idnits 2.17.1 

draft-ietf-sipcore-sec-flows-07.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  == There are 3 instances of lines with non-RFC3849-compliant IPv6 addresses
     in the document.  If these are example addresses, they should be changed.

  -- The document has examples using IPv4 documentation addresses according
     to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
     there should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 13, 2010) is 4883 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Looks like a reference, but probably isn't: '0' on line 1171

  ** Obsolete normative reference: RFC 2560 (Obsoleted by RFC 6960)

  ** Obsolete normative reference: RFC 4474 (Obsoleted by RFC 8224)

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  ** Obsolete normative reference: RFC 5751 (Obsoleted by RFC 8551)

  -- Obsolete informational reference (is this intentional?): RFC 2818
     (Obsoleted by RFC 9110)


     Summary: 4 errors (**), 0 flaws (~~), 3 warnings (==), 5 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                        C. Jennings
3	Internet-Draft                                             Cisco Systems
4	Intended status: Informational                                    K. Ono
5	Expires: June 16, 2011                               Columbia University
6	                                                               R. Sparks
7	                                                         B. Hibbard, Ed.
8	                                                                 Tekelec
9	                                                       December 13, 2010

11	  Example call flows using Session Initiation Protocol (SIP) security
12	                               mechanisms
13	                    draft-ietf-sipcore-sec-flows-07

15	Abstract

17	   This document shows example call flows demonstrating the use of
18	   Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
19	   Extensions (S/MIME) in Session Initiation Protocol (SIP).  It also
20	   provides information that helps implementers build interoperable SIP
21	   software.  To help facilitate interoperability testing, it includes
22	   certificates used in the example call flows and processes to create
23	   certificates for testing.

25	Status of this Memo

27	   This Internet-Draft is submitted in full conformance with the
28	   provisions of BCP 78 and BCP 79.

30	   Internet-Drafts are working documents of the Internet Engineering
31	   Task Force (IETF).  Note that other groups may also distribute
32	   working documents as Internet-Drafts.  The list of current Internet-
33	   Drafts is at http://datatracker.ietf.org/drafts/current/.

35	   Internet-Drafts are draft documents valid for a maximum of six months
36	   and may be updated, replaced, or obsoleted by other documents at any
37	   time.  It is inappropriate to use Internet-Drafts as reference
38	   material or to cite them other than as "work in progress."

40	   This Internet-Draft will expire on June 16, 2011.

42	Copyright Notice

44	   Copyright (c) 2010 IETF Trust and the persons identified as the
45	   document authors.  All rights reserved.

47	   This document is subject to BCP 78 and the IETF Trust's Legal
48	   Provisions Relating to IETF Documents
49	   (http://trustee.ietf.org/license-info) in effect on the date of
50	   publication of this document.  Please review these documents
51	   carefully, as they describe your rights and restrictions with respect
52	   to this document.  Code Components extracted from this document must
53	   include Simplified BSD License text as described in Section 4.e of
54	   the Trust Legal Provisions and are provided without warranty as
55	   described in the Simplified BSD License.

57	Table of Contents

59	   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
60	   2.  Certificates . . . . . . . . . . . . . . . . . . . . . . . . .  4
61	     2.1.  CA Certificates  . . . . . . . . . . . . . . . . . . . . .  4
62	     2.2.  Host Certificates  . . . . . . . . . . . . . . . . . . . .  8
63	     2.3.  User Certificates  . . . . . . . . . . . . . . . . . . . .  9
64	   3.  Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12
65	     3.1.  TLS with Server Authentication . . . . . . . . . . . . . . 12
66	     3.2.  MESSAGE Transaction Over TLS . . . . . . . . . . . . . . . 13
67	   4.  Callflow with S/MIME-secured Message . . . . . . . . . . . . . 15
68	     4.1.  MESSAGE Request with Signed Body . . . . . . . . . . . . . 15
69	     4.2.  MESSAGE Request with Encrypted Body  . . . . . . . . . . . 20
70	     4.3.  MESSAGE Request with Encrypted and Signed Body . . . . . . 22
71	   5.  Observed Interoperability Issues . . . . . . . . . . . . . . . 29
72	   6.  Additional Test Scenarios  . . . . . . . . . . . . . . . . . . 31
73	   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 34
74	   8.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 35
75	   9.  Security Considerations  . . . . . . . . . . . . . . . . . . . 36
76	   10. Changelog  . . . . . . . . . . . . . . . . . . . . . . . . . . 37
77	   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40
78	     11.1. Normative References . . . . . . . . . . . . . . . . . . . 40
79	     11.2. Informative References . . . . . . . . . . . . . . . . . . 41
80	   Appendix A.  Making Test Certificates  . . . . . . . . . . . . . . 42
81	     A.1.  makeCA script  . . . . . . . . . . . . . . . . . . . . . . 43
82	     A.2.  makeCert script  . . . . . . . . . . . . . . . . . . . . . 47
83	   Appendix B.  Certificates for Testing  . . . . . . . . . . . . . . 50
84	     B.1.  Certificates Using EKU . . . . . . . . . . . . . . . . . . 50
85	     B.2.  Certificates NOT Using EKU . . . . . . . . . . . . . . . . 57
86	     B.3.  Certificate Chaining with a Non-Root CA  . . . . . . . . . 65
87	   Appendix C.  Message Dumps . . . . . . . . . . . . . . . . . . . . 72
88	   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75

90	1.  Introduction

92	   This document is informational and is not normative on any aspect of
93	   SIP.

95	   SIP with TLS ([RFC5246]) implementations are becoming very common.
96	   Several implementations of the S/MIME ([RFC5751]) portion of SIP
97	   ([RFC3261]) are also becoming available.  After several
98	   interoperability events, it is clear that it is difficult to write
99	   these systems without any test vectors or examples of "known good"
100	   messages to test against.  Furthermore, testing at the events is
101	   often hindered due to the lack of a commonly trusted certificate
102	   authority to sign the certificates used in the events.  This document
103	   addresses both of these issues by providing messages that give
104	   detailed examples that implementers can use for comparison and that
105	   can also be used for testing.  In addition, this document provides a
106	   common certificate and private key that can be used to set up a mock
107	   Certificate Authority (CA) that can be used during the SIP
108	   interoperability events.  Certificate requests from the users will be
109	   signed by the private key of the mock CA.  The document also provides
110	   some hints and clarifications for implementers.

112	   A simple SIP call flow using SIPS URIs and TLS is shown in Section 3.
113	   The certificates for the hosts used are shown in Section 2.2, and the
114	   CA certificates used to sign these are shown in Section 2.1.

116	   The text from Section 4.1 through Section 4.3 shows some simple SIP
117	   call flows using S/MIME to sign and encrypt the body of the message.
118	   The user certificates used in these examples are shown in
119	   Section 2.3.  These host certificates are signed with the same mock
120	   CA private key.

122	   Section 5 presents a partial list of items that implementers should
123	   consider in order to implement systems that will interoperate.

125	   Scripts and instructions to make certificates that can be used for
126	   interoperability testing are presented in Appendix A, along with
127	   methods for converting these to various formats.  The certificates
128	   used while creating the examples and test messages in this document
129	   are made available in Appendix B.

131	   Binary copies of various messages in this document that can be used
132	   for testing appear in Appendix C.

134	2.  Certificates

136	2.1.  CA Certificates

138	   The certificate used by the CA to sign the other certificates is
139	   shown below.  This is a X509v3 certificate.  Note that the X.509v3
140	   Basic Constraints in the certificate allows it to be used as a CA,
141	   certificate authority.  This certificate is not used directly in the
142	   TLS call flow; it is used only to verify user and host certificates.

144	   Version: 3 (0x2)
145	   Serial Number:
146	       96:a3:84:17:4e:ef:8a:4c
147	   Signature Algorithm: sha1WithRSAEncryption
148	   Issuer: C=US, ST=California, L=San Jose, O=sipit,
149	           OU=Sipit Test Certificate Authority
150	   Validity
151	       Not Before: Dec  6 22:36:29 2010 GMT
152	       Not After : Nov 12 22:36:29 2110 GMT
153	   Subject: C=US, ST=California, L=San Jose, O=sipit,
154	           OU=Sipit Test Certificate Authority
155	   Subject Public Key Info:
156	       Public Key Algorithm: rsaEncryption
157	       RSA Public Key: (2048 bit)
158	           Modulus (2048 bit):
159	               00:ec:c0:ad:ec:3b:0d:7b:6a:95:24:96:dc:33:c2:
160	               1d:f6:b3:0d:af:ed:5f:73:9c:b5:5f:dc:3a:21:95:
161	               20:81:c1:29:63:a0:34:86:ed:f1:4c:8a:66:90:37:
162	               95:ab:0f:8c:b2:da:55:a9:ca:ca:ae:50:10:eb:34:
163	               28:d7:d8:98:5b:14:ec:fc:c4:55:d4:c6:63:5a:ee:
164	               e8:ec:41:08:d3:be:28:9e:b1:89:4d:d2:6b:57:f6:
165	               aa:77:c9:08:fc:f9:25:a0:a3:e3:cc:bf:f0:c0:f2:
166	               99:59:e5:ef:cf:0a:3a:d7:38:bc:6b:f9:6c:ff:6e:
167	               a0:d0:b2:62:4f:98:72:f0:f0:1d:1d:40:84:50:05:
168	               9b:6e:15:3c:49:b6:9d:58:05:a1:0d:cf:91:ee:ed:
169	               28:0f:0f:e1:0f:71:8a:a6:6e:7c:2a:ad:ae:ae:c4:
170	               8d:8e:2a:2e:8a:a2:ac:67:85:2e:aa:82:0e:4b:38:
171	               b1:e9:f2:84:23:0c:98:e0:57:b8:38:70:f4:89:a9:
172	               94:cb:9a:5e:15:52:ba:45:0a:80:9f:33:82:cf:e2:
173	               f2:eb:8f:f9:61:3c:8a:eb:74:b1:7c:87:f9:0c:2f:
174	               20:ce:0d:be:69:8f:d1:bc:5d:c5:8a:e5:1a:0b:5d:
175	               70:65:c8:02:f3:46:85:25:d3:88:8c:dd:80:55:d9:
176	               69:9b
177	           Exponent: 65537 (0x10001)
178	   X509v3 extensions:
179	       X509v3 Subject Key Identifier:
180	           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
181	       X509v3 Authority Key Identifier:

183	           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
184	           DirName:/C=US/ST=California/L=San Jose/O=sipit/
185	           OU=Sipit Test Certificate Authority
186	           serial:96:A3:84:17:4E:EF:8A:4C

188	       X509v3 Basic Constraints:
189	           CA:TRUE
190	       Signature Algorithm: sha1WithRSAEncryption
191	   b1:75:d4:56:ab:70:14:a0:ee:67:a3:ec:07:0c:1d:8b:2c:5f:
192	   d7:1c:f3:e3:01:ba:3d:9d:da:47:49:31:d5:81:f5:2d:d2:66:
193	   a5:2c:1f:db:c3:2d:8a:32:6a:ec:22:8b:b1:58:63:57:23:88:
194	   34:9f:6c:df:8c:7b:73:8c:2a:7c:d3:23:02:97:54:76:f3:34:
195	   25:7f:d1:ad:25:87:17:56:30:61:43:f4:16:63:77:0f:7b:a7:
196	   b0:0b:97:1b:05:f2:5c:86:2c:a9:d5:3b:cb:73:92:a2:3c:dc:
197	   7e:12:30:86:9e:f8:57:6c:a2:a4:28:51:e4:f7:f0:ce:29:9c:
198	   82:34:f2:02:3c:43:62:36:94:44:c1:ad:b4:79:f7:6e:f9:e2:
199	   bd:f9:15:cc:e8:de:b0:9d:9c:2f:18:30:a9:eb:3f:d4:56:c9:
200	   61:8d:78:b2:fb:4e:e5:22:1d:00:c4:cf:ce:9c:fe:d6:f1:4f:
201	   01:9d:92:58:e0:78:2a:cb:69:36:18:ac:1b:53:0d:86:b1:91:
202	   34:8b:de:05:5d:22:18:2a:67:e5:ea:f2:77:01:d6:9c:60:17:
203	   06:84:83:6f:b6:88:7e:ce:c8:63:d4:30:6d:90:72:fe:59:f4:
204	   32:04:e6:af:d4:be:99:44:c8:de:3d:01:88:d7:8a:35:30:c2:
205	   2d:77:e9:70

207	   The ASN.1 parse of the CA certificate is shown below.

209	  0:l=1083 cons: SEQUENCE
210	  4:l= 803 cons:  SEQUENCE
211	  8:l=   3 cons:   cont [ 0 ]
212	 10:l=   1 prim:    INTEGER           :02
213	 13:l=   9 prim:   INTEGER           :96A384174EEF8A4C
214	 24:l=  13 cons:   SEQUENCE
215	 26:l=   9 prim:    OBJECT            :sha1WithRSAEncryption
216	 37:l=   0 prim:    NULL
217	 39:l= 112 cons:   SEQUENCE
218	 41:l=  11 cons:    SET
219	 43:l=   9 cons:     SEQUENCE
220	 45:l=   3 prim:      OBJECT            :countryName
221	 50:l=   2 prim:      PRINTABLESTRING   :US
222	 54:l=  19 cons:    SET
223	 56:l=  17 cons:     SEQUENCE
224	 58:l=   3 prim:      OBJECT            :stateOrProvinceName
225	 63:l=  10 prim:      PRINTABLESTRING   :California
226	 75:l=  17 cons:    SET
227	 77:l=  15 cons:     SEQUENCE
228	 79:l=   3 prim:      OBJECT            :localityName
229	 84:l=   8 prim:      PRINTABLESTRING   :San Jose
230	 94:l=  14 cons:    SET
231	 96:l=  12 cons:     SEQUENCE
232	 98:l=   3 prim:      OBJECT            :organizationName
233	103:l=   5 prim:      PRINTABLESTRING   :sipit
234	110:l=  41 cons:    SET
235	112:l=  39 cons:     SEQUENCE
236	114:l=   3 prim:      OBJECT            :organizationalUnitName
237	119:l=  32 prim:      PRINTABLESTRING  :Sipit Test Certificate Authority
238	153:l=  32 cons:   SEQUENCE
239	155:l=  13 prim:    UTCTIME           :101206223629Z
240	170:l=  15 prim:    GENERALIZEDTIME   :21101112223629Z
241	187:l= 112 cons:   SEQUENCE
242	189:l=  11 cons:    SET
243	191:l=   9 cons:     SEQUENCE
244	193:l=   3 prim:      OBJECT            :countryName
245	198:l=   2 prim:      PRINTABLESTRING   :US
246	202:l=  19 cons:    SET
247	204:l=  17 cons:     SEQUENCE
248	206:l=   3 prim:      OBJECT            :stateOrProvinceName
249	211:l=  10 prim:      PRINTABLESTRING   :California
250	223:l=  17 cons:    SET
251	225:l=  15 cons:     SEQUENCE
252	227:l=   3 prim:      OBJECT            :localityName
253	232:l=   8 prim:      PRINTABLESTRING   :San Jose
254	242:l=  14 cons:    SET
255	244:l=  12 cons:     SEQUENCE
256	246:l=   3 prim:      OBJECT            :organizationName
257	251:l=   5 prim:      PRINTABLESTRING   :sipit
258	258:l=  41 cons:    SET
259	260:l=  39 cons:     SEQUENCE
260	262:l=   3 prim:      OBJECT            :organizationalUnitName
261	267:l=  32 prim:      PRINTABLESTRING  :Sipit Test Certificate Authority
262	301:l= 290 cons:   SEQUENCE
263	305:l=  13 cons:    SEQUENCE
264	307:l=   9 prim:     OBJECT            :rsaEncryption
265	318:l=   0 prim:     NULL
266	320:l= 271 prim:    BIT STRING
267	  00 30 82 01 0a 02 82 01-01 00 ec c0 ad ec 3b 0d   .0............;.
268	  7b 6a 95 24 96 dc 33 c2-1d f6 b3 0d af ed 5f 73   {j.$..3......._s
269	  9c b5 5f dc 3a 21 95 20-81 c1 29 63 a0 34 86 ed   .._.:!. ..)c.4..
270	  f1 4c 8a 66 90 37 95 ab-0f 8c b2 da 55 a9 ca ca   .L.f.7......U...
271	  ae 50 10 eb 34 28 d7 d8-98 5b 14 ec fc c4 55 d4   .P..4(...[....U.
272	  c6 63 5a ee e8 ec 41 08-d3 be 28 9e b1 89 4d d2   .cZ...A...(...M.
273	  6b 57 f6 aa 77 c9 08 fc-f9 25 a0 a3 e3 cc bf f0   kW..w....%......
274	  c0 f2 99 59 e5 ef cf 0a-3a d7 38 bc 6b f9 6c ff   ...Y....:.8.k.l.
275	  6e a0 d0 b2 62 4f 98 72-f0 f0 1d 1d 40 84 50 05   n...bO.r....@.P.
276	  9b 6e 15 3c 49 b6 9d 58-05 a1 0d cf 91 ee ed 28   .n.<I..X.......(
277	  0f 0f e1 0f 71 8a a6 6e-7c 2a ad ae ae c4 8d 8e   ....q..n|*......

279	  2a 2e 8a a2 ac 67 85 2e-aa 82 0e 4b 38 b1 e9 f2   *....g.....K8...
280	  84 23 0c 98 e0 57 b8 38-70 f4 89 a9 94 cb 9a 5e   .#...W.8p......^
281	  15 52 ba 45 0a 80 9f 33-82 cf e2 f2 eb 8f f9 61   .R.E...3.......a
282	  3c 8a eb 74 b1 7c 87 f9-0c 2f 20 ce 0d be 69 8f   <..t.|.../ ...i.
283	  d1 bc 5d c5 8a e5 1a 0b-5d 70 65 c8 02 f3 46 85   ..].....]pe...F.
284	  25 d3 88 8c dd 80 55 d9-69 9b 02 03 01 00 01      %.....U.i......
285	595:l= 213 cons:   cont [ 3 ]
286	598:l= 210 cons:    SEQUENCE
287	601:l=  29 cons:     SEQUENCE
288	603:l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
289	608:l=  22 prim:      OCTET STRING
290	  04 14 bb 37 8e 47 c7 5a-34 db 7a d9 f8 76 b6 75   ...7.G.Z4.z..v.u
291	  8e d0 e4 13 17 45                                 .....E
292	632:l= 162 cons:     SEQUENCE
293	635:l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
294	640:l= 154 prim:      OCTET STRING
295	  30 81 97 80 14 bb 37 8e-47 c7 5a 34 db 7a d9 f8   0.....7.G.Z4.z..
296	  76 b6 75 8e d0 e4 13 17-45 a1 74 a4 72 30 70 31   v.u.....E.t.r0p1
297	  0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
298	  06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
299	  61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
300	  4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
301	  69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
302	  69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66   ipit Test Certif
303	  69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82   icate Authority.
304	  09 00 96 a3 84 17 4e ef-8a 4c                     ......N..L
305	797:l=  12 cons:     SEQUENCE
306	799:l=   3 prim:      OBJECT            :X509v3 Basic Constraints
307	804:l=   5 prim:      OCTET STRING
308	  30 03 01 01 ff                                    0....
309	811:l=  13 cons:  SEQUENCE
310	813:l=   9 prim:   OBJECT            :sha1WithRSAEncryption
311	824:l=   0 prim:   NULL
312	826:l= 257 prim:  BIT STRING
313	  00 b1 75 d4 56 ab 70 14-a0 ee 67 a3 ec 07 0c 1d   ..u.V.p...g.....
314	  8b 2c 5f d7 1c f3 e3 01-ba 3d 9d da 47 49 31 d5   .,_......=..GI1.
315	  81 f5 2d d2 66 a5 2c 1f-db c3 2d 8a 32 6a ec 22   ..-.f.,...-.2j."
316	  8b b1 58 63 57 23 88 34-9f 6c df 8c 7b 73 8c 2a   ..XcW#.4.l..{s.*
317	  7c d3 23 02 97 54 76 f3-34 25 7f d1 ad 25 87 17   |.#..Tv.4%...%..
318	  56 30 61 43 f4 16 63 77-0f 7b a7 b0 0b 97 1b 05   V0aC..cw.{......
319	  f2 5c 86 2c a9 d5 3b cb-73 92 a2 3c dc 7e 12 30   .\.,..;.s..<.~.0
320	  86 9e f8 57 6c a2 a4 28-51 e4 f7 f0 ce 29 9c 82   ...Wl..(Q....)..
321	  34 f2 02 3c 43 62 36 94-44 c1 ad b4 79 f7 6e f9   4..<Cb6.D...y.n.
322	  e2 bd f9 15 cc e8 de b0-9d 9c 2f 18 30 a9 eb 3f   ........../.0..?
323	  d4 56 c9 61 8d 78 b2 fb-4e e5 22 1d 00 c4 cf ce   .V.a.x..N.".....
324	  9c fe d6 f1 4f 01 9d 92-58 e0 78 2a cb 69 36 18   ....O...X.x*.i6.
325	  ac 1b 53 0d 86 b1 91 34-8b de 05 5d 22 18 2a 67   ..S....4...]".*g
326	  e5 ea f2 77 01 d6 9c 60-17 06 84 83 6f b6 88 7e   ...w...`....o..~
327	  ce c8 63 d4 30 6d 90 72-fe 59 f4 32 04 e6 af d4   ..c.0m.r.Y.2....
328	  be 99 44 c8 de 3d 01 88-d7 8a 35 30 c2 2d 77 e9   ..D..=....50.-w.
329	  70                                                p

331	2.2.  Host Certificates

333	   The certificate for the host example.com is shown below.  Note that
334	   the Subject Alternative Name is set to example.com and is a DNS type.
335	   The certificates for the other hosts are shown in Appendix B.

337	   Version: 3 (0x2)
338	   Serial Number:
339	       96:a3:84:17:4e:ef:8a:4f
340	   Signature Algorithm: sha1WithRSAEncryption
341	   Issuer: C=US, ST=California, L=San Jose, O=sipit,
342	           OU=Sipit Test Certificate Authority
343	   Validity
344	       Not Before: Dec  6 22:43:50 2010 GMT
345	       Not After : Nov 12 22:43:50 2110 GMT
346	   Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com
347	   Subject Public Key Info:
348	       Public Key Algorithm: rsaEncryption
349	       RSA Public Key: (2048 bit)
350	           Modulus (2048 bit):
351	               00:9d:26:25:9d:f2:f8:00:ce:3a:8e:e5:11:f8:6a:
352	               3b:0e:ca:0b:7c:ac:74:cb:5a:79:c7:52:1c:ea:cc:
353	               07:86:b7:93:37:6a:0e:2a:00:e6:47:f9:7a:92:b8:
354	               07:c9:2c:1a:9a:34:a0:e0:63:ad:46:6e:d2:82:cc:
355	               c4:a2:cd:ce:a6:e2:51:d7:9b:ce:39:a8:55:3d:b1:
356	               4a:df:27:d8:8f:02:33:0a:84:5a:a2:ec:d1:b4:c1:
357	               e0:09:79:9f:05:6a:b8:08:38:82:6b:c2:0e:5d:c7:
358	               4f:c5:21:a2:4f:35:4a:5a:96:3a:d6:f2:a0:53:c8:
359	               fe:d7:ee:ef:1b:27:06:08:fe:24:96:04:23:19:7f:
360	               65:4d:81:43:b0:79:47:43:b7:a3:1f:13:58:8e:c0:
361	               e4:92:a7:3d:44:93:4d:74:df:21:13:94:73:48:f0:
362	               6f:cf:8d:a0:6d:2a:67:8e:82:c7:c7:56:af:15:cc:
363	               2d:c0:0e:bf:49:27:0a:bd:a7:7f:71:d4:5e:2b:6e:
364	               f2:c1:37:16:0b:e4:b9:44:29:91:fa:48:0b:48:e8:
365	               e7:32:d4:96:17:56:b9:9a:ba:1b:c1:0e:5f:78:12:
366	               26:06:b4:1f:73:0d:aa:8d:17:dc:29:89:83:fe:08:
367	               71:88:3d:a1:cd:35:49:01:fe:26:df:c7:2c:a8:44:
368	               d9:e3
369	           Exponent: 65537 (0x10001)
370	   X509v3 extensions:
371	       X509v3 Subject Alternative Name:
372	           DNS:example.com, URI:sip:example.com
373	       X509v3 Basic Constraints:

375	           CA:FALSE
376	       X509v3 Subject Key Identifier:
377	           AB:E9:BC:0D:37:A2:45:90:F2:BB:CB:B1:DB:A1:49:28:81:3C:1A:D2
378	       X509v3 Authority Key Identifier:
379	           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
380	           DirName:/C=US/ST=California/L=San Jose/O=sipit/
381	           OU=Sipit Test Certificate Authority
382	           serial:96:A3:84:17:4E:EF:8A:4C

384	       X509v3 Key Usage:
385	           Digital Signature, Non Repudiation, Key Encipherment
386	       X509v3 Extended Key Usage:
387	           TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20
388	       Signature Algorithm: sha1WithRSAEncryption
389	   8e:d9:1f:18:52:53:28:77:b9:0a:26:0b:0d:94:d8:3f:fa:01:
390	   a9:72:f2:02:80:3c:f9:01:5c:0a:84:3b:f3:6d:86:b3:ad:7f:
391	   d3:91:e8:0c:b4:76:2f:ec:f6:5a:9a:16:d5:5e:0e:77:e6:e5:
392	   3b:bb:68:51:2b:d8:bf:68:5c:63:4a:d8:2d:84:6b:af:f5:e2:
393	   ea:8c:75:0b:e5:55:bf:5d:f5:bc:bb:ee:f0:62:bc:de:9a:aa:
394	   c5:ae:53:d4:bd:aa:a5:3b:6f:f3:8d:00:2e:2b:c8:ec:ce:2a:
395	   fc:0d:8e:54:8e:4d:01:ea:c0:0a:44:93:03:2d:8f:95:45:2f:
396	   dd:df:33:df:db:96:1f:26:12:2f:b1:17:d2:f0:ab:31:b9:cb:
397	   c4:c1:ae:e6:53:c1:a0:15:79:5b:a2:9d:af:17:b4:ec:72:c2:
398	   9d:38:79:43:c5:58:6e:b6:8e:44:ba:87:03:24:d8:24:ac:12:
399	   1c:be:16:42:32:4e:1b:a8:c3:7f:a9:70:0b:12:c1:8f:98:2c:
400	   b9:23:03:ee:aa:98:5a:48:8f:c8:34:f9:be:73:e5:5c:ae:6b:
401	   a2:b5:8c:04:0f:7c:b1:d2:86:96:e4:c0:d1:f4:11:73:55:df:
402	   e6:3c:7e:17:c6:95:87:b1:a2:87:50:91:d7:ce:68:24:86:c1:
403	   3d:35:c0:d0

405	   The example host certificate above, as well as all the others
406	   presented in this document, are signed directly by a root CA.  These
407	   certificate chains have a length equal to two: the root CA and the
408	   host certificate.  Non-root CAs exist and may also sign certificates.
409	   The certificate chains presented by hosts with certificates signed by
410	   non-root CAs will have a length greater than two.  For more details
411	   on how certificate chains are validated, see Sections 6.1 and 6.2 of
412	   [RFC5280].

414	2.3.  User Certificates

416	   User certificates are used by many applications to establish user
417	   identity.  The user certificate for fluffy@example.com is shown
418	   below.  Note that the Subject Alternative Name has a list of names
419	   with different URL types such as a sip, im, or pres URL.  This is
420	   necessary for interoperating with a Common Profile for Instant
421	   Messaging (CPIM) gateway.  In this example, example.com is the domain
422	   for fluffy.  The message could be coming from any host in
423	   *.example.com, and the AOR in the user certificate would still be the
424	   same.  The others are shown in Appendix B.1.  These certificates make
425	   use of the Extended Key Usage (EKU) extension discussed in [RFC5924].
426	   Note that the X509v3 Extended Key Usage attribute refers to the SIP
427	   OID introduced in [RFC5924], which is 1.3.6.1.5.5.7.3.20

429	   Version: 3 (0x2)
430	   Serial Number:
431	       96:a3:84:17:4e:ef:8a:4d
432	   Signature Algorithm: sha1WithRSAEncryption
433	   Issuer: C=US, ST=California, L=San Jose, O=sipit,
434	           OU=Sipit Test Certificate Authority
435	   Validity
436	       Not Before: Dec  6 22:43:49 2010 GMT
437	       Not After : Nov 12 22:43:49 2110 GMT
438	   Subject: C=US, ST=California, L=San Jose, O=sipit,
439	            CN=fluffy@example.com
440	   Subject Public Key Info:
441	       Public Key Algorithm: rsaEncryption
442	       RSA Public Key: (2048 bit)
443	           Modulus (2048 bit):
444	               00:c6:a9:ff:b2:e0:63:18:7a:05:b9:9a:31:c0:33:
445	               bb:d4:05:db:a4:df:32:68:41:7e:e5:6c:13:cd:f2:
446	               18:d3:9b:fa:7f:45:92:66:10:a3:f2:4d:ce:40:dd:
447	               1e:df:13:43:b6:d9:f2:cb:44:a0:85:11:51:d2:b0:
448	               f7:9f:d2:3e:af:cd:7d:cb:ab:c0:f0:00:d0:7e:e0:
449	               45:d5:91:45:7a:25:73:d6:08:80:e6:ca:73:61:e1:
450	               04:d3:11:f5:6f:10:00:a9:5d:a7:ac:da:d9:75:92:
451	               14:07:bd:81:26:79:90:4b:99:aa:d8:54:e5:34:6a:
452	               4f:61:e5:e8:22:47:96:f1:e2:5c:e5:a3:09:43:22:
453	               7b:a5:46:d8:8f:df:c4:18:ed:75:17:00:68:6e:95:
454	               16:e8:ca:15:4c:25:f6:2c:33:86:0e:7a:0f:9d:9a:
455	               a5:e3:8c:3e:ff:c5:32:08:25:bb:52:08:20:8b:95:
456	               46:c9:52:da:7a:15:46:eb:8b:8e:a2:22:b8:e7:ef:
457	               a0:e5:c2:59:83:c8:8b:f7:33:0e:f7:80:b7:11:27:
458	               ac:3e:2c:37:a2:67:2c:22:3b:55:90:a6:ff:c0:df:
459	               63:d1:20:ec:6c:7c:61:2e:b5:d0:28:d7:09:ed:33:
460	               a6:22:9d:00:de:21:bb:7c:53:d1:9f:af:20:23:f4:
461	               dd:51
462	           Exponent: 65537 (0x10001)
463	   X509v3 extensions:
464	       X509v3 Subject Alternative Name:
465	           URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
466	              URI:pres:fluffy@example.com
467	       X509v3 Basic Constraints:
468	           CA:FALSE
469	       X509v3 Subject Key Identifier:

471	           13:C1:2F:28:AF:EB:53:7F:1D:4D:66:27:1E:D7:F7:99:56:31:C8:A0
472	       X509v3 Authority Key Identifier:
473	           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45
474	           DirName:/C=US/ST=California/L=San Jose/O=sipit/
475	           OU=Sipit Test Certificate Authority
476	           serial:96:A3:84:17:4E:EF:8A:4C

478	       X509v3 Key Usage:
479	           Digital Signature, Non Repudiation, Key Encipherment
480	       X509v3 Extended Key Usage:
481	           E-mail Protection, 1.3.6.1.5.5.7.3.20
482	       Signature Algorithm: sha1WithRSAEncryption
483	   5d:d6:f9:23:45:da:7a:51:8b:c6:fe:4b:89:99:81:37:ef:27:
484	   03:aa:e0:ed:8d:ec:d0:bf:6e:4c:0c:63:6a:bb:db:be:9d:6d:
485	   f8:d0:d9:7d:89:78:e3:1f:c6:3b:db:ae:1e:f6:f4:56:00:dd:
486	   f3:0e:2b:f8:70:91:f1:ec:f8:02:06:c1:f3:90:92:b3:25:8d:
487	   54:22:b8:07:4b:a1:ee:5c:5c:17:ac:62:37:28:5f:70:02:b5:
488	   80:09:94:42:cf:e6:f0:70:db:df:d1:94:e1:7d:d5:70:41:1a:
489	   4b:b5:73:ec:4c:78:71:bd:9b:d4:63:d7:57:30:fc:eb:d2:bb:
490	   7d:9c:4e:b9:c2:ea:b6:9b:46:47:46:d0:8d:8e:51:f9:dd:ed:
491	   88:75:2d:18:3b:79:4b:ce:f6:76:7b:f5:2f:71:4b:a4:1d:06:
492	   f8:37:5e:d9:8a:42:5c:76:a3:95:36:f0:9b:ee:5a:55:62:12:
493	   2a:94:4e:fe:37:8b:2e:45:5a:21:1c:47:fd:de:2f:01:3e:77:
494	   b9:24:a6:66:44:95:32:37:2c:4d:90:93:bb:6a:b3:1d:5b:9c:
495	   0c:3b:d6:70:d3:7a:39:46:48:2b:ba:5d:6e:d8:3b:83:cb:cf:
496	   67:5b:0c:2d:2e:4c:ff:12:1e:df:72:75:b3:cf:9d:83:ce:e9:
497	   f4:f4:3c:02

499	   Versions of these certificates that do not make use of EKU are also
500	   included in Appendix B.2

502	3.  Callflow with Message Over TLS

504	3.1.  TLS with Server Authentication

506	   The flow below shows the edited SSLDump output of the host
507	   example.com forming a TLS [RFC5246] connection to example.net.  In
508	   this example mutual authentication is not used.  Note that the client
509	   proposed three protocol suites including TLS_RSA_WITH_AES_128_CBC_SHA
510	   defined in [RFC5246].  The certificate returned by the server
511	   contains a Subject Alternative Name that is set to example.net.  A
512	   detailed discussion of TLS can be found in SSL and TLS [EKR-TLS].
513	   For more details on the SSLDump tool, see the SSLDump Manual
514	   [ssldump-manpage].

516	   This example does not use the Server Extended Hello (see [RFC5246]).

518	   New TCP connection #1: example.com(58315) <-> example.net(5061)
519	   1 1  0.0004 (0.0004)  C>SV3.1(101)  Handshake
520	         ClientHello
521	           Version 3.1
522	           random[32]=
523	             4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3
524	             ff 81 74 ab 04 69 bb 79 8c dc 59 cd c2 1f b7 ec
525	           cipher suites
526	           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
527	           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
528	           TLS_DHE_RSA_WITH_AES_256_SHA
529	           TLS_RSA_WITH_AES_256_CBC_SHA
530	           TLS_DSS_RSA_WITH_AES_256_SHA
531	           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
532	           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
533	           TLS_DHE_RSA_WITH_AES_128_CBC_SHA
534	           TLS_RSA_WITH_AES_128_CBC_SHA
535	           TLS_DHE_DSS_WITH_AES_128_CBC_SHA
536	           TLS_ECDHE_RSA_WITH_DES_192_CBC3_SHA
537	           TLS_ECDH_RSA_WITH_DES_192_CBC3_SHA
538	           TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
539	           TLS_RSA_WITH_3DES_EDE_CBC_SHA
540	           TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
541	           TLS_ECDHE_RSA_WITH_RC4_128_SHA
542	           TLS_ECDH_RSA_WITH_RC4_128_SHA
543	           TLS_RSA_WITH_RC4_128_SHA
544	           TLS_RSA_WITH_RC4_128_MD5
545	           TLS_DHE_RSA_WITH_DES_CBC_SHA
546	           TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
547	           TLS_RSA_WITH_DES_CBC_SHA
548	           TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
549	           TLS_DHE_DSS_WITH_DES_CBC_SHA
550	           TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
551	           TLS_RSA_EXPORT_WITH_RC4_40_MD5
552	           compression methods
553	                     NULL
554	   1 2  0.0012 (0.0007)  S>CV3.1(48)  Handshake
555	         ServerHello
556	           Version 3.1
557	           random[32]=
558	             4c 09 5b a7 30 87 74 c7 16 98 24 d5 af 35 17 a7
559	             ef c3 78 0c 94 d4 94 d2 7b a6 3f 40 04 25 f6 e0
560	           session_id[0]=

562	           cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
563	           compressionMethod                   NULL
564	   1 3  0.0012 (0.0000)  S>CV3.1(1858)  Handshake
565	         Certificate
566	   1 4  0.0012 (0.0000)  S>CV3.1(14)  Handshake
567	         CertificateRequest
568	           certificate_types                   rsa_sign
569	           certificate_types                   dss_sign
570	           certificate_types                 unknown value
571	         ServerHelloDone
572	   1 5  0.0043 (0.0031)  C>SV3.1(7)  Handshake
573	         Certificate
574	   1 6  0.0043 (0.0000)  C>SV3.1(262)  Handshake
575	         ClientKeyExchange
576	   1 7  0.0043 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
577	   1 8  0.0043 (0.0000)  C>SV3.1(48)  Handshake
578	   1 9  0.0129 (0.0085)  S>CV3.1(170)  Handshake
579	   1 10 0.0129 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
580	   1 11 0.0129 (0.0000)  S>CV3.1(48)  Handshake
581	   1 12 0.0134 (0.0005)  C>SV3.1(32)  application_data
582	   1 13 0.0134 (0.0000)  C>SV3.1(496)  application_data
583	   1 14 0.2150 (0.2016)  S>CV3.1(32)  application_data
584	   1 15 0.2150 (0.0000)  S>CV3.1(336)  application_data
585	   1 16 12.2304 (12.0154)  S>CV3.1(32)  Alert
586	   1    12.2310 (0.0005)  S>C  TCP FIN
587	   1 17 12.2321 (0.0011)  C>SV3.1(32)  Alert

589	3.2.  MESSAGE Transaction Over TLS

591	   Once the TLS session is set up, the following MESSAGE request (as
592	   defined in [RFC3428] is sent from fluffy@example.com to
593	   kumiko@example.net.  Note that the URI has a SIPS URL and that the
594	   VIA indicates that TLS was used.  In order to format this document,
595	   the <allOneLine> convention from [RFC4475] is used to break long
596	   lines.  The actual message does not contain the linebreaks contained
597	   within those tags.

599	   MESSAGE sips:kumiko@example.net:5061 SIP/2.0
600	   <allOneLine>
601	   Via: SIP/2.0/TLS 192.0.2.2:15001;
602	        branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
603	        rport=58315
604	   </allOneLine>
605	   Max-Forwards: 70
606	   To: <sips:kumiko@example.net:5061>
607	   From: <sips:fluffy@example.com:15001>;tag=b5220b64
608	   Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE.
609	   CSeq: 4308 MESSAGE
610	   <allOneLine>
611	   Accept: multipart/signed, text/plain, application/pkcs7-mime,
612	           application/sdp, multipart/alternative
613	   </allOneLine>
614	   Content-Type: text/plain
615	   Content-Length: 6

617	   Hello!

619	   When a User Agent (UA) goes to send a message to example.com, the UA
620	   can see if it already has a TLS connection to example.com and if it
621	   does, it may send the message over this connection.  A UA should have
622	   some scheme for reusing connections as opening a new TLS connection
623	   for every message results in awful performance.  Implementers are
624	   encouraged to read [RFC5923] and [RFC3263].

626	   The response is sent from example.net to example.com over the same
627	   TLS connection.  It is shown below.

629	   SIP/2.0 200 OK
630	   <allOneLine>
631	   Via: SIP/2.0/TLS 192.0.2.2:15001;
632	        branch=z9hG4bK-d8754z-3bcb7c685f585679-1---d8754z-;
633	        rport=58315
634	   </allOneLine>
635	   To: <sips:kumiko@example.net:5061>;tag=35b8014f
636	   From: <sips:fluffy@example.com:15001>;tag=b5220b64
637	   Call-ID: ZDQ1ZjNhMjQxZjZlYjNkZjUyYjJhMDA5MTAxYjRhMmE.
638	   CSeq: 4308 MESSAGE
639	   Content-Length: 0

641	4.  Callflow with S/MIME-secured Message

643	4.1.  MESSAGE Request with Signed Body

645	   Below is an example of a signed message.  The values on the Content-
646	   Type line (multipart/signed) and on the Content-Disposition line have
647	   been broken across lines to fit on the page, but they are not broken
648	   across lines in actual implementations.

650	   MESSAGE sip:kumiko@example.net SIP/2.0
651	   <allOneLine>
652	   Via: SIP/2.0/TCP 192.0.2.2:15001;
653	        branch=z9hG4bK-d8754z-81e4f73858c3585d-1---d8754z-;
654	        rport=58316
655	   </allOneLine>
656	   Max-Forwards: 70
657	   To: <sip:kumiko@example.net>
658	   From: <sip:fluffy@example.com>;tag=74a11610
659	   Call-ID: MzBlOGM0NzkwOTExM2MyMGMyMzU3OWMzZGU0Y2Y1MTg.
660	   CSeq: 8473 MESSAGE
661	   <allOneLine>
662	   Accept: multipart/signed, text/plain, application/pkcs7-mime,
663	           application/sdp, multipart/alternative
664	   </allOneLine>
665	   <allOneLine>
666	   Content-Type: multipart/signed;boundary=7fbf310bbfc8c71c;
667	                 micalg=sha1;protocol="application/pkcs7-signature"
668	   </allOneLine>
669	   Content-Length: 774

671	   --7fbf310bbfc8c71c
672	   Content-Type: text/plain
673	   Content-Transfer-Encoding: binary

675	   Hello!
676	   --7fbf310bbfc8c71c
677	   Content-Type: application/pkcs7-signature;name=smime.p7s
678	   <allOneLine>
679	   Content-Disposition: attachment;handling=required;
680	                        filename=smime.p7s
681	   </allOneLine>
682	   Content-Transfer-Encoding: binary

684	   *****************
685	   * BINARY BLOB 1 *
686	   *****************
687	   --7fbf310bbfc8c71c--
688	   It is important to note that the signature ("BINARY BLOB 1") is
689	   computed over the MIME headers and body, but excludes the multipart
690	   boundary lines.  The value on the Message-body line ends with CRLF.
691	   The CRLF is included in the boundary and is not part of the signature
692	   computation.  To be clear, the signature is computed over data
693	   starting with the "C" in the "Content-Type" and ending with the "!"
694	   in the "Hello!".

696	   Content-Type: text/plain
697	   Content-Transfer-Encoding: binary

699	   Hello!

701	   Following is the ASN.1 parsing of encrypted contents referred to
702	   above as "BINARY BLOB 1".  Note that at address 30, the hash for the
703	   signature is specified as SHA-1.  Also note that the sender's
704	   certificate is not attached as it is optional in [RFC5652].

706	 0  472: SEQUENCE {
707	 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
708	15  457:   [0] {
709	19  453:     SEQUENCE {
710	23    1:       INTEGER 1
711	26   11:       SET {
712	28    9:         SEQUENCE {
713	30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
714	37    0:           NULL
715	       :           }
716	       :         }
717	39   11:       SEQUENCE {
718	41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
719	       :         }
720	52  420:       SET {
721	56  416:         SEQUENCE {
722	60    1:           INTEGER 1
723	63  125:           SEQUENCE {
724	65  112:             SEQUENCE {
725	67   11:               SET {
726	69    9:                 SEQUENCE {
727	71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
728	76    2:                   PrintableString 'US'
729	       :                   }
730	       :                 }
731	80   19:               SET {
732	82   17:                 SEQUENCE {
733	84    3:                   OBJECT IDENTIFIER
734	       :                     stateOrProvinceName (2 5 4 8)
735	89   10:                   PrintableString 'California'
736	       :                   }
737	       :                 }
738	 101   17:               SET {
739	 103   15:                 SEQUENCE {
740	 105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
741	 110    8:                   PrintableString 'San Jose'
742	       :                   }
743	       :                 }
744	 120   14:               SET {
745	 122   12:                 SEQUENCE {
746	 124    3:                   OBJECT IDENTIFIER
747	       :                     organizationName (2 5 4 10)
748	 129    5:                   PrintableString 'sipit'
749	       :                   }
750	       :                 }
751	 136   41:               SET {
752	 138   39:                 SEQUENCE {
753	 140    3:                   OBJECT IDENTIFIER
754	       :                     organizationalUnitName (2 5 4 11)
755	 145   32:                   PrintableString 'Sipit Test Certificate Aut
756	hority'
757	       :                   }
758	       :                 }
759	       :               }
760	 179    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
761	       :             }
762	 190    9:           SEQUENCE {
763	 192    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
764	 199    0:             NULL
765	       :             }
766	 201   13:           SEQUENCE {
767	 203    9:             OBJECT IDENTIFIER
768	       :               rsaEncryption (1 2 840 113549 1 1 1)
769	 214    0:             NULL
770	       :             }
771	 216  256:           OCTET STRING
772	       :             0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
773	       :             69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
774	       :             0D 3C 91 B5 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0
775	       :             3A 97 15 A7 32 3B 3E 79 AB FD 97 E0 2E 41 E7 8B
776	       :             F6 20 19 E1 1B B7 73 E2 16 F8 44 01 4D 59 6E DB
777	       :             1B 49 FA 48 7E BE 96 32 4F 92 3E 2B 36 D1 26 2B
778	       :             37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
779	       :             82 5A 2D E9 3A D2 E6 BF 10 F3 41 AF 6A 20 82 D4
780	       :             69 50 FB 70 DA 88 A3 C3 91 C5 10 CE 3D 80 55 AE
781	       :             8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40
782	       :             3E A1 9D D2 E8 7C BF 40 69 6E 80 AF 73 6E 2C 7F
783	       :             DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
784	       :             87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E
785	       :             29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B 4A FE F6
786	       :             64 3E 78 8A 5B 9C 45 C0 62 FF E6 F6 89 25 00 73
787	       :             19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 7C 26
788	       :           }
789	       :         }
790	       :       }
791	       :     }
792	       :   }

794	   SHA-1 parameters may be omitted entirely, instead of being set to
795	   NULL, as mentioned in [RFC3370].  The above dump of Blob 1 has SHA-1
796	   parameters set to NULL.  Below are the same contents signed with the
797	   same key, but omitting the NULL according to [RFC3370].  This is the
798	   preferred encoding.  This is covered in greater detail in Section 5.

800	 0  468: SEQUENCE {
801	 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
802	15  453:   [0] {
803	19  449:     SEQUENCE {
804	23    1:       INTEGER 1
805	26    9:       SET {
806	28    7:         SEQUENCE {
807	30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
808	       :           }
809	       :         }
810	37   11:       SEQUENCE {
811	39    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
812	       :         }
813	50  418:       SET {
814	54  414:         SEQUENCE {
815	58    1:           INTEGER 1
816	61  125:           SEQUENCE {
817	63  112:             SEQUENCE {
818	65   11:               SET {
819	67    9:                 SEQUENCE {
820	69    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
821	74    2:                   PrintableString 'US'
822	       :                   }
823	       :                 }
824	78   19:               SET {
825	80   17:                 SEQUENCE {
826	82    3:                   OBJECT IDENTIFIER
827	       :                     stateOrProvinceName (2 5 4 8)
828	87   10:                   PrintableString 'California'
829	       :                   }
830	       :                 }

832	99   17:               SET {
833	 101   15:                 SEQUENCE {
834	 103    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
835	 108    8:                   PrintableString 'San Jose'
836	       :                   }
837	       :                 }
838	 118   14:               SET {
839	 120   12:                 SEQUENCE {
840	 122    3:                   OBJECT IDENTIFIER
841	       :                     organizationName (2 5 4 10)
842	 127    5:                   PrintableString 'sipit'
843	       :                   }
844	       :                 }
845	 134   41:               SET {
846	 136   39:                 SEQUENCE {
847	 138    3:                   OBJECT IDENTIFIER
848	       :                     organizationalUnitName (2 5 4 11)
849	 143   32:                   PrintableString 'Sipit Test Certificate Aut
850	hority'
851	       :                   }
852	       :                 }
853	       :               }
854	 177    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
855	       :             }
856	 188    7:           SEQUENCE {
857	 190    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
858	       :             }
859	 197   13:           SEQUENCE {
860	 199    9:             OBJECT IDENTIFIER
861	       :               rsaEncryption (1 2 840 113549 1 1 1)
862	 210    0:             NULL
863	       :             }
864	 212  256:           OCTET STRING
865	       :             0F 8A 9A BE F0 A8 9B 91 3D C1 4A E5 62 C1 FB 5D
866	       :             69 70 4E 36 F8 3C C5 7A D5 06 6A 62 1E 6C 2E 17
867	       :             0D 3C 91 B5 39 C7 81 CF 77 B7 61 3B 2E 97 76 C0
868	       :             3A 97 15 A7 32 3B 3E 79 AB FD 97 E0 2E 41 E7 8B
869	       :             F6 20 19 E1 1B B7 73 E2 16 F8 44 01 4D 59 6E DB
870	       :             1B 49 FA 48 7E BE 96 32 4F 92 3E 2B 36 D1 26 2B
871	       :             37 9B 01 CD C7 39 FA A5 29 41 A5 ED BD F3 71 DB
872	       :             82 5A 2D E9 3A D2 E6 BF 10 F3 41 AF 6A 20 82 D4
873	       :             69 50 FB 70 DA 88 A3 C3 91 C5 10 CE 3D 80 55 AE
874	       :             8C 99 1E 54 B6 06 3E CA 64 90 FA E2 4F A6 B0 40
875	       :             3E A1 9D D2 E8 7C BF 40 69 6E 80 AF 73 6E 2C 7F
876	       :             DD A3 08 FF 52 F1 41 51 4D 86 34 5A 1C D6 92 3C
877	       :             87 C8 0A 52 32 8D AA F6 45 1B 5C A0 6A E7 64 1E
878	       :             29 12 84 53 4B 2E 0B 72 0E 5E 5B 9A 4B 4A FE F6
879	       :             64 3E 78 8A 5B 9C 45 C0 62 FF E6 F6 89 25 00 73
880	       :             19 4B E0 08 D2 F5 FE 32 D2 47 EC F1 4D 74 7C 26
881	       :           }
882	       :         }
883	       :       }
884	       :     }
885	       :   }

887	4.2.  MESSAGE Request with Encrypted Body

889	   Below is an example of an encrypted text/plain message that says
890	   "Hello!".  The binary encrypted contents have been replaced with the
891	   block "BINARY BLOB 2".

893	   MESSAGE sip:kumiko@example.net SIP/2.0
894	   <allOneLine>
895	   Via: SIP/2.0/TCP 192.0.2.2:15001;
896	        branch=z9hG4bK-d8754z-609333791d00044c-1---d8754z-;
897	        rport=58318
898	   </allOneLine>
899	   Max-Forwards: 70
900	   To: <sip:kumiko@example.net>
901	   From: <sip:fluffy@example.com>;tag=625ceb5b
902	   Call-ID: NDY4ZjJjMDllZTA4OTNlYjNhYjQ3NmE1YjIzODk5NGM.
903	   CSeq: 3260 MESSAGE
904	   <allOneLine>
905	   Accept: multipart/signed, text/plain, application/pkcs7-mime,
906	           application/sdp, multipart/alternative
907	   </allOneLine>
908	   <allOneLine>
909	   Content-Disposition: attachment;handling=required;
910	                        filename=smime.p7
911	   </allOneLine>
912	   Content-Transfer-Encoding: binary
913	   <allOneLine>
914	   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
915	                 name=smime.p7m
916	   </allOneLine>
917	   Content-Length: 565

919	   *****************
920	   * BINARY BLOB 2 *
921	   *****************

923	   Following is the ASN.1 parsing of "BINARY BLOB 2".  Note that at
924	   address 454, the encryption is set to aes128-CBC.

926	 0  561: SEQUENCE {
927	 4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
928	15  546:   [0] {
929	19  542:     SEQUENCE {
930	23    1:       INTEGER 0
931	26  409:       SET {
932	30  405:         SEQUENCE {
933	34    1:           INTEGER 0
934	37  125:           SEQUENCE {
935	39  112:             SEQUENCE {
936	41   11:               SET {
937	43    9:                 SEQUENCE {
938	45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
939	50    2:                   PrintableString 'US'
940	       :                   }
941	       :                 }
942	54   19:               SET {
943	56   17:                 SEQUENCE {
944	58    3:                   OBJECT IDENTIFIER
945	       :                     stateOrProvinceName (2 5 4 8)
946	63   10:                   PrintableString 'California'
947	       :                   }
948	       :                 }
949	75   17:               SET {
950	77   15:                 SEQUENCE {
951	79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
952	84    8:                   PrintableString 'San Jose'
953	       :                   }
954	       :                 }
955	94   14:               SET {
956	96   12:                 SEQUENCE {
957	98    3:                   OBJECT IDENTIFIER
958	       :                     organizationName (2 5 4 10)
959	 103    5:                   PrintableString 'sipit'
960	       :                   }
961	       :                 }
962	 110   41:               SET {
963	 112   39:                 SEQUENCE {
964	 114    3:                   OBJECT IDENTIFIER
965	       :                     organizationalUnitName (2 5 4 11)
966	 119   32:                   PrintableString 'Sipit Test Certificate Aut
967	hority'
968	       :                   }
969	       :                 }
970	       :               }
971	 153    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4E
972	       :             }
973	 164   13:           SEQUENCE {
974	 166    9:             OBJECT IDENTIFIER
975	       :               rsaEncryption (1 2 840 113549 1 1 1)
976	 177    0:             NULL
977	       :             }
978	 179  256:           OCTET STRING
979	       :             13 04 66 18 17 D5 24 A6 2C 67 91 92 A0 1F FC B6
980	       :             22 71 09 E7 C0 D9 B3 FB 0D C0 27 CC E4 E0 A1 FF
981	       :             FC CC AF B4 81 16 B2 D7 C3 53 78 49 59 DD DD 84
982	       :             DB BC E4 D5 E0 D9 D0 C0 E5 E1 5E 98 3C 2E 20 7B
983	       :             BC 3A 00 3B AC 88 71 91 46 F2 94 47 D0 D9 05 F6
984	       :             1B F3 EA 79 B7 69 21 97 DD E0 64 5D A8 30 56 BE
985	       :             BF 40 97 73 58 67 65 BE F6 53 C9 C0 D2 B3 61 07
986	       :             97 42 CB 68 37 97 E4 C3 AB 10 09 66 53 E9 72 C7
987	       :             A4 66 0C 09 06 12 E1 49 67 B9 40 D6 0B BA 52 7D
988	       :             C3 9E B7 30 51 4B 41 CB 5F AF EC A8 A0 AA 69 FF
989	       :             30 06 8B A4 23 E5 F7 05 05 86 F5 CE AD 7B FF BA
990	       :             5D 46 4C 2E FE 6D 7C E2 21 7A 75 37 10 7E 0D 4D
991	       :             82 9E 44 B1 34 AB D0 59 A8 F8 14 6A BD 3D 65 3E
992	       :             6B 37 2E F8 54 7B 47 49 2F 55 7B E8 76 2E BD 8E
993	       :             3F 1E D9 86 95 1A 05 EC 1A 62 96 0F 56 95 9B 26
994	       :             CD E2 8A D6 81 EF 1C 92 D1 F2 81 34 83 8C 3F EF
995	       :           }
996	       :         }
997	 439  124:       SEQUENCE {
998	 441    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
999	 452   29:         SEQUENCE {
1000	 454    9:           OBJECT IDENTIFIER
1001	       :             aes128-CBC (2 16 840 1 101 3 4 1 2)
1002	 465   16:           OCTET STRING
1003	       :             F9 4F C2 92 49 32 EB A9 E0 A5 AC AB EF 01 5D A5
1004	       :           }
1005	 483   80:         [0]
1006	       :           95 F0 53 3D 18 09 77 30 D2 AC 2B 1E 0A 51 E9 EB
1007	       :           E4 32 8B CA 69 8D BA E5 46 63 9C 99 35 20 70 D3
1008	       :           EE 7A 21 4B C3 E9 53 E5 B0 7D 26 9A 6A 5C 11 6F
1009	       :           59 72 B3 91 1E 98 95 F6 69 89 41 E6 22 5B 2F EB
1010	       :           F5 9C 71 29 BB 1E 01 97 9E 96 EB 39 8A A2 C6 FC
1011	       :         }
1012	       :       }
1013	       :     }
1014	       :   }

1016	4.3.  MESSAGE Request with Encrypted and Signed Body

1018	   In the example below, some of the header values have been split
1019	   across mutliple lines.  Where the lines have been broken, the
1020	   <allOneLine> convention has been used.  This was only done to make it
1021	   fit in the RFC format.  Specifically, the application/pkcs7-mime
1022	   Content-Type line is one line with no whitespace between the "mime;"
1023	   and the "smime-type".  The values are split across lines for
1024	   formatting, but are not split in the real message.  The binary
1025	   encrypted content has been replaced with "BINARY BLOB 3", and the
1026	   binary signed content has been replaced with "BINARY BLOB 4".

1028	   MESSAGE sip:kumiko@example.net SIP/2.0
1029	   <allOneLine>
1030	   Via: SIP/2.0/TCP 192.0.2.2:15001;
1031	        branch=z9hG4bK-d8754z-69c41c074ef38f70-1---d8754z-;
1032	        rport=58319
1033	   </allOneLine>
1034	   Max-Forwards: 70
1035	   To: <sip:kumiko@example.net>
1036	   From: <sip:fluffy@example.com>;tag=85475653
1037	   Call-ID: NmVjYjE0NzNhNjczMDEyZGM3YWM5NmRjYWQxY2JlYTI.
1038	   CSeq: 5449 MESSAGE
1039	   <allOneLine>
1040	   Accept: multipart/signed, text/plain, application/pkcs7-mime,
1041	           application/sdp, multipart/alternative
1042	   </allOneLine>
1043	   <allOneLine>
1044	   Content-Type: multipart/signed;boundary=30145b1e6548046b;
1045	                 micalg=sha1;protocol="application/pkcs7-signature"
1046	   </allOneLine>
1047	   Content-Length: 1455

1049	   --30145b1e6548046b
1050	   <allOneLine>
1051	   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
1052	                 name=smime.p7m
1053	   </allOneLine>
1054	   <allOneLine>
1055	   Content-Disposition: attachment;handling=required;
1056	                        filename=smime.p7
1057	   </allOneLine>
1058	   Content-Transfer-Encoding: binary

1060	   *****************
1061	   * BINARY BLOB 3 *
1062	   *****************
1063	   --30145b1e6548046b
1064	   Content-Type: application/pkcs7-signature;name=smime.p7s
1065	   <allOneLine>
1066	   Content-Disposition: attachment;handling=required;
1067	                        filename=smime.p7s
1068	   </allOneLine>
1069	   Content-Transfer-Encoding: binary

1071	   *****************
1072	   * BINARY BLOB 4 *
1073	   *****************
1074	   --30145b1e6548046b--
1075	   Below is the ASN.1 parsing of "BINARY BLOB 3".

1077	 0  561: SEQUENCE {
1078	 4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
1079	15  546:   [0] {
1080	19  542:     SEQUENCE {
1081	23    1:       INTEGER 0
1082	26  409:       SET {
1083	30  405:         SEQUENCE {
1084	34    1:           INTEGER 0
1085	37  125:           SEQUENCE {
1086	39  112:             SEQUENCE {
1087	41   11:               SET {
1088	43    9:                 SEQUENCE {
1089	45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
1090	50    2:                   PrintableString 'US'
1091	       :                   }
1092	       :                 }
1093	54   19:               SET {
1094	56   17:                 SEQUENCE {
1095	58    3:                   OBJECT IDENTIFIER
1096	       :                     stateOrProvinceName (2 5 4 8)
1097	63   10:                   PrintableString 'California'
1098	       :                   }
1099	       :                 }
1100	75   17:               SET {
1101	77   15:                 SEQUENCE {
1102	79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
1103	84    8:                   PrintableString 'San Jose'
1104	       :                   }
1105	       :                 }
1106	94   14:               SET {
1107	96   12:                 SEQUENCE {
1108	98    3:                   OBJECT IDENTIFIER
1109	       :                     organizationName (2 5 4 10)
1110	 103    5:                   PrintableString 'sipit'
1111	       :                   }
1112	       :                 }
1113	 110   41:               SET {
1114	 112   39:                 SEQUENCE {
1115	 114    3:                   OBJECT IDENTIFIER
1116	       :                     organizationalUnitName (2 5 4 11)
1117	 119   32:                   PrintableString 'Sipit Test Certificate Aut
1118	hority'
1119	       :                   }
1120	       :                 }
1121	       :               }
1122	 153    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4E
1123	       :             }
1124	 164   13:           SEQUENCE {
1125	 166    9:             OBJECT IDENTIFIER
1126	       :               rsaEncryption (1 2 840 113549 1 1 1)
1127	 177    0:             NULL
1128	       :             }
1129	 179  256:           OCTET STRING
1130	       :             74 D6 C9 2B 48 63 97 2B 56 C2 76 FF 0C D1 C4 EB
1131	       :             D9 F1 DE 46 F5 0E 37 81 60 F8 03 11 39 99 60 F5
1132	       :             9F 20 F8 41 53 96 C7 50 4C FF 6D 99 A0 E8 B6 B8
1133	       :             AB 97 CD 6F A7 19 58 A9 D0 2C F2 C4 B9 89 29 C0
1134	       :             66 F5 FF 80 51 CC 24 75 60 A8 D4 5D B5 4C 6D 2B
1135	       :             DE C5 A5 A8 A5 FA 7D 21 10 A5 E7 0C 98 67 66 48
1136	       :             07 EF DD 8F 68 2A 11 6D 46 4E B6 A1 A0 68 EE 51
1137	       :             6D 81 57 E9 27 98 75 B3 E5 08 CC A6 DA 7C 77 D4
1138	       :             DC 16 78 61 C7 A6 B1 CF 96 36 C9 D8 27 AC 1F D3
1139	       :             A0 AF 1F B1 65 1B C8 EF BA 9C C8 AD 4B E6 AA FC
1140	       :             53 03 8C C2 02 1F BF 20 AE 6F E7 3B 37 6D 98 A3
1141	       :             13 D1 F4 A3 F4 9A BE E0 B6 75 F5 B6 5B 86 A0 E1
1142	       :             F6 8E 93 4B 49 01 62 41 87 7B 12 B1 45 83 C6 61
1143	       :             44 A5 E8 D1 CD A6 2B 17 B5 C8 25 D3 9C C2 B8 8B
1144	       :             62 16 2C F4 50 72 F6 C3 4F 2B 33 30 59 97 BF 22
1145	       :             54 36 23 4F 10 06 61 D0 B6 F8 6F 20 BF 88 08 0B
1146	       :           }
1147	       :         }
1148	 439  124:       SEQUENCE {
1149	 441    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
1150	 452   29:         SEQUENCE {
1151	 454    9:           OBJECT IDENTIFIER
1152	       :             aes128-CBC (2 16 840 1 101 3 4 1 2)
1153	 465   16:           OCTET STRING
1154	       :             71 3B EA E0 5D FE D0 5E 6D EA AC 0B B9 6B 3A 99
1155	       :           }
1156	 483   80:         [0]
1157	       :           41 E7 5A B1 AC F0 A6 BC 9F 52 4F 83 D5 C5 6C 23
1158	       :           49 17 20 78 9D C9 73 CB CC 48 8A 61 EB 46 2D D4
1159	       :           4A 03 6A 4A 31 E9 F7 52 5B 01 A6 34 38 B9 67 DD
1160	       :           BD 78 53 59 63 5A 45 2E 02 51 18 B0 F2 43 77 4F
1161	       :           89 4E EA 21 E7 FC FF 7C FD 82 41 26 C6 D5 35 29
1162	       :         }
1163	       :       }
1164	       :     }
1165	       :   }

1167	   Below is the ASN.1 parsing of "BINARY BLOB 4".

1169	 0  472: SEQUENCE {
1170	 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
1171	15  457:   [0] {
1172	19  453:     SEQUENCE {
1173	23    1:       INTEGER 1
1174	26   11:       SET {
1175	28    9:         SEQUENCE {
1176	30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
1177	37    0:           NULL
1178	       :           }
1179	       :         }
1180	39   11:       SEQUENCE {
1181	41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
1182	       :         }
1183	52  420:       SET {
1184	56  416:         SEQUENCE {
1185	60    1:           INTEGER 1
1186	63  125:           SEQUENCE {
1187	65  112:             SEQUENCE {
1188	67   11:               SET {
1189	69    9:                 SEQUENCE {
1190	71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
1191	76    2:                   PrintableString 'US'
1192	       :                   }
1193	       :                 }
1194	80   19:               SET {
1195	82   17:                 SEQUENCE {
1196	84    3:                   OBJECT IDENTIFIER
1197	       :                     stateOrProvinceName (2 5 4 8)
1198	89   10:                   PrintableString 'California'
1199	       :                   }
1200	       :                 }
1201	 101   17:               SET {
1202	 103   15:                 SEQUENCE {
1203	 105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
1204	 110    8:                   PrintableString 'San Jose'
1205	       :                   }
1206	       :                 }
1207	 120   14:               SET {
1208	 122   12:                 SEQUENCE {
1209	 124    3:                   OBJECT IDENTIFIER
1210	       :                     organizationName (2 5 4 10)
1211	 129    5:                   PrintableString 'sipit'
1212	       :                   }
1213	       :                 }
1214	 136   41:               SET {
1215	 138   39:                 SEQUENCE {
1216	 140    3:                   OBJECT IDENTIFIER
1217	       :                     organizationalUnitName (2 5 4 11)

1219	 145   32:                   PrintableString 'Sipit Test Certificate Aut
1220	hority'
1221	       :                   }
1222	       :                 }
1223	       :               }
1224	 179    9:             INTEGER 00 96 A3 84 17 4E EF 8A 4D
1225	       :             }
1226	 190    9:           SEQUENCE {
1227	 192    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
1228	 199    0:             NULL
1229	       :             }
1230	 201   13:           SEQUENCE {
1231	 203    9:             OBJECT IDENTIFIER
1232	       :               rsaEncryption (1 2 840 113549 1 1 1)
1233	 214    0:             NULL
1234	       :             }
1235	 216  256:           OCTET STRING
1236	       :             7E A7 3D FD 62 05 89 BD 84 04 E7 6C E1 9C 12 90
1237	       :             D5 23 55 65 54 D8 57 30 60 93 14 8A F0 99 E5 B7
1238	       :             81 2B 99 14 4A B0 05 A4 DB 5A FD F2 2B E2 F3 43
1239	       :             7E 29 37 F3 08 76 95 1C 43 B0 98 E6 09 81 28 95
1240	       :             FB DF FD CD AF 70 DA 07 21 67 99 11 C4 B9 D6 01
1241	       :             9A 6C CC 58 9F 2D A6 44 D3 72 D3 5C 96 3B E1 E2
1242	       :             F4 90 31 66 A3 B7 66 1B FD 2E 29 58 1D 18 15 BA
1243	       :             ED 26 D4 B1 A5 F8 67 F4 34 32 45 EA AB 22 AD B7
1244	       :             66 BC 3D 2A 07 1C EF 83 67 94 B3 DE A5 FA F5 51
1245	       :             FD 8B C5 F0 86 06 C4 ED FB FB E1 32 F3 4B C2 41
1246	       :             FC 8F FD CD 9E FF 9B 1D 09 8C E4 F9 45 0F 65 DC
1247	       :             C6 83 A3 96 8E 8B 68 E4 B3 3F 33 EC 1C 06 EB 36
1248	       :             21 23 4C 47 AB 2C A1 EB 1A 37 01 78 9E 97 5D A8
1249	       :             FF 7F B6 B2 33 A8 02 01 E3 C5 ED E8 28 0C 6A D9
1250	       :             A0 7B EA 47 56 3E 9B 24 9C 14 71 40 8F A4 5C 6A
1251	       :             34 47 28 DE C4 6B 7C F1 05 5D 2E 31 29 4C 67 E4
1252	       :           }
1253	       :         }
1254	       :       }
1255	       :     }
1256	       :   }

1258	5.  Observed Interoperability Issues

1260	   This section describes some common interoperability problems.  These
1261	   were observed by the authors at SIPit interoperability events.
1262	   Implementers should be careful to verify that their systems do not
1263	   introduce these common problems, and, when possible, make their
1264	   clients forgiving in what they receive.  Implementations should take
1265	   extra care to produce reasonable error messages when interacting with
1266	   software that has these problems.

1268	   Some SIP clients incorrectly only do SSLv3 and do not support TLS.
1269	   See Section 26.2.1 of [RFC3261].

1271	   Many SIP clients were found to accept expired certificates with no
1272	   warning or error.  See Section 4.1.2.5 of [RFC5280].

1274	   When used with SIP, TLS and S/MIME provide the identity of the peer
1275	   that a client is communicating with in the Subject Alternative Name
1276	   in the certificate.  The software checks that this name corresponds
1277	   to the identity the server is trying to contact.  Normative text
1278	   describing path validation can be found in Section 7 of [RFC5922] and
1279	   Section 6 of [RFC5280].  If a client is trying to set up a TLS
1280	   connection to good.example.com and it gets a TLS connection set up
1281	   with a server that presents a valid certificate but with the name
1282	   evil.example.com, it will typically generate an error or warning of
1283	   some type.  Similarly with S/MIME, if a user is trying to communicate
1284	   with sip:fluffy@example.com, one of the items in the Subject
1285	   Alternate Name set in the certificate will need to match according to
1286	   the certificate validation rules in Section 23 of [RFC3261] and
1287	   Section 6 of [RFC5280].

1289	   Some implementations used binary MIME encodings while others used
1290	   base64.  It is advisable that implementations send only binary and
1291	   are prepared to receive either.  See Section 3.2 of [RFC5621].

1293	   In several places in this document, the messages contain the encoding
1294	   for the SHA-1 digest algorithm identifier.  The preferred form for
1295	   encoding as set out in Section 2 of [RFC3370] is the form in which
1296	   the optional AlgorithmIdentifier parameter field is omitted.
1297	   However, [RFC3370] also says the recipients need to be able to
1298	   receive the form in which the AlgorithmIdentifier parameter field is
1299	   present and set to NULL.  Examples of the form using NULL can be
1300	   found in Section 4.2 of [RFC4134].  Receivers really do need to be
1301	   able to receive the form that includes the NULL because the NULL
1302	   form, while not preferred, is what was observed as being generated by
1303	   most implementations.  Implementers should also note that if the
1304	   algorithm is MD5 instead of SHA-1, then the form that omits the
1305	   AlgorithmIdentifier parameters field is not allowed and the sender
1306	   has to use the form where the NULL is included.

1308	   The preferred encryption algorithm for S/MIME in SIP is AES as
1309	   defined in [RFC3853].

1311	   Observed S/MIME interoperability has been better when UAs did not
1312	   attach the senders' certificates.  Attaching the certificates
1313	   significantly increases the size of the messages, which should be
1314	   considered when sending over UDP.  Furthermore, the receiver cannot
1315	   rely on the sender to always send the certificate, so it does not
1316	   turn out to be useful in most situations.

1318	   Please note that the certificate path validation algorithm described
1319	   in Section 6 of [RFC5280] is a complex algorithm for which all of the
1320	   details matter.  There are numerous ways in which failing to
1321	   precisely implement the algorithm as specified in Section 6 of
1322	   [RFC5280] can create a security flaw, a simple example of which is
1323	   the failure to check the expiration date that is already mentioned
1324	   above.  It is important for developers to ensure that this validation
1325	   is performed and that the results are verified by their applications
1326	   or any libraries that they use.

1328	6.  Additional Test Scenarios

1330	   This section provides a non-exhaustive list of tests that
1331	   implementations should perform while developing systems that use
1332	   S/MIME and TLS for SIP.

1334	   Much of the required behavior for inspecting certificates when using
1335	   S/MIME and TLS with SIP is currently underspecified.  The non-
1336	   normative recommendations in this document capture the current
1337	   folklore around that required behavior, guided by both related
1338	   normative works such as [RFC4474] (particulary, Section 13.4 Domain
1339	   Names and Subordination) and informative works such as [RFC2818]
1340	   Section 3.1.  To summarize, test plans should:

1342	   o  For S/MIME secured bodies, assure that the peer's URI (address-of-
1343	      record, as per [RFC3261] Section 23.3) appears in the
1344	      subjectAltName of the peer's certifcate as a
1345	      uniformResourceIdentifier field.

1347	   o  For TLS, assure that the peer's hostname appears as described in
1348	      [RFC5922].  Also:

1350	      *  assure an exact match in a dNSName entry in the subjectAltName
1351	         if there are any dNSNames in the subjectAltName.  Wildcard
1352	         matching is not allowed against these dNSName entries.  See
1353	         Section 7.1 of [RFC5922].

1355	      *  assure that the most specific CommonName in the Subject field
1356	         matches if there are no dNSName entries in the subjectAltName
1357	         at all (which is not the same as there being no matching
1358	         dNSName entries).  This match can be either exact, or against
1359	         an entry that uses the wildcard matching character '*'

1361	      The peer's hostname is discovered from the initial DNS query in
1362	      the server location process [RFC3263].

1364	   o  IP addresses can appear in subjectAltName ([RFC5280]) of the
1365	      peer's certificate, e.g.  "IP:192.168.0.1".  Note that if IP
1366	      addresses are used in subjectAltName, there are important
1367	      ramifications regarding the use of Record-Route headers that also
1368	      need to be considered.  See Section 7.5 of [RFC5922].  Use of IP
1369	      addresses instead of domain names is inadvisable.

1371	   For each of these tests, an implementation will proceed past the
1372	   verification point only if the certificate is "good".  S/MIME
1373	   protected requests presenting bad certificate data will be rejected.
1374	   S/MIME protected responses presenting bad certificate information
1375	   will be ignored.  TLS connections involving bad certificate data will
1376	   not be completed.

1378	   1.   S/MIME : Good peer certificate

1380	   2.   S/MIME : Bad peer certificate (peer URI does not appear in
1381	        subjAltName)

1383	   3.   S/MIME : Bad peer certificate (valid authority chain does not
1384	        end at a trusted CA)

1386	   4.   S/MIME : Bad peer certificate (incomplete authority chain)

1388	   5.   S/MIME : Bad peer certificate (the current time does not fall
1389	        within the period of validity)

1391	   6.   S/MIME : Bad peer certificate (certificate or cert in authority
1392	        chain has been revoked)

1394	   7.   S/MIME : Bad peer certificate ("Digital Signature" is not
1395	        specified as an X509v3 Key Usage)

1397	   8.   TLS : Good peer certificate (hostname appears in dNSName in
1398	        subjAltName)

1400	   9.   TLS : Good peer certificate (no dNSNames in subjAltName,
1401	        hostname appears in CN of Subject)

1403	   10.  TLS : Good peer certificate (CN of Subject empty, and
1404	        subjectAltName extension contains an iPAddress stored in the
1405	        octet string in network byte order form as specified in RFC 791
1406	        [RFC0791])

1408	   11.  TLS : Bad peer certificate (no match in dNSNames or in the
1409	        Subject CN)

1411	   12.  TLS : Bad peer certificate (valid authority chain does not end
1412	        at a trusted CA)

1414	   13.  TLS : Bad peer certificate (incomplete authority chain)

1416	   14.  TLS : Bad peer certificate (the current time does not fall
1417	        within the period of validity)

1419	   15.  TLS : Bad peer certificate (certificate or cert in authority
1420	        chain has been revoked)

1422	   16.  TLS : Bad peer certificate ("TLS Web Server Authentication" is
1423	        not specified as an X509v3 Key Usage)

1425	   17.  TLS : Bad peer certificate (Neither "SIP Domain" nor "Any
1426	        Extended Key Usage" specified as an X509v3 Extended Key Usage,
1427	        and X509v3 Extended Key Usage is present)

1429	7.  IANA Considerations

1431	   No IANA actions are required.

1433	8.  Acknowledgments

1435	   Many thanks to the developers of all the open source software used to
1436	   create these call flows.  This includes the underlying crypto and TLS
1437	   software used from openssl.org, the SIP stack from
1438	   www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org.
1439	   The TLS flow dumps were done with SSLDump from
1440	   http://www.rtfm.com/ssldump.  The book "SSL and TLS" [EKR-TLS] was a
1441	   huge help in developing the code for these flows.  It's sad there is
1442	   no second edition.

1444	   Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat
1445	   Chan, and Lyndsay Campbell who all helped find and correct mistakes
1446	   in this document.

1448	   Vijay Gurbani and Alan Jeffrey contributed much of the additional
1449	   test scenario content.

1451	9.  Security Considerations

1453	   Implementers must never use any of the certificates provided in this
1454	   document in anything but a test environment.  Installing the CA root
1455	   certificates used in this document as a trusted root in operational
1456	   software would completely destroy the security of the system while
1457	   giving the user the impression that the system was operating
1458	   securely.

1460	   This document recommends some things that implementers might test or
1461	   verify to improve the security of their implementations.  It is
1462	   impossible to make a comprehensive list of these, and this document
1463	   only suggests some of the most common mistakes that have been seen at
1464	   the SIPit interoperability events.  Just because an implementation
1465	   does everything this document recommends does not make it secure.

1467	   This document does not show any messages to check certificate
1468	   revocation status (see Sections 3.3 and 6.3 of [RFC5280]) as that is
1469	   not part of the SIP call flow.  The expectation is that revocation
1470	   status is checked regularly to protect against the possibility of
1471	   certificate compromise or repudiation.  For more information on how
1472	   certificate revocation status can be checked, see [RFC2560] (Online
1473	   Certificate Status Protocol) and [RFC5055] (Server-Based Certificate
1474	   Validation Protocol).

1476	10.  Changelog

1478	   (RFC Editor: remove this section)

1480	   -02 to -03

1482	      *  Re-worded "should" and "must" so that the document doesn't
1483	         sound like it is making normative statements.  Actual normative
1484	         behavior is referred to in the respective RFCs.

1486	      *  Section 5: re-worded paragraphs 4 and 5 regarding
1487	         subjectAltName, and added references.

1489	      *  Section 6: added references, clarified use of IP addresses, and
1490	         clarified which From/To URI is used for comparison (from
1491	         section 23.2).  Added an EKU test case.

1493	      *  Section 9: added text about certificate revocation checking.

1495	      *  Appendix B.3: new section to present certificate chains longer
1496	         than 2 (non-root CA).

1498	      *  Made examples consistently use <allOneLine> convention.

1500	      *  CSeq looks more random.

1502	      *  Serial numbers in certs are non-zero.

1504	      *  All flows re-generated using new certs.  IP addresses conform
1505	         to RFC 5737.

1507	      *  Updated references.

1509	   -01 to -02

1511	      *  Draft is now informational, not standards track.  Normative-
1512	         sounding language and references to RFC 2119 removed.

1514	      *  Add TODO: change "hello" to "Hello!" in example flows for
1515	         consistency.

1517	      *  Add TODO: Fix subjectAltName DNS:com to DNS:example.com and
1518	         DNS:net to DNS:example.net.

1520	      *  Add TODO: use allOneLine convention from RFC4475.

1522	      *  Section 3: updated open issue regarding contact headers in
1523	         MESSAGE.

1525	      *  Section 3.2: added some text about RFC 3263 and connection
1526	         reuse and closed open issue.

1528	      *  Section 5: clarified text about sender attaching certs, closed
1529	         issue.

1531	      *  Section 5: clarified text about observed problems, closed
1532	         issue.

1534	      *  Section 5: closed issue about clients vs. servers vs. proxies.

1536	      *  Section 6: updated section text and open issue where IP address
1537	         is in subjectAltName.

1539	      *  Section 6: added normative references and closed "folklore"
1540	         issue.

1542	      *  Section 6: added cases about cert usage and broken chains,
1543	         updated OPEN ISSUE: we need a SIP EKU example.

1545	      *  References: updated references to drafts and re-categorized
1546	         informative vs. normative.

1548	      *  Section 9: added some text about revocation status and closed
1549	         issue.

1551	      *  Appendix B: open issue: do we need non-root-CA certs and host
1552	         certs signed by them for help in testing cases in Section 6?

1554	      *  Miscellaneous minor editorial changes.

1556	   -00 to -01

1558	      *  Addition of OPEN ISSUES.

1560	      *  Numerous minor edits from mailing list feedback.

1562	   to -00

1564	      *  Changed RFC 3369 references to RFC 3852.

1566	      *  Changed draft-ietf-sip-identity references to RFC 4474.

1568	      *  Added an ASN.1 dump of CMS signed content where SHA-1
1569	         parameters are omitted instead of being set to ASN.1 NULL.

1571	      *  Accept headers added to messages.

1573	      *  User and domain certificates are generated with EKU as
1574	         specified in Draft SIP EKU.

1576	      *  Message content that is shown is computed using certificates
1577	         generated with EKU.

1579	      *  Message dump archive returned.

1581	      *  Message archive contains messages formed with and without EKU
1582	         certificates.

1584	   prior to -00

1586	      *  Incorporated the Test cases from Vijay Gurbani's and Alan
1587	         Jeffrey's Use of TLS in SIP draft

1589	      *  Began to capture the folklore around where identities are
1590	         carried in certificates for use with SIP

1592	      *  Removed the message dump archive pending verification (will
1593	         return in -02)

1595	11.  References

1597	11.1.  Normative References

1599	   [RFC0791]  Postel, J., "Internet Protocol", STD 5, RFC 791,
1600	              September 1981.

1602	   [RFC2560]  Myers, M., Ankney, R., Malpani, A., Galperin, S., and C.
1603	              Adams, "X.509 Internet Public Key Infrastructure Online
1604	              Certificate Status Protocol - OCSP", RFC 2560, June 1999.

1606	   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
1607	              A., Peterson, J., Sparks, R., Handley, M., and E.
1608	              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
1609	              June 2002.

1611	   [RFC3263]  Rosenberg, J. and H. Schulzrinne, "Session Initiation
1612	              Protocol (SIP): Locating SIP Servers", RFC 3263,
1613	              June 2002.

1615	   [RFC3370]  Housley, R., "Cryptographic Message Syntax (CMS)
1616	              Algorithms", RFC 3370, August 2002.

1618	   [RFC3428]  Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C.,
1619	              and D. Gurle, "Session Initiation Protocol (SIP) Extension
1620	              for Instant Messaging", RFC 3428, December 2002.

1622	   [RFC3853]  Peterson, J., "S/MIME Advanced Encryption Standard (AES)
1623	              Requirement for the Session Initiation Protocol (SIP)",
1624	              RFC 3853, July 2004.

1626	   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
1627	              Authenticated Identity Management in the Session
1628	              Initiation Protocol (SIP)", RFC 4474, August 2006.

1630	   [RFC5055]  Freeman, T., Housley, R., Malpani, A., Cooper, D., and W.
1631	              Polk, "Server-Based Certificate Validation Protocol
1632	              (SCVP)", RFC 5055, December 2007.

1634	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
1635	              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

1637	   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
1638	              Housley, R., and W. Polk, "Internet X.509 Public Key
1639	              Infrastructure Certificate and Certificate Revocation List
1640	              (CRL) Profile", RFC 5280, May 2008.

1642	   [RFC5621]  Camarillo, G., "Message Body Handling in the Session
1643	              Initiation Protocol (SIP)", RFC 5621, September 2009.

1645	   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
1646	              RFC 5652, September 2009.

1648	   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
1649	              Mail Extensions (S/MIME) Version 3.2 Message
1650	              Specification", RFC 5751, January 2010.

1652	   [RFC5922]  Gurbani, V., Lawrence, S., and A. Jeffrey, "Domain
1653	              Certificates in the Session Initiation Protocol (SIP)",
1654	              RFC 5922, June 2010.

1656	   [RFC5923]  Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in
1657	              the Session Initiation Protocol (SIP)", RFC 5923,
1658	              June 2010.

1660	   [RFC5924]  Lawrence, S. and V. Gurbani, "Extended Key Usage (EKU) for
1661	              Session Initiation Protocol (SIP) X.509 Certificates",
1662	              RFC 5924, June 2010.

1664	   [X.509]    International Telecommunications Union, "Information
1665	              technology - Open Systems Interconnection - The Directory:
1666	              Public-key and attribute certificate frameworks", ITU-
1667	              T Recommendation X.509 (2005), ISO/IEC 9594-8:2005.

1669	   [X.683]    International Telecommunications Union, "Information
1670	              technology - Abstract Syntax Notation One (ASN.1):
1671	              Parameterization of ASN.1 specifications", ITU-
1672	              T Recommendation X.683 (2002), ISO/IEC 8824-4:2002, 2002.

1674	11.2.  Informative References

1676	   [EKR-TLS]  Rescorla, E., "SSL and TLS - Designing and Building Secure
1677	              Systems", 2001.

1679	   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

1681	   [RFC4134]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
1682	              July 2005.

1684	   [RFC4475]  Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J.,
1685	              and H. Schulzrinne, "Session Initiation Protocol (SIP)
1686	              Torture Test Messages", RFC 4475, May 2006.

1688	   [ssldump-manpage]
1689	              Rescorla, E., "SSLDump manpage".

1691	Appendix A.  Making Test Certificates

1693	   These scripts allow you to make certificates for test purposes.  The
1694	   certificates will all share a common CA root so that everyone running
1695	   these scripts can have interoperable certificates.  WARNING - these
1696	   certificates are totally insecure and are for test purposes only.
1697	   All the CA created by this script share the same private key to
1698	   facilitate interoperability testing, but this totally breaks the
1699	   security since the private key of the CA is well known.

1701	   The instructions assume a Unix-like environment with openssl
1702	   installed, but openssl does work in Windows too.  OpenSSL version
1703	   0.9.8j was used to generate the certificates used in this document.
1704	   Make sure you have openssl installed by trying to run "openssl".  Run
1705	   the makeCA script found in Appendix A.1; this creates a subdirectory
1706	   called demoCA.  If the makeCA script cannot find where your openssl
1707	   is installed you will have to set an environment variable called
1708	   OPENSSLDIR to whatever directory contains the file openssl.cnf.  You
1709	   can find this with a "locate openssl.cnf".  You are now ready to make
1710	   certificates.

1712	   To create certs for use with TLS, run the makeCert script found in
1713	   Appendix A.2 with the fully qualified domain name of the proxy you
1714	   are making the certificate for.  For example, "makeCert
1715	   host.example.net".  This will generate a private key and a
1716	   certificate.  The private key will be left in a file named
1717	   domain_key_example.net.pem in pem format.  The certificate will be in
1718	   domain_cert_example.net.pem.  Some programs expect both the
1719	   certificate and private key combined together in a PKCS12 format
1720	   file.  This is created by the script and left in a file named
1721	   example.net.p12.  Some programs expect this file to have a .pfx
1722	   extension instead of .p12 - just rename the file if needed.  A file
1723	   with a certificate signing request, called example.net.csr, is also
1724	   created and can be used to get the certificate signed by another CA.

1726	   A second argument indicating the number of days for which the
1727	   certificate should be valid can be passed to the makeCert script.  It
1728	   is possible to make an expired certificate using the command
1729	   "makeCert host.example.net 0".

1731	   Anywhere that a password is used to protect a certificate, the
1732	   password is set to the string "password".

1734	   The root certificate for the CA is in the file
1735	   root_cert_fluffyCA.pem.

1737	   For things that need DER format certificates, a certificate can be
1738	   converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM
1739	   -out cert.der -outform DER".

1741	   Some programs expect certificates in PKCS#7 format (with a file
1742	   extension of .p7c).  You can convert these from PEM format to PKCS#7
1743	   with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/
1744	   cacert.pem -outform DER -out cert.p7c"

1746	   IE (version 8), Outlook Express (version 6), and Firefox (version
1747	   3.5) can import and export .p12 files and .p7c files.  You can
1748	   convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in
1749	   cert.p7c -inform DER -outform PEM -out cert.pem".

1751	   The private key can be converted to pkcs8 format with "openssl pkcs8
1752	   -in a_key.pem -topk8 -outform DER -out a_key.p8c"

1754	   In general, a TLS client will just need the root certificate of the
1755	   CA.  A TLS server will need its private key and its certificate.
1756	   These could be in two PEM files, a single file with both certificate
1757	   and private key PEM sections, or a single .p12 file.  An S/MIME
1758	   program will need its private key and certificate, the root
1759	   certificate of the CA, and the certificate for every other user it
1760	   communicates with.

1762	A.1.  makeCA script

1764	   #!/bin/sh
1765	   set -x

1767	   rm -rf demoCA

1769	   mkdir demoCA
1770	   mkdir demoCA/certs
1771	   mkdir demoCA/crl
1772	   mkdir demoCA/newcerts
1773	   mkdir demoCA/private
1774	   # This is done to generate the exact serial number used for the RFC
1775	   echo "4902110184015C" > demoCA/serial
1776	   touch demoCA/index.txt

1778	   # You may need to modify this for where your default file is
1779	   # you can find where yours in by typing "openssl ca"
1780	   for D in /etc/ssl /usr/local/ssl /sw/etc/ssl /sw/share/ssl; do
1781	     CONF=${OPENSSLDIR:=$D}/openssl.cnf
1782	     [ -f ${CONF} ] && break
1783	   done

1785	   CONF=${OPENSSLDIR}/openssl.cnf
1786	   if [ ! -f $CONF  ]; then
1787	       echo "Can not find file $CONF - set your OPENSSLDIR variable"
1788	       exit
1789	   fi
1790	   cp $CONF openssl.cnf

1792	   cat >> openssl.cnf  <<EOF
1793	   [ sipdomain_cert ]
1794	   subjectAltName=\${ENV::ALTNAME}
1795	   basicConstraints=CA:FALSE
1796	   subjectKeyIdentifier=hash
1797	   authorityKeyIdentifier=keyid,issuer:always
1798	   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
1799	   extendedKeyUsage=serverAuth,1.3.6.1.5.5.7.3.20

1801	   [ sipdomain_req ]
1802	   basicConstraints = CA:FALSE
1803	   subjectAltName=\${ENV::ALTNAME}
1804	   subjectKeyIdentifier=hash

1806	   [ sipuser_cert ]
1807	   subjectAltName=\${ENV::ALTNAME}
1808	   basicConstraints=CA:FALSE
1809	   subjectKeyIdentifier=hash
1810	   authorityKeyIdentifier=keyid,issuer:always
1811	   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
1812	   extendedKeyUsage=emailProtection,1.3.6.1.5.5.7.3.20

1814	   [ sipuser_req ]
1815	   basicConstraints = CA:FALSE
1816	   subjectAltName=\${ENV::ALTNAME}
1817	   subjectKeyIdentifier=hash

1819	   [ sipdomain_noeku_cert ]
1820	   subjectAltName=\${ENV::ALTNAME}
1821	   basicConstraints=CA:FALSE
1822	   subjectKeyIdentifier=hash
1823	   authorityKeyIdentifier=keyid,issuer:always
1824	   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

1826	   [ sipdomain_noeku_req ]
1827	   basicConstraints = CA:FALSE
1828	   subjectAltName=\${ENV::ALTNAME}
1829	   subjectKeyIdentifier=hash

1831	   [ sipuser_noeku_cert ]
1832	   subjectAltName=\${ENV::ALTNAME}
1833	   basicConstraints=CA:FALSE
1834	   subjectKeyIdentifier=hash
1835	   authorityKeyIdentifier=keyid,issuer:always
1836	   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

1838	   [ sipuser_noeku_req ]
1839	   basicConstraints = CA:FALSE
1840	   subjectAltName=\${ENV::ALTNAME}
1841	   subjectKeyIdentifier=hash

1843	   EOF

1845	   cat > demoCA/private/cakey.pem <<EOF
1846	   -----BEGIN ENCRYPTED PRIVATE KEY-----
1847	   MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIiJYqQKtuiS0CAggA
1848	   MBQGCCqGSIb3DQMHBAiNK9djStGRcgSCBMhyfVjcNeZk9J4Mi/aWvy//9v/Htx9q
1849	   V0F6S2qdXhuSHzcJPAAoCKAvXuySszn1GSdeMcRy927nFoAf2EROawpJ5bVMe5YQ
1850	   /lkmfo/+whlsizpX9yF84NeJ71vCOXIvvhUhD9vTUzhdmV/pM3Mtb/W4f35iEgoO
1851	   y8EnSO3zs4+b2A07eoPspudj7exYgB7BFkUCnPaPF92O8GAFkcCnNRm43Dy+T22p
1852	   m1inp5QLi5ODTbIKy+5Uaki7OP9bRmrxotDOWbXlHulYH9NOMQN1BbozJ3/PJe3U
1853	   Zn2g3KHYlEUlPoYV/GLBI064dYirMCG1uKTZpCGunGOQjj5EWzWbDYIUpAnxDboN
1854	   yKBpnMQxjsBz8/lP36HcPuVw2prTbTOCyaVjOip7p11Oq2XPHkqhWHJ6ZMypDG/3
1855	   Y/qbkROZAB3FemkfPBwjisJMQSlVIUW/PoU9Jtl2sOQ45KB3ZLEzUuOM94hc1Zmd
1856	   6VP1Iaj8irQ5Jsn8MrmIXy3566It/MX/hl395I2T0misVxoqpY5KpRsVGoj0D4bx
1857	   fcitKQrReWOU1+rNGCpHoRNj+1Iv3cTn2QiBMHGB7QI17qKlTmITCRa7SdpdWvE7
1858	   ZCM1IaNuK5PgiVQymuodvWygA4oX/mmcWKRBze6rl5sUGHzHKijdp+276ochDrzZ
1859	   goyB5zqK3epF4NWeKYkm/pOOa8htzQ2rl8Fyly0jE4Diw9XciPe5KW5qjr1tOJfF
1860	   ryborU1L1pLKvgt0nsKuXIDdqmD6xhCkssE6fcC+svS/91Q5cZB8Aiu9lmB6DRuy
1861	   gtUDjafgeLXuZviyh9GyMtlVRKL61zzlpAkav84p27q1XmpmMkN7V5fbDQE+xl7k
1862	   RLXKw5lWTgj/435YM4anAPJaF/cl8EdxgK2r6sy5FBqE2uM6d2N9ghbnAPF1HlSa
1863	   wg7s+vm54MHTdIj3LWYq3hnuVU0dn5/IJvKBbadj9DdXUAio2d3GrNVkUZLNSQtm
1864	   cCGVEIvzSO2DcDZhmBM0Ub6uWPmxfXShNWJ5L7ZrW41o19ejEUcVnP7arEIdvxsZ
1865	   fBqSXMZXw2WW+nU18qlXexkI77A4sLZIOHjRKzsS2QpV6OTzMfP/EHLluLYK+C3t
1866	   8cds9cBfd2PNyv9PlZySjSBCOCkzN7udmcldyeyflBmbNoBvbu1ti7fv3/ZQWelX
1867	   K45EW+FbnSCUfrmeanrWFSs2wgxHeB0IqKvWAqraY0qYFMfiPp8d4lgK5wJqM5bk
1868	   1HRlwnUIEnXRTEe8MPW9/HNgyPeu7LlSe5D/zCjSs2qlfIsfjAi0tekITYHD19oy
1869	   vpjIkHGQeXq9N3NucuDAQ9RlZWvw9RKLkzzzY7VFT+3Zx5FaDgSM9+igGlPbAE/8
1870	   p3h+MW18StyG9DsQ0DTurhL/fhFYtjiSCksAsmjjX4lVwWaLGEk949vKISCdAlab
1871	   BS7YUMBHrsvywTDdwygENzNlDQ1OK5d2zTjcdpSe8z+yrWj3dKLVCO9QPSkuECo6
1872	   Izm6JmZXCjn4+PhPmChZGIoB8E3cTyuLd64AzyhSAY0J0myNYVE9Po90yPp+J/86
1873	   D6dpNldxJTWm5/myrbdT2dvc2glV0XUIdMKMc16aaD7AX56fCfYt7sWyAZ6nAgwm
1874	   t4U=
1875	   -----END ENCRYPTED PRIVATE KEY-----
1876	   EOF

1878	   cat > demoCA/cacert.pem <<EOF
1879	   -----BEGIN CERTIFICATE-----
1880	   MIIEOzCCAyOgAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
1881	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
1882	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
1883	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyMzYyOVoYDzIxMTAxMTEyMjIzNjI5WjBwMQsw
1884	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
1885	   c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj
1886	   YXRlIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOzA
1887	   rew7DXtqlSSW3DPCHfazDa/tX3OctV/cOiGVIIHBKWOgNIbt8UyKZpA3lasPjLLa
1888	   VanKyq5QEOs0KNfYmFsU7PzEVdTGY1ru6OxBCNO+KJ6xiU3Sa1f2qnfJCPz5JaCj
1889	   48y/8MDymVnl788KOtc4vGv5bP9uoNCyYk+YcvDwHR1AhFAFm24VPEm2nVgFoQ3P
1890	   ke7tKA8P4Q9xiqZufCqtrq7EjY4qLoqirGeFLqqCDks4senyhCMMmOBXuDhw9Imp
1891	   lMuaXhVSukUKgJ8zgs/i8uuP+WE8iut0sXyH+QwvIM4NvmmP0bxdxYrlGgtdcGXI
1892	   AvNGhSXTiIzdgFXZaZsCAwEAAaOB1TCB0jAdBgNVHQ4EFgQUuzeOR8daNNt62fh2
1893	   tnWO0OQTF0UwgaIGA1UdIwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRy
1894	   MHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhT
1895	   YW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2Vy
1896	   dGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0TBAUwAwEB/zANBgkq
1897	   hkiG9w0BAQUFAAOCAQEAsXXUVqtwFKDuZ6PsBwwdiyxf1xzz4wG6PZ3aR0kx1YH1
1898	   LdJmpSwf28MtijJq7CKLsVhjVyOINJ9s34x7c4wqfNMjApdUdvM0JX/RrSWHF1Yw
1899	   YUP0FmN3D3unsAuXGwXyXIYsqdU7y3OSojzcfhIwhp74V2yipChR5PfwzimcgjTy
1900	   AjxDYjaURMGttHn3bvnivfkVzOjesJ2cLxgwqes/1FbJYY14svtO5SIdAMTPzpz+
1901	   1vFPAZ2SWOB4KstpNhisG1MNhrGRNIveBV0iGCpn5erydwHWnGAXBoSDb7aIfs7I
1902	   Y9QwbZBy/ln0MgTmr9S+mUTI3j0BiNeKNTDCLXfpcA==
1903	   -----END CERTIFICATE-----
1904	   EOF

1906	   # uncomment the following lines to generate your own key pair

1908	   # openssl req -newkey rsa:2048 -passin pass:password \
1909	   #     -passout pass:password -set_serial 0x96a384174eef8a4c \
1910	   #     -sha1 -x509 -keyout demoCA/private/cakey.pem \
1911	   #     -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF
1912	   # US
1913	   # California
1914	   # San Jose
1915	   # sipit
1916	   # Sipit Test Certificate Authority
1917	   #
1918	   #
1919	   # EOF

1921	   # either randomly generate a serial number, or set it manually
1922	   # hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial
1923	   echo 96a384174eef8a4d > demoCA/serial
1924	   openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
1925	           -outform DER -out demoCA/cacert.p7c

1927	   cp demoCA/cacert.pem root_cert_fluffyCA.pem

1929	A.2.  makeCert script

1931	  #!/bin/sh
1932	  set -x

1934	  # Make a symbolic link to this file called "makeUserCert"
1935	  # if you wish to use it to make certs for users.

1937	  # ExecName=$(basename $0)
1938	  #
1939	  # if [ ${ExecName} == "makeUserCert" ]; then
1940	  #   ExtPrefix="sipuser"
1941	  # elif [ ${ExecName} == "makeEkuUserCert" ]; then
1942	  #   ExtPrefix="sipuser_eku"
1943	  # elif [ ${ExecName} == "makeEkuCert" ]; then
1944	  #   ExtPrefix="sipdomain_eku"
1945	  # else
1946	  #   ExtPrefix="sipdomain"
1947	  # fi

1949	  if [  $# == 3  ]; then
1950	    DAYS=36500
1951	  elif [ $# == 4 ]; then
1952	    DAYS=$4
1953	  else
1954	    echo "Usage: makeCert test.example.org user|domain eku|noeku [days]"
1955	    echo "       makeCert alice@example.org [days]"
1956	    echo "days is how long the certificate is valid"
1957	    echo "days set to 0 generates an invalid certificate"
1958	    exit 0
1959	  fi

1961	  ExtPrefix="sip"${2}

1963	  if [ $3 == "noeku" ]; then
1964	    ExtPrefix=${ExtPrefix}"_noeku"
1965	  fi
1966	  DOMAIN=`echo $1 | perl -ne '{print "$1\n" if (/(\w+\..*)$/)}'   `
1967	  ADDR=$1
1968	  echo "making cert for $DOMAIN ${ADDR}"

1970	  rm -f ${ADDR}_*.pem
1971	  rm -f ${ADDR}.p12

1973	  case ${ADDR} in
1974	  *:*) ALTNAME="URI:${ADDR}" ;;
1975	  *@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;;
1976	  *)   ALTNAME="DNS:${DOMAIN},URI:sip:${ADDR}" ;;
1977	  esac

1979	  rm -f demoCA/index.txt
1980	  touch demoCA/index.txt
1981	  rm -f demoCA/newcerts/*

1983	  export ALTNAME

1985	  openssl genrsa  -out ${ADDR}_key.pem 2048
1986	  openssl req -new  -config openssl.cnf -reqexts ${ExtPrefix}_req \
1987	          -sha1 -key ${ADDR}_key.pem \
1988	          -out ${ADDR}.csr -days ${DAYS} <<EOF
1989	  US
1990	  California
1991	  San Jose
1992	  sipit

1994	  ${ADDR}

1996	  EOF

1998	  if [ $DAYS == 0 ]; then
1999	  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
2000	      -passin pass:password -policy policy_anything \
2001	      -md sha1 -batch -notext -out ${ADDR}_cert.pem \
2002	      -startdate 990101000000Z \
2003	      -enddate 000101000000Z \
2004	       -infiles ${ADDR}.csr
2005	  else
2006	  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
2007	      -passin pass:password -policy policy_anything \
2008	      -md sha1 -days ${DAYS} -batch -notext -out ${ADDR}_cert.pem \
2009	       -infiles ${ADDR}.csr
2010	  fi
2011	  openssl pkcs12 -passin pass:password \
2012	      -passout pass:password -export \
2013	      -out ${ADDR}.p12 -in ${ADDR}_cert.pem \
2014	      -inkey ${ADDR}_key.pem -name ${ADDR} -certfile demoCA/cacert.pem

2016	  openssl x509 -in ${ADDR}_cert.pem -noout -text

2018	  case ${ADDR} in
2019	  *@*) mv ${ADDR}_key.pem user_key_${ADDR}.pem; \
2020	       mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;;
2021	  *)   mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \
2022	       mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;;
2023	  esac

2025	Appendix B.  Certificates for Testing

2027	   This section contains various certificates used for testing in PEM
2028	   format.

2030	B.1.  Certificates Using EKU

2032	   These certificates make use of the EKU specification described in
2033	   [RFC5924].

2035	   Fluffy's user certificate for example.com:

2037	   -----BEGIN CERTIFICATE-----
2038	   MIIEqzCCA5OgAwIBAgIJAJajhBdO74pNMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2039	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2040	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2041	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
2042	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2043	   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20w
2044	   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGqf+y4GMYegW5mjHAM7vU
2045	   Bduk3zJoQX7lbBPN8hjTm/p/RZJmEKPyTc5A3R7fE0O22fLLRKCFEVHSsPef0j6v
2046	   zX3Lq8DwANB+4EXVkUV6JXPWCIDmynNh4QTTEfVvEACpXaes2tl1khQHvYEmeZBL
2047	   marYVOU0ak9h5egiR5bx4lzlowlDInulRtiP38QY7XUXAGhulRboyhVMJfYsM4YO
2048	   eg+dmqXjjD7/xTIIJbtSCCCLlUbJUtp6FUbri46iIrjn76DlwlmDyIv3Mw73gLcR
2049	   J6w+LDeiZywiO1WQpv/A32PRIOxsfGEutdAo1wntM6YinQDeIbt8U9GfryAj9N1R
2050	   AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6Zmx1ZmZ5QGV4YW1wbGUuY29t
2051	   hhVpbTpmbHVmZnlAZXhhbXBsZS5jb22GF3ByZXM6Zmx1ZmZ5QGV4YW1wbGUuY29t
2052	   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFBPBLyiv61N/HU1mJx7X95lWMcigMIGiBgNV
2053	   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
2054	   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
2055	   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
2056	   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
2057	   BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAF3W+SNF2npRi8b+S4mZgTfv
2058	   JwOq4O2N7NC/bkwMY2q7276dbfjQ2X2JeOMfxjvbrh729FYA3fMOK/hwkfHs+AIG
2059	   wfOQkrMljVQiuAdLoe5cXBesYjcoX3ACtYAJlELP5vBw29/RlOF91XBBGku1c+xM
2060	   eHG9m9Rj11cw/OvSu32cTrnC6rabRkdG0I2OUfnd7Yh1LRg7eUvO9nZ79S9xS6Qd
2061	   Bvg3XtmKQlx2o5U28JvuWlViEiqUTv43iy5FWiEcR/3eLwE+d7kkpmZElTI3LE2Q
2062	   k7tqsx1bnAw71nDTejlGSCu6XW7YO4PLz2dbDC0uTP8SHt9ydbPPnYPO6fT0PAI=
2063	   -----END CERTIFICATE-----

2065	   Fluffy's private key for user certificate for example.com:

2067	   -----BEGIN RSA PRIVATE KEY-----
2068	   MIIEowIBAAKCAQEAxqn/suBjGHoFuZoxwDO71AXbpN8yaEF+5WwTzfIY05v6f0WS
2069	   ZhCj8k3OQN0e3xNDttnyy0SghRFR0rD3n9I+r819y6vA8ADQfuBF1ZFFeiVz1giA
2070	   5spzYeEE0xH1bxAAqV2nrNrZdZIUB72BJnmQS5mq2FTlNGpPYeXoIkeW8eJc5aMJ
2071	   QyJ7pUbYj9/EGO11FwBobpUW6MoVTCX2LDOGDnoPnZql44w+/8UyCCW7Ugggi5VG
2072	   yVLaehVG64uOoiK45++g5cJZg8iL9zMO94C3ESesPiw3omcsIjtVkKb/wN9j0SDs
2073	   bHxhLrXQKNcJ7TOmIp0A3iG7fFPRn68gI/TdUQIDAQABAoIBAEwk1lOaO4EjK9SS
2074	   rCTt7zz5rdEIl0psaBXJEeIqu6dHroBfixhBooT5m2czGWUI/jg0WyHbwOaf18u4
2075	   doC0VcCOM3v/7ahPt5oZncqYrpd9iWNsyPMsf4LxeybnSDn0WTyRH/ZZv2WXwsOg
2076	   t8Kmb076rAfUqjEn2hs8wnd5FvrISfWG2yYuht06+Tu/0OEk/DJpP9AsEcoHbWpy
2077	   tsHaPfqGiD2HEViOTXqBQ2GGJE6p/WpJvqQXDJTRkkXjuQCuNiah+p3DsUbtKkYe
2078	   YdAWhC4T/Lmq9QQiWEiEjRcFYQ45LU0jGbtqOIPOlPpq+cxlXHUVwgE6XDSC090B
2079	   YgyEL8ECgYEA8HsDj/aj28rBbiMduhAOLgVaiPrR4d9Lp5N22S2R1OXqS65cDGnU
2080	   zMjRlSBak/aLwxcFv/lGpHwoJxr13GHTid2/7h7/R8pN+USjtvC8qVAOPYujAsX6
2081	   gcl53WGo8mSciIEN5L6TpwMknP3F/FYANalyuUpkKr6dIGbVCrrbGskCgYEA03wi
2082	   QRpA/vvB21GbeneyIDcGmRX7TTCd5TfH4GFOPFNZtkw35RHOyMh6f5jN4Gf828lC
2083	   rvqhgmYaI58n9Jf8CHoOlWrXgLQadxszD4T2s+PPUmjLKKkwLLe2JpWtUxrUVbg0
2084	   9XOid8MdFybeQapUJ9BKPTufBGAAqIUvAj3LakkCgYBjWi9Klxdzgv0PR6rMaD2z
2085	   fbq9xQJZUyuqfB4p883AK4z034BgEIk+YelUtx007DMp0qUpfw9UfYcJQPY6qp/+
2086	   4YKeGmhVfJtiVJ1ew27udIitnLcoOisY2+hhMivemPqi2s6mpqXR5laGFcJqUg2c
2087	   Hfmr27QuhLnd3R4/ZJuJIQKBgAg0xeN+0EzUmgYXmY/b+yZy3CeuiazKGSZezruv
2088	   Kuj+VvnS5UxXL43s8Yvn8v0lK9OfcJ33jbLQoW0GbPd5ukbd7Zjwp2IQGwLKJGYS
2089	   w7vhOBc7h76RKhRiIIhIwIv7+4dD+ZIYpZI+GO/gCznDETbmRysvGBGEZCIl4NgW
2090	   a8E5AoGBAIzBmJ4ILr6D5ap2hXPX97FGjatcs8jl7UHOOBIKEiPJBKIwsw/n/07W
2091	   +JWtSwMAUKepSVMBJZRSugfmryO3O4dgIy4eGIIGtkzzVW/CJ+/P6f8uBOrpBr0z
2092	   woMp543+fuBjpu5B1YLP/9EmZuQf+98BCkk6uUmYekIuVNS4sbUl
2093	   -----END RSA PRIVATE KEY-----

2095	   Kumiko's user certificate for example.net:

2097	   -----BEGIN CERTIFICATE-----
2098	   MIIEqzCCA5OgAwIBAgIJAJajhBdO74pOMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2099	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2100	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2101	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM0OVoYDzIxMTAxMTEyMjI0MzQ5WjBiMQsw
2102	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2103	   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQw
2104	   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCkdtivi2PlG4flNHykpe5V
2105	   BNZiM+syZv0FInCzH0E1eWYfD34esCKXZaalQJqLzxPudFZ18uwdJ8+H7ToHQM2O
2106	   nsdfY6rBh1/51ee2Au9L2qxy2kHoRPXARmWWh4Wa1oSzBWBmWJIuof9NQbkoVnER
2107	   ikFRzDiaMvG1uh4gOTpXhxch18BCUgopUkksYheHHDDcV0CcZXmH49mo+VbOs55S
2108	   S4kWkamP3R35hOWGIBYhRa7/XnBU8Xq+7Qg4SYjy41ZTSE3l8oaayfqf8SHWOQO+
2109	   hFlHm6BlYOEnGMX4Fjn+XWllJ3GinsGmrXXJvDj8Y4ux5SxYQvzAxssF0ZeMFDPt
2110	   AgMBAAGjggFSMIIBTjBRBgNVHREESjBIhhZzaXA6a3VtaWtvQGV4YW1wbGUubmV0
2111	   hhVpbTprdW1pa29AZXhhbXBsZS5uZXSGF3ByZXM6a3VtaWtvQGV4YW1wbGUubmV0
2112	   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFKSdwO/x+f3jTWmnSXlr2GWtXYgkMIGiBgNV
2113	   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
2114	   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
2115	   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
2116	   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcD
2117	   BAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQADggEBAJFQco7QyfgyrK8+fUpsI5PH
2118	   zgey97huhCIN07H0XI7wUbGgXpBwv/IU5MT5rCk4nRpQUcCzGcKumeSqAkjdmHjP
2119	   FgyTBTlpx3+21vr9+980sw7HBNWV3tC8wzg1M8HJe8Fg9O1ESESwy0dLFcspAcRh
2120	   QNnA9C90ukcZjyObl44blQ9z9eUGlFePwirXF/g3zAf1CLiww6a6T4i0mqxFdQ4q
2121	   Kwy0iNpfU1MdRfOIr9Pv9dOLcaoijEFH9kugRBhNSVoVK2mzctJB1+XPDQqO2uwa
2122	   3FARkYFFxdNi+TktvaXxxO1S6bq1hurStsYOfHrgunPiLdRsF+JO44xYAxHPrwU=
2123	   -----END CERTIFICATE-----

2125	   Kumiko's private key for user certificate for example.net:

2127	   -----BEGIN RSA PRIVATE KEY-----
2128	   MIIEowIBAAKCAQEApHbYr4tj5RuH5TR8pKXuVQTWYjPrMmb9BSJwsx9BNXlmHw9+
2129	   HrAil2WmpUCai88T7nRWdfLsHSfPh+06B0DNjp7HX2OqwYdf+dXntgLvS9qsctpB
2130	   6ET1wEZlloeFmtaEswVgZliSLqH/TUG5KFZxEYpBUcw4mjLxtboeIDk6V4cXIdfA
2131	   QlIKKVJJLGIXhxww3FdAnGV5h+PZqPlWzrOeUkuJFpGpj90d+YTlhiAWIUWu/15w
2132	   VPF6vu0IOEmI8uNWU0hN5fKGmsn6n/Eh1jkDvoRZR5ugZWDhJxjF+BY5/l1pZSdx
2133	   op7Bpq11ybw4/GOLseUsWEL8wMbLBdGXjBQz7QIDAQABAoIBAQCUD0pT/zEXeQmG
2134	   lxH/SEKf15MJJaR/46e1j6PWHjUeZwRAwjnQdtEtax3zd42qf+p5qdKMrP1T4hs7
2135	   S54KGZT06Iykm52GTNFioefQPCQiLeNCIqti53I2fynFsovdMXKVmCmI+gPgZ4bn
2136	   jluarPdtywGzGh968pIYAE5OxDZ5xHrdP8VfgcClx31qxHSMtr3EMWiYBOfb2P77
2137	   sQW1mox7JzNjdpw2KNjMg+gBPW7J0dslG084MtDR5qMzLXtSsxYQsJjwjySXLrB4
2138	   d2o6ZpH7UTzvkxu6zzGfeX+wmDES7Gio/AuNrWMuTR+cZcs76g10nkHkPPPRj32v
2139	   /e6YRIsBAoGBAM98U6ln2C15SjjMuEn8x/xR000BPVBH650fQoJwuORqORWFqFTH
2140	   3aQZTHupmLojabBvlCx9vlpdbC9OfKW9Le+pW1F8T9o2MyEs4U82DmkLuNNd6x5U
2141	   7TRPMieQfTzbDdEMynR1Gf5D1wl95ZcuaGbSfIoJ64c/Eyh0G5WSMJdpAoGBAMrr
2142	   WEWCYZAmZfr7O9ay/zhG+EAR86SCKVdrV12okvagp18k2EEdFuk+Mx4h7cs/FIS6
2143	   P9mbasPjU/o6kmeQuuHW/M66D/5R+C7YJKxC24L7ZfSAVrqVjyXR6rfoqCaSBJoX
2144	   kgsxpS4tsUF0iC9RRehOZrJVAuaR1A8mb4OZGUvlAoGAEiQKpIshyYgLR0AO9NkX
2145	   GyaEVP1AwR4oqYosJH96iu4Go60V9KOs60YS+9TuN4gVG4oF6IXt+LSmWtR/7XXG
2146	   6GdkRpGZ4bhPbB0ibeyKAgE2XbSec/505tftyKvHZ2S3pol5wgjjBuojiP7q7fbu
2147	   xd6taNxJLYAESsssBj3L5dECgYBLwMQ5Xs0xVURpB/V012n0BnqS4KDGX1kzq3z4
2148	   GACVVbBmEokw9b0h4fiPXTc60xfD3QwNHroi2vD0z3zscNlziiDixA9IcC1ov4Qh
2149	   UuxD37pWJrs5+K9x/QXVFmP/0i8pn3cD+sqhjKlJuElG8N5aNTqdhKMKlJJH/Z9P
2150	   z43kCQKBgEpEVv4D7MDLxXMoEaPckayeGGSswbPgeb/u5Wy1PsqiaP992KrP62hq
2151	   K5uTFjRHJMuGKJfMFM/2HETJfllXSHWIMgnFz9ZRqcZ4AbLSreK2muzIKsHnusKg
2152	   DEMZo+gSRZbZrINJnxFhCgF0ttpVZ56LC2ftMmFzARzuP7e1Wu05
2153	   -----END RSA PRIVATE KEY-----

2155	   Domain certificate for example.com:

2157	   -----BEGIN CERTIFICATE-----
2158	   MIIEejCCA2KgAwIBAgIJAJajhBdO74pPMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2159	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2160	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2161	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MFoYDzIxMTAxMTEyMjI0MzUwWjBbMQsw
2162	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2163	   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJ
2164	   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0mJZ3y+ADOOo7lEfhqOw7KC3ysdMta
2165	   ecdSHOrMB4a3kzdqDioA5kf5epK4B8ksGpo0oOBjrUZu0oLMxKLNzqbiUdebzjmo
2166	   VT2xSt8n2I8CMwqEWqLs0bTB4Al5nwVquAg4gmvCDl3HT8Uhok81SlqWOtbyoFPI
2167	   /tfu7xsnBgj+JJYEIxl/ZU2BQ7B5R0O3ox8TWI7A5JKnPUSTTXTfIROUc0jwb8+N
2168	   oG0qZ46Cx8dWrxXMLcAOv0knCr2nf3HUXitu8sE3FgvkuUQpkfpIC0jo5zLUlhdW
2169	   uZq6G8EOX3gSJga0H3MNqo0X3CmJg/4IcYg9oc01SQH+Jt/HLKhE2eMCAwEAAaOC
2170	   ASgwggEkMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29thg9zaXA6ZXhhbXBsZS5jb20w
2171	   CQYDVR0TBAIwADAdBgNVHQ4EFgQUq+m8DTeiRZDyu8ux26FJKIE8GtIwgaIGA1Ud
2172	   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
2173	   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
2174	   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
2175	   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
2176	   BggrBgEFBQcDFDANBgkqhkiG9w0BAQUFAAOCAQEAjtkfGFJTKHe5CiYLDZTYP/oB
2177	   qXLyAoA8+QFcCoQ7822Gs61/05HoDLR2L+z2WpoW1V4Od+blO7toUSvYv2hcY0rY
2178	   LYRrr/Xi6ox1C+VVv131vLvu8GK83pqqxa5T1L2qpTtv840ALivI7M4q/A2OVI5N
2179	   AerACkSTAy2PlUUv3d8z39uWHyYSL7EX0vCrMbnLxMGu5lPBoBV5W6Kdrxe07HLC
2180	   nTh5Q8VYbraORLqHAyTYJKwSHL4WQjJOG6jDf6lwCxLBj5gsuSMD7qqYWkiPyDT5
2181	   vnPlXK5rorWMBA98sdKGluTA0fQRc1Xf5jx+F8aVh7Gih1CR185oJIbBPTXA0A==
2182	   -----END CERTIFICATE-----

2184	   Private key for domain certificate for example.com:

2186	   -----BEGIN RSA PRIVATE KEY-----
2187	   MIIEogIBAAKCAQEAnSYlnfL4AM46juUR+Go7DsoLfKx0y1p5x1Ic6swHhreTN2oO
2188	   KgDmR/l6krgHySwamjSg4GOtRm7SgszEos3OpuJR15vOOahVPbFK3yfYjwIzCoRa
2189	   ouzRtMHgCXmfBWq4CDiCa8IOXcdPxSGiTzVKWpY61vKgU8j+1+7vGycGCP4klgQj
2190	   GX9lTYFDsHlHQ7ejHxNYjsDkkqc9RJNNdN8hE5RzSPBvz42gbSpnjoLHx1avFcwt
2191	   wA6/SScKvad/cdReK27ywTcWC+S5RCmR+kgLSOjnMtSWF1a5mrobwQ5feBImBrQf
2192	   cw2qjRfcKYmD/ghxiD2hzTVJAf4m38csqETZ4wIDAQABAoIBAHyobQCdYxOohBUk
2193	   KxwmkJCLv473cnJ5Y860GVI75OB9sN8tVu0E56dChHPsXei7/qJCizdUeng7ouu1
2194	   KWqH3ZzOPOPOqUldebjFccIRZp0SvpBiK0/Akh1UCbcabgWrAS8sPHDkb+b+Gw4i
2195	   PxGcEU5Ii4ZE0t+DunxqAexFCWmJigAqn+FfRP765ijjI/GOzw02xEemR5GblyMI
2196	   3P8dir9btXbevic3dBS4p9IkDfSQdgJc1MvscEa4RE76J8cpuRJx5/TT1YdBqn53
2197	   Yuit1vJ44ep/tDtSbOPshmqS2nZAgZZ7IhPnmkn803r9ZlOHMRomScnrNq+kLeRl
2198	   frEjgdECgYEAzi2vY7eqY+Ok+KVVR2ZqD8uxQXwiOep2n9mdNYXAtOBPEvekFGmD
2199	   oPO6NNY2sc+mbuPYNRsjkNBwvs2Amuc7sGar9vJ3KCGdA4J5WQfC2JO4QrSAw8xH
2200	   x3uQHA5nukYqZdFQzpQ87SyOPyQrg5lIsEdj8EWOjMspr7dhkfoqQpsCgYEAwx95
2201	   C1/EnZi4gy6CrNAEuinjDOborEhWY/pEvU1h2NI3L20a1UkG522Yu3vVDhIhRUmo
2202	   z46XOJmdGAjhJ+jGuEvC/I/1/dhH43QZ/+nnbNKq8hgAjsLYB2NalJLv5Oo7bOn3
2203	   99k6Ve3jpai7UMxKN+mmF4p0BtFy7pbRUrGFNlkCgYBi8CdfCa7ZWk87BlPC/JFe
2204	   3RdFXmUqN6oPESVQnsuXwKARcQaqyOtiXDL50eXTM9shEXMaINjTUEMaPJE/REEv
2205	   aEWTLk0h0+d93KmQoJnOxixAzk+QJcI4JsJDxGHgUHVeALDvQNFv2taz1A6RiwgH
2206	   l2qMzUQXqhJqAOzwWQTYiwKBgFHRq7cqRE71UEGpyh/e5myNzeiGFwDPIHKx6gsb
2207	   HLGHjJ51eLAA/EUk/st3JKLO1WaxeXj3SM/yEh6W8psCj/mNw0iWsUbtX0+wSoq2
2208	   MVW/jPERQYKbj2yhq8TrTG7IDX0hKtqiG0UXCMNZWpqJ34FMl1n9s6N8Rl5nnYS4
2209	   bayZAoGAbDehMmO3vOUa/XdDAwxXoSB1KuONGF0u+V8tbYLrPpRQRBm1hwnQgsRC
2210	   FWE1NvNEj8nku19CP9/iuOHSCaBEsZ0jKzGr5wTRa3XO19qmBjotDcby6q11VkUM
2211	   GrbwRHncPk3H6tNED+sAaeNcmEBiBvX1HW7iVN1SAM2jj1xv79E=
2212	   -----END RSA PRIVATE KEY-----

2214	   Domain certificate for example.net:

2216	   -----BEGIN CERTIFICATE-----
2217	   MIIEejCCA2KgAwIBAgIJAJajhBdO74pQMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2218	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2219	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2220	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MVoYDzIxMTAxMTEyMjI0MzUxWjBbMQsw
2221	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2222	   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJ
2223	   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKbPap6TpwWUVOamXmS8f0LCVAKz0F/7
2224	   kIb5ec82bNlDMBvAsdFU3NXDqjEToP7qFNSKC15NvspLKVke9qVrXh6C2HzGzU+E
2225	   YQZ/A+Z7ZThevlGHlDuIAjcwjF/Fl289B/grw944cjfEVEg1rj3x3mzyC3EQdNOO
2226	   7rUlAlQxq6ddWXtfTgvDItZUOiKBkj0Atj0cJLKzdHzB+hrKDgnX72sDHIpO5M59
2227	   QFjeKaanYnjZ8GoazJ6ZWLf4tQUZpwVM1ZkoVmVY/P34GCSm+AredDseL0o2591w
2228	   3OvKv7HSNtILyoXNaN3Of1WZlHbVG3ttVAV3mFc1BlrsE2mbgHl0ExsCAwEAAaOC
2229	   ASgwggEkMCcGA1UdEQQgMB6CC2V4YW1wbGUubmV0hg9zaXA6ZXhhbXBsZS5uZXQw
2230	   CQYDVR0TBAIwADAdBgNVHQ4EFgQUipA3w0Xx3/5B9qPT6PBlak3th6IwgaIGA1Ud
2231	   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
2232	   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
2233	   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
2234	   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
2235	   BggrBgEFBQcDFDANBgkqhkiG9w0BAQUFAAOCAQEAxOpZXrdpZMLbA1GgFI4Sj4a5
2236	   9qtrweqFKFY1X+mUWvuBVpcClUgTC/sbE1kngtY7p8icF7NSbQhT5+UYwwUI0d1U
2237	   +J0K2JFF+5t5db54CMVGniMIfw/NAqA5u1kX4+N90FF4DpoG9TKwxu8Q+zfWVCag
2238	   VDMg9uYx90eM1v+Qk6LWbnYzG+ZA+VuDq+ilRw4eTqX4urTmprudxzpI7FZZLJDs
2239	   1KNBGGza1anbrdD0X7NoKaY7i0Pu2Vz7JmNFa2xC5xrswOJTho8eL00g+UXCVu4M
2240	   d8aD/tpKbGVHgjwfoorD+lDLogtnDcqTXkEnw4MM77AYScc9UQtIcODm8Y65Lw==
2241	   -----END CERTIFICATE-----

2243	   Private key for domain certificate for example.net:

2245	   -----BEGIN RSA PRIVATE KEY-----
2246	   MIIEowIBAAKCAQEAps9qnpOnBZRU5qZeZLx/QsJUArPQX/uQhvl5zzZs2UMwG8Cx
2247	   0VTc1cOqMROg/uoU1IoLXk2+ykspWR72pWteHoLYfMbNT4RhBn8D5ntlOF6+UYeU
2248	   O4gCNzCMX8WXbz0H+CvD3jhyN8RUSDWuPfHebPILcRB0047utSUCVDGrp11Ze19O
2249	   C8Mi1lQ6IoGSPQC2PRwksrN0fMH6GsoOCdfvawMcik7kzn1AWN4ppqdieNnwahrM
2250	   nplYt/i1BRmnBUzVmShWZVj8/fgYJKb4Ct50Ox4vSjbn3XDc68q/sdI20gvKhc1o
2251	   3c5/VZmUdtUbe21UBXeYVzUGWuwTaZuAeXQTGwIDAQABAoIBACdfe+4UMe86NNQA
2252	   XvVuHKe4ULYWlU+ihFmnlx3W3dhmaHuUfyRG4J1AQvK0jGK/A82rC8XlmewL06Wq
2253	   jlM7RYr0HX9OOXXUbEZpQpVreNfWXRvHYbCviL5YIjoU3IqwICpuwhu4vRT2rWIh
2254	   8Y/DgFm8xACa/shUy3lMVAFle/vTxlAuLA8eU7StYCsw8a7ZBqSWwWhbRQXAH6j0
2255	   KYo7g37SP+3GnxvvLmEARpsK11ymQLWfIqtO4lF1I/ODW0Jc1YPzF/i/wcfy1VLd
2256	   IySx84qqOKmwA8aRvnjeiLnyii0Qo99Dc3nQH34uK8YyBeq1/00JNBKwI1kO+W0l
2257	   oUTindkCgYEA01mNxZeU5KhZy9n4jHkJCoO4YxXRJeVtq0HUO3Ht7NP7LtRtbmnZ
2258	   L+ha7vtftJo/H8Mklj0xMBaHw3W6J0NTtYB6fcViEVvRpohis13ol/LcpP57/y+L
2259	   yEW6E9q811mta8hUhhmjhjQdytv5IT9taze+7y6I1HGN17xlW9JOmOUCgYEAyg0G
2260	   TfbMG9974aN86RsN56OFhEvMUscawnFMf9L+c/JWV8pkhIiUvATVHwsLAMXnM0mk
2261	   q2jHVunFMF6/Dt0QDE6els+p9S/qz/qn5P2i5TEse/L7YITk0K/6Xp0Ot9VDMoFx
2262	   XDd5FJj1PjikmhZ3qM6jxhrzKE9OVnv+P+JpO/8CgYBIWbjZsnlrCWKsETMvy2NX
2263	   8R2W9eoCIhc38DIaI3dCgpLTRi8sBBowd0dh1jW+GquPUPteXxZOkvfo5o1SUY7/
2264	   bDsCgSaAMMGFU90N8BDmq2HzLZb/FaSxa4U2tMO+qNlgM1UUDwTWtVKZllIjmpX3
2265	   hT7cnD6FE1ZuSvUbyNPVLQKBgQCMmbWqaTQtrT3CjYbtm5L4fzT5E9nyPHUlm7v1
2266	   Mzk4LAnje4apJ3YAxIgd2wxkFFNHwFZjpT0aAQDkIPpo+HIjbk4zefy2DwsigTV2
2267	   Rv2k6awf8Lz2tGOZyOu8DSThzfi924+r8TpDmBEIpFf+leXcxTb4M2bDxTQpQI1z
2268	   nTVHtwKBgGQPfSeoeegQEg4JwWA4gcxc7IFn0zppj+LZMI98Teyga5S0P7ju4SC9
2269	   mPD0N9TriE6nW6+Zvf/9JDC+gjwXs2m/ueq50HKYxHaeG4NGknuJg09HpgD1f37R
2270	   UVhWNjxpG4iU18Rm5UCRP3HwEJ06DWFFty+7ZKJtSkTZFOH7NdUf
2271	   -----END RSA PRIVATE KEY-----

2273	B.2.  Certificates NOT Using EKU

2275	   These certificates do not make use of the EKU specification described
2276	   in [RFC5924].  Most existing certificates fall in this category.

2278	   Fluffy's user certificate for example.com:

2280	   -----BEGIN CERTIFICATE-----
2281	   MIIEjDCCA3SgAwIBAgIJAJajhBdO74pRMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2282	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2283	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2284	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MVoYDzIxMTAxMTEyMjI0MzUxWjBiMQsw
2285	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2286	   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJmbHVmZnlAZXhhbXBsZS5jb20w
2287	   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCnWAqXQ7NkLPjAssXP8c3o
2288	   zMed3haJ8gwH4r+N1Pm+3LuWk8LJ63Vq/+gjlel2RxP39rkU/HXa+nqHqiH+M1E1
2289	   ic7hpmEHM6Gm0Tg43aVQBx5qGzneMMfdXJ9UARSg/Vb+U0AlvyWbwXDh3UZvIl1E
2290	   EVOJ80h8F8B34PcUbzZ5koaYcBV/GMWkihT6++mgTT+U1b0icP3+Jz//upaOYQiI
2291	   pGKo79p0b1yESS6jFkPEbiFJEQssroWIZWIYkY4qkbFQCw60pN+S+zwI/vBDFCea
2292	   9sUpwkCLdsVwMpqjDSseJHtzfqBAD5bEjLPJ8vGaqmPcYwFamsZ6ylJqxGizO1il
2293	   AgMBAAGjggEzMIIBLzBRBgNVHREESjBIhhZzaXA6Zmx1ZmZ5QGV4YW1wbGUuY29t
2294	   hhVpbTpmbHVmZnlAZXhhbXBsZS5jb22GF3ByZXM6Zmx1ZmZ5QGV4YW1wbGUuY29t
2295	   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFI0hoK+Qsya+/kfcfP+YSiT654kjMIGiBgNV
2296	   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
2297	   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
2298	   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
2299	   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAAOCAQEA
2300	   PlzFnchNCY8HE21bWZxYX20lENZqv4Cnmwcgdlq1iHCW/r+aUty6f4PvYEBULPxv
2301	   70HAW5v2KTyK4p9JOk+/59+60piLp4Fq6P0/T8D9oIJUPm2W0xqvsyBzcQEI8fq3
2302	   GZCc+P/4J2B9T58sD4wROMkThhSiCsIkqWMGxV2RZBUQZkgPkAWBHmueEFO3p/9m
2303	   7de94Cw7I8Wusip2YIbMzekraVC2soAjL9v5BV5sjflU6g94mBQ4LrfPGHIQLXL0
2304	   i84PwSuLJRtHLxfbF6Rv13t3s3aRyi3rOz9CA7cqf4ZhKdknek34WmDAFh0nRfZS
2305	   B4J1D+Ky/GluG6T4vqKHPA==
2306	   -----END CERTIFICATE-----

2308	   Fluffy's private key for user certificate for example.com:

2310	   -----BEGIN RSA PRIVATE KEY-----
2311	   MIIEogIBAAKCAQEAp1gKl0OzZCz4wLLFz/HN6MzHnd4WifIMB+K/jdT5vty7lpPC
2312	   yet1av/oI5XpdkcT9/a5FPx12vp6h6oh/jNRNYnO4aZhBzOhptE4ON2lUAceahs5
2313	   3jDH3VyfVAEUoP1W/lNAJb8lm8Fw4d1GbyJdRBFTifNIfBfAd+D3FG82eZKGmHAV
2314	   fxjFpIoU+vvpoE0/lNW9InD9/ic//7qWjmEIiKRiqO/adG9chEkuoxZDxG4hSREL
2315	   LK6FiGViGJGOKpGxUAsOtKTfkvs8CP7wQxQnmvbFKcJAi3bFcDKaow0rHiR7c36g
2316	   QA+WxIyzyfLxmqpj3GMBWprGespSasRosztYpQIDAQABAoIBAE4NmqMDSOEouL3o
2317	   pKthNZGoMlNIC2s8IrBq6r3U4MhNXJHXSbu0v4ew5S3z9njcnkvCIIHRX4dL3Wr5
2318	   x/ExLmeyZ3SIjik1w+hzHa4oc7roFx+Wo18nkZGGaipcdqrAf5sQaZMxnPERQP2Y
2319	   oAmmFapyCm0FtIFs8rD3lUdKuDXriPj+p8adcXeJrKixlJSjK1ct+KIEP+GK53x8
2320	   0c5+v2mUopfY4bFxJtQx0CwXQj0DQtn7y9gtKP53pyUDwE6/MBx3IxssIaBIz4ke
2321	   DgSZACdYCmCnyWCjsfLhkhvapm6+8nM3RxtFAdo3OA5EUte4+YpGHGCrHOkumdu/
2322	   QuJ1MQECgYEA1lCm83NUJPyh+QvmKNMT2gLcNJGkMUlLr1izBn0es6y7e0VRCgOR
2323	   wcC1KKx2IlW0OqO4yHGKGH0+9zSd+3ZE+9SjsYrL0p0zmgl3jtevhKm1KHiVHj5f
2324	   opgIOF6+SEED2QoeLWyQHzYATtQLXRjIL+rihDdct//IvY3ii4QJ37kCgYEAx+SQ
2325	   g1mkqzMraDmaB8SEO+CvxSHPZYw7xAuOx4OeznU8FKRyC+pxiMOBfsdUXqIRVa9W
2326	   vOcEhmfNmRSAOYJBmMa3S9vNJtn0hejnVEQBo/HKaG19cqDc03anXFNXxx1mkgvE
2327	   Dixv4WuiJladAHl6E8HNWNW609I1WHpRj7hWfk0CgYARyiARlUEm0NGhGpvAR8Ue
2328	   E56zvmMitDLUG0jBASHLSEtHsDlJ24H900E2XxpvPy32sCBmgwYzgjH30yZJ+UdA
2329	   oCX2Vs8UbHgcES0bbkvjdzLSaS/3krXdiUElbLfex4bKPUzD+H7+GD1uTaujzqrP
2330	   T2/+CZpoq5K+KUjky9EGAQKBgEpa0Q6q97/fBtR8KLme9fk3+OoBS55gbZLdIb1B
2331	   Tn9JyJF9IhcgnB7danv4NYAGFSCkWkVmQZ6lWisJHzFFLJVhxajoGAXNqVFucy47
2332	   JckQFdSGddV/1OSsDFEhh1M/snm8+q6zBOL7IJPWQAx/I1PaEUJsLlTAqqtAxLoL
2333	   PdE5AoGALjb+pyL6ZZzpawX3BbM6AKUYr3nITsatHkRFdko4JYQ27Wv17//947BL
2334	   NJxJrw411nv8O32O/A2PEd3tSOZAAl4XWgzDN2SSBIllIjkbQG02gdd6EalFZ4jL
2335	   LkjFYQOJdaurKaTZaOqcb6QQWlrplz9zbZhsXBJmNm+MO7IJWXE=
2336	   -----END RSA PRIVATE KEY-----

2338	   Kumiko's user certificate for example.net:

2340	   -----BEGIN CERTIFICATE-----
2341	   MIIEjDCCA3SgAwIBAgIJAJajhBdO74pSMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2342	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2343	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2344	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1MloYDzIxMTAxMTEyMjI0MzUyWjBiMQsw
2345	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2346	   c2UxDjAMBgNVBAoTBXNpcGl0MRswGQYDVQQDFBJrdW1pa29AZXhhbXBsZS5uZXQw
2347	   ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRSzOOvy+ileQ+vlg50lmj
2348	   LG2ZtCBwMwzoxV61qi4GYW7Ycj1Po4rGZj6SbPXBl1kOEVWLeUk6kcdw1VCx0Qy6
2349	   DhMNfdOBC/iEKGClhTs+hsV9TYl8S9gyPWPPkny6C2LSsnZlN2CAlftvj7YzMOiT
2350	   bcHejcvsA3Wa0HyJbUlj80v/iqf5e+6x2qlvEsCBfHmBQcybJlJLhIUcMTRsEo6o
2351	   pEC8ZGNzHLfyH+MFZeGkte7+n1M7PSLCywQ0ZHy5hZQd5G3xoM5FRB/MzZumLCEn
2352	   NbVi2K9tBSbcEExKPwgiANwoBG5r9fPoSUibZk/DbH4f79L+wbI8z3EjiAEqib+Z
2353	   AgMBAAGjggEzMIIBLzBRBgNVHREESjBIhhZzaXA6a3VtaWtvQGV4YW1wbGUubmV0
2354	   hhVpbTprdW1pa29AZXhhbXBsZS5uZXSGF3ByZXM6a3VtaWtvQGV4YW1wbGUubmV0
2355	   MAkGA1UdEwQCMAAwHQYDVR0OBBYEFEDMGZkS331DpFqfPXUoAIYcVUKVMIGiBgNV
2356	   HSMEgZowgZeAFLs3jkfHWjTbetn4drZ1jtDkExdFoXSkcjBwMQswCQYDVQQGEwJV
2357	   UzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNV
2358	   BAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhv
2359	   cml0eYIJAJajhBdO74pMMAsGA1UdDwQEAwIF4DANBgkqhkiG9w0BAQUFAAOCAQEA
2360	   E7CDtfPvcTa8bcfnkqQ9+26qTuiL1uCEyo3QnnrZl1+miN3DZvsmckgUn64vkKQ5
2361	   w9bPrckyhtJrY2WGLnQ7UGvUItK3asv22cgN9JaAMZfJeeH0jOJRtH6oDeWuDcgV
2362	   2hanLeJYeZU3p2scV5r1ph3xpRG2mOCgaFKhT1zxP7j8Teya2m/k1IKjZyV/khPI
2363	   nn/RMK1H56zoeqhQt3Xx//xxyxnZcqbyDOdRsnwGolm0V6s1qFy7BHq/1uRCAbyn
2364	   fHcPfciTr+DR7GC/HkgVrIcZdy0gxsc2Vnbx8JQ8KqQl1gNIHo+QmYbBv+MhSqcA
2365	   dhkXD+SMLv6W+eO16uneCA==
2366	   -----END CERTIFICATE-----

2368	   Kumiko's private key for user certificate for example.net:

2370	   -----BEGIN RSA PRIVATE KEY-----
2371	   MIIEpAIBAAKCAQEA0Uszjr8vopXkPr5YOdJZoyxtmbQgcDMM6MVetaouBmFu2HI9
2372	   T6OKxmY+kmz1wZdZDhFVi3lJOpHHcNVQsdEMug4TDX3TgQv4hChgpYU7PobFfU2J
2373	   fEvYMj1jz5J8ugti0rJ2ZTdggJX7b4+2MzDok23B3o3L7AN1mtB8iW1JY/NL/4qn
2374	   +XvusdqpbxLAgXx5gUHMmyZSS4SFHDE0bBKOqKRAvGRjcxy38h/jBWXhpLXu/p9T
2375	   Oz0iwssENGR8uYWUHeRt8aDORUQfzM2bpiwhJzW1YtivbQUm3BBMSj8IIgDcKARu
2376	   a/Xz6ElIm2ZPw2x+H+/S/sGyPM9xI4gBKom/mQIDAQABAoIBAG9e7w6U2gpQbOae
2377	   b2BFeQGFkMTrvx81azcqX92Xs2odythO4iVQx3YPzlgotxXPLcp4mubfIYKTNGfs
2378	   e0ZEEdunxae2Pyg6cIIS4mrx3LbHDKxC6FhGG8OQO16nesudZ3brFGmD8Ew8g1G4
2379	   TaIr8ncRPsro9YyfwqMhMkQG7bjLNcArDV8QiFduJFDKHSTfQjMS3V9p0SUFwGFy
2380	   /t/1IsEWNvcTO5H3flNOgergiPNx30prMD+vhgWJXPKDuKW0mIfmogFheDZXOMvZ
2381	   XvKJoNHzhSmB4mToADbTFXRXCTxeGgE7ZKqldPlHNBw0TdBpFdu0vrxkJV+t9CT+
2382	   RQPYdCkCgYEA+D6SGuR7LPMHa/6wGHRXaIZXDTTRbbTA9M54/+aByvSgSdUgTkyV
2383	   c76GLjal3X2eNGHHi75fJtpTugrMZ4EnRrqGS8U3Tip081zUy2m+sfT4eHUDACDT
2384	   kFOzJA+brPz9VLpZZYL1boNtDicMp9qN1RhDw8arqcRj9bUdPK9Fh4sCgYEA19Ub
2385	   oN8quH8TKi9QbDAc7Mm59T/IvW1qGXacpU/noRUvSfnhazCExLeFhmd2gfF8GbeA
2386	   Nt6LWCxMdd62wi+uubQ9N+qkp6SoRi5FdZQ0F+sTaslI8wgr+LOITcYQYibpnRLe
2387	   L4WjIqQuESy3bQ+uTDVMK/yAm3ZLxYWCBdelWesCgYEAzT6me/eWY8aXx1Fu9PkT
2388	   38baqH+X/BVrR7yCTEmf3Fa/Q+wjZrlpA6ZtuD3Uizk2GWcSndaLQ0tV2EbfU2B0
2389	   QcUsDe+D12vBAAkrovbOBMJewPE1xuBdK0IYpeMFulP9fBUKnqRVGcct3nqouws3
2390	   Iw2J0Y8sFRPb9aWGA8uCOBsCgYEA0M7QB/dgMVZfiDR2LfTuRvdy/R5Ua09rkm76
2391	   ZcTEZ0dDlOI3f6hVCqwydjGqqVSjp42scWkkjo1s+6wYTA4tkGQbxfkwiy/1zM//
2392	   Sx2yuGEpS+qotNd3Ewk+GWBBgXP8F4alhnxXs6/7EYqdetns2rXFl9iV49GyxMnB
2393	   XT2gLzkCgYBfcLwsNYCw5YChZSexQgP/VYDIFm5PAITnGYCVMDLMaPdeCV/IKVWN
2394	   UKqlc97IyKCmLy0RYzXpYiY1sw5Vdb63mb243AjIOxZiaHMjfG2Ke6+Iz5CfuIoD
2395	   3uxlgFG/hCv5HAjOPkYopkB/eOtHbvKh1Ud+zhyCjnnxiQKawYtL4Q==
2396	   -----END RSA PRIVATE KEY-----

2398	   Domain certificate for example.com:

2400	   -----BEGIN CERTIFICATE-----
2401	   MIIEWzCCA0OgAwIBAgIJAJajhBdO74pTMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2402	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2403	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2404	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1M1oYDzIxMTAxMTEyMjI0MzUzWjBbMQsw
2405	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2406	   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJ
2407	   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXQypMGzF6lwEjhD96RuJBYfc/pw98Y
2408	   cR1IVQhNBqzHQYvq+Q4FO+MdpNk/AFv6IRNTMr+v5NN6TK47CWeUqA9XuXiACFw2
2409	   ozotPePHCEqvtUaxtUvxqmhkkUB/QiZcTKk/eEDQsDSgcsY5HJ+iE7VEFhu5J6dF
2410	   gKdhn8RsNngTPTMwF/3yYuir1SjPCKTGBgikG0ZBqob5dmZ2SMovaCq22vkvO0x8
2411	   ZyitT+nmvAC3ojlhXohzjAjzhmW/okAy835eDFT720jrf0TMoPUXSj/NXXJNEBZP
2412	   V7rIB9WVb9I4FP3tSsq18pZAEarCxaunMHk6iI5p84m7c/4x9pliaKUCAwEAAaOC
2413	   AQkwggEFMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29thg9zaXA6ZXhhbXBsZS5jb20w
2414	   CQYDVR0TBAIwADAdBgNVHQ4EFgQUagjcipLzTuQKrLLsrLLfkHFwfekwgaIGA1Ud
2415	   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
2416	   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
2417	   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
2418	   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBi
2419	   FmTqO1oubNqemX+2FuF3YhkXMIzDEH668rel+NP2B4ypYJhA4tz+v2CWOAX3ZZQB
2420	   Nwkw0QcH4Fj0Ux1U9AtggSCcX7hSQ2r2k2EWM45wfzI6Nfrm+eWntGSTj9CQMSwK
2421	   XrhLhQB1o/7E05zuMmbmslZE+Nb1/W7HkDexwh1r0hzYLh+dUUAjbd5tGXo3tRgB
2422	   nU9EGfdMgbIMEP2iTc8rZoIcGIvDgd+2GrOLVL/1ZAGCZTu9ZKD0SHSmQkiY0hBk
2423	   sWDOjCnj2BFumv5e0cG3ny79ow93aHkbF5nSDpk1Os3dodkaPJ3oimtiB1J5r2Se
2424	   quV9K7j+tItHd7bapwBt
2425	   -----END CERTIFICATE-----

2427	   Private key for domain certificate for example.com:

2429	   -----BEGIN RSA PRIVATE KEY-----
2430	   MIIEowIBAAKCAQEA9dDKkwbMXqXASOEP3pG4kFh9z+nD3xhxHUhVCE0GrMdBi+r5
2431	   DgU74x2k2T8AW/ohE1Myv6/k03pMrjsJZ5SoD1e5eIAIXDajOi0948cISq+1RrG1
2432	   S/GqaGSRQH9CJlxMqT94QNCwNKByxjkcn6ITtUQWG7knp0WAp2GfxGw2eBM9MzAX
2433	   /fJi6KvVKM8IpMYGCKQbRkGqhvl2ZnZIyi9oKrba+S87THxnKK1P6ea8ALeiOWFe
2434	   iHOMCPOGZb+iQDLzfl4MVPvbSOt/RMyg9RdKP81dck0QFk9XusgH1ZVv0jgU/e1K
2435	   yrXylkARqsLFq6cweTqIjmnzibtz/jH2mWJopQIDAQABAoIBAClI8uz0pFh1IDFd
2436	   U2v/L29W3XKRAWuz0DOp1VY6kZdtM84LHd9D88X2UZyHH0lTXkC/pXNaWGVIUh6l
2437	   HbQ+3GcPRcA+SKksKAf6Vz2tTPA2SIziBeAGa6dy1I5vkS2eLOX0Gf9QzXdZR02R
2438	   hAQvlX3JPKlVVJqcaroyBEJaJl/ODyKEEWn5s13sjV1OUjsTtWJp56sbkQ/6tHaq
2439	   T/q3jLviNUyJJWnbXNMSMTo+L+kg9ezLngJp7QHjemk+/GcrZHMZGEiydFlVkE8R
2440	   egBanpVFve7OB0zeYRFI+2dSnt9/M7OwEp2abBj4iGCOlrNvvrJ0cp4US3cTc6U0
2441	   z2kvMGECgYEA+6+fw6RNCmrJRXE/cMqMq0d/gzlDeZ8iQ7Esx3yvMprI6nhYR/CI
2442	   gsYAEz4SkRYeUggMLRF2VEHzM3jIp0ClucpxN9gPXk/rgew+wdzDUHxchuSdYUYO
2443	   W0c6ji7TksrCFckYRqOyEQ1MYcQHUYSSt4FdXI1lHVSosv/DGOGtxfkCgYEA+gdo
2444	   g3hAKm0wDNMg/T9rsnsDeQY+H4TuGMpLU9Uy0dJ4wwRIeUc8L2fLBgFEzV2cwRGw
2445	   fDEZvt0btvzXN+JGUiKwoS+S8a+To6YN+Xk0w9SwyulqmriVsWfmNiBlStO7yhCI
2446	   HlM6Q9ZLCSnDK1rRiHoDDq/N44x6fZ+lfA7E8w0CgYEAuRA5HIUqNNeyaUJNUKVO
2447	   6/5lr1qi18IAUt/rOj/fHwmbZHTbDQK7jdUDZyLESjSGVPEf6t+lL21S420TtY+e
2448	   jE9kEpjnLAT9+Yl519h5MSxQaMufQVBe7BUi5DtgTNaUAardE8v3+fvaRyT58KHX
2449	   s+EGgjBhwkBmzz+q+BexTBkCgYBIbOzxaFvt7kME9AOSWFSyFsAixpQoPTFbLP41
2450	   AoT+EqG4m/0CZIgik0ZULvnnIz7NDnq4/uAeUZ49m3AcWAdWs4XGqyk9qUZzGR7j
2451	   LSEDuRCdNpAS0XVLNnWRKEEvM7YqCi/j2Of/zotd1CMc4+neRrmr/3D8gSzaRuyA
2452	   yyZx4QKBgEsfARDm5ldHF4Eatn0P7p+KpIKaaRELwklUKWpkc7Q4XTEkshzBZ7bn
2453	   66QPgU2JHCd4gKnTZDs1qhz7G+ZkRFk9bupiqEmGE1Tcv1cKgSXacYQJHvki+/9E
2454	   1r6h5F002P6KeKEwzliN2b3Bsu5fhZrxWQOm82+D1vcrkgmZ0UtY
2455	   -----END RSA PRIVATE KEY-----

2457	   Domain certificate for example.net:

2459	   -----BEGIN CERTIFICATE-----
2460	   MIIEWzCCA0OgAwIBAgIJAJajhBdO74pUMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
2461	   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
2462	   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
2463	   QXV0aG9yaXR5MCAXDTEwMTIwNjIyNDM1M1oYDzIxMTAxMTEyMjI0MzUzWjBbMQsw
2464	   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
2465	   c2UxDjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJ
2466	   KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKLxMPl07wMbp/bSkuEbZEWv9qP/GBID
2467	   pfthXzRVzFDnVFH7dpO/jMZKBH2iNT4b9wdkfsS6c1DmgU8AqJtegvtmTgOVol/r
2468	   EJn2J8VGOWJVN/TynBbJ2niNnSvxdhFV4xRq2BCebH9ef5sDUj8cWdTAq2/rHzYj
2469	   XQkaLXQB3Gv1IO4DwmKsh+TwZaTa8IsTPR2oUXp7+91NY6Su71j81vE5YWlyCceJ
2470	   ABQS21h8tRlTujsdcimMahzYk0h1YW5eIQL0nu8ntuRUJbSB1ggOIBWBfiwfrC+s
2471	   lddcoi2BmwLAjVA2jFJSX6VKPeGx/SBJzGLSchBhbYhqxLTdEZHl9hsCAwEAAaOC
2472	   AQkwggEFMCcGA1UdEQQgMB6CC2V4YW1wbGUubmV0hg9zaXA6ZXhhbXBsZS5uZXQw
2473	   CQYDVR0TBAIwADAdBgNVHQ4EFgQUtqDdd06cJYC0MbTmS+guXze7o8wwgaIGA1Ud
2474	   IwSBmjCBl4AUuzeOR8daNNt62fh2tnWO0OQTF0WhdKRyMHAxCzAJBgNVBAYTAlVT
2475	   MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE
2476	   ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y
2477	   aXR5ggkAlqOEF07vikwwCwYDVR0PBAQDAgXgMA0GCSqGSIb3DQEBBQUAA4IBAQBE
2478	   fQlW/9q+ne3nOldC1mJtzLYKBqSUUiI+FCmMvcIYACx0wzLl7CyAWmh2xn2gcVRL
2479	   7H7kFzdhRYHUzAMG88NzQ4V8RaXb3KKOv6X5yBMfaTJh4nQSkdVGZ6JkJaQpvrd3
2480	   fvAWlT1rJc19vIymXrtYhqoYcgnm0bk1ewwBmxh7SpIRIpX6W/4dP/AWryXBphYm
2481	   Ha3eghCol5H+g9wRtsA08CKPak/LRTupULY0embxqpZhHTyA++8Vp3W6dfegZVRx
2482	   tBigKs6tXY7tkvkbKq4X6zBNEF9A9verJ7u/K5fwkpxHy5QqBS5cK1i1cwlHPveU
2483	   qg7Qj2kcWHF55LrBaWFh
2484	   -----END CERTIFICATE-----

2486	   Private key for domain certificate for example.net:

2488	   -----BEGIN RSA PRIVATE KEY-----
2489	   MIIEpAIBAAKCAQEAovEw+XTvAxun9tKS4RtkRa/2o/8YEgOl+2FfNFXMUOdUUft2
2490	   k7+MxkoEfaI1Phv3B2R+xLpzUOaBTwCom16C+2ZOA5WiX+sQmfYnxUY5YlU39PKc
2491	   FsnaeI2dK/F2EVXjFGrYEJ5sf15/mwNSPxxZ1MCrb+sfNiNdCRotdAHca/Ug7gPC
2492	   YqyH5PBlpNrwixM9HahRenv73U1jpK7vWPzW8TlhaXIJx4kAFBLbWHy1GVO6Ox1y
2493	   KYxqHNiTSHVhbl4hAvSe7ye25FQltIHWCA4gFYF+LB+sL6yV11yiLYGbAsCNUDaM
2494	   UlJfpUo94bH9IEnMYtJyEGFtiGrEtN0RkeX2GwIDAQABAoIBAQCE4NaEiHSl/zbB
2495	   lUXMp67lGbO0V8KEZk9Eqkqefl2JmKzt0nkH0kz2I8R3xAFRbjLM54pt2nNSBThs
2496	   eegGFFQSuoJib/Oj7ylxtQkH2tXPOBnS+sqJ1wEAENSc0mPrjTQLIXqkSt3GHQVJ
2497	   H7NB3lfvpVPpiD/CwaIMWzm4AhCERGza2t6wpAy5gFhylKpVKooHz7kOrEYdRml1
2498	   nS/kCzPEhUoWMQR7vbvwFuSGXM92xzmI1/5cBAVE+C10jVc/rdWaZ62DYudx/g5i
2499	   hIZNlwhP3XipkO3BsbiECJxRTWL4QkkTOGaz36UouP9ZYO5QMSr7XiJMhSrInc4n
2500	   ieU4E9qZAoGBANKD1ZZ70tHaQEL8cejQNfV1fId+RPOQ0aENlAarpoyoldJll3zN
2501	   E1Hgi80Evs7Zh7hlunXmW3MpOEUgkJutv+ZpAo5blSdqQGtLiBDItPPrjYAh+HPZ
2502	   MvbCIRyh5ABxW37JaDPPiBplDGtonj37S+ZZw3FZgdgRs/BvIsUV1rqlAoGBAMYl
2503	   +PUEDSThCLseQeRKLRbnJV7+mUpEtipeoNWFWZYpupwgsFfQzN568SpN2nLO3rrL
2504	   DCC88ODWH2QJp9D1+luc2NE0b9fzGlTsFRfl2dTkHwNp8LG8k2jclLbKnpqEV0KR
2505	   M+mkEu8otmA01n51y9ok5H+JB/d1PuE8t7G2ENG/AoGBAIil9QYquE1qG56f2Z0j
2506	   UnNT4RLenwlvrvOZKcYus/zIDgC122CyieDzHixl8Sm6QIQs3J1de21Ei3crzVKQ
2507	   tWluLq+TuT0NlmVPcTJb5kITXBWZd3pTueY9W1sHp0W2T4r8V/yRsSpY/3fVQCrB
2508	   raIIEHrKfCNyUlg2+93s8CbVAoGAbEIG2ObTv5hrSsBnQ7D7HY5ALrxvR9JurIty
2509	   1/W5Un+OAwshDXl41PzakkBi32MC8Y9KGwDfoheaou9bjqE1naP+GZ7KlHOvqUIq
2510	   7Bmaf+P6xcS1yoW7DAmn/o6JROaVPjtS343TAnN94OY9Ym49Z/vME5nsjliyeCDS
2511	   Q/ezDMUCgYA9OJnERsdz8Eh7oFRYo5e2lGRb7PrhEXvWGtQTRGkciCZi+qoOUpnm
2512	   NIo24QE08RksQBHUvPQva9bX19lNcoC0mhnRtqR4I7CUug9pb/jOEU9KtDJWwqem
2513	   PYfdA6oLGdAKQrlatklXiotbPhxtW6uyXM6szyDZrlqmMz37UZ3mIw==
2514	   -----END RSA PRIVATE KEY-----

2516	B.3.  Certificate Chaining with a Non-Root CA

2518	   Following is a certificate for a non-root CA in example.net.  The
2519	   certificate was signed by the root CA shown in Section 2.1.  As
2520	   indicated in Sections 4.2.1.9 and 4.2.1.3 [RFC5280], "cA" is set in
2521	   Basic Constraints, and "keyCertSign" is set in Key Usage.  This
2522	   identifies the certificate holder as a signing authority.

2524	   Version: 3 (0x2)
2525	   Serial Number:
2526	       49:02:11:01:84:01:5c
2527	   Signature Algorithm: sha1WithRSAEncryption
2528	   Issuer: C=US, ST=California, L=San Jose, O=sipit,
2529	            OU=Sipit Test Certificate Authority
2530	   Validity
2531	       Not Before: Dec  7 01:58:47 2010 GMT
2532	       Not After : Nov 13 01:58:47 2110 GMT
2533	   Subject: C=US, ST=California, L=San Jose, O=sipit,
2534	            OU=Test CA for example.net, CN=example.net
2535	   Subject Public Key Info:

2537	       Public Key Algorithm: rsaEncryption
2538	       RSA Public Key: (2048 bit)
2539	           Modulus (2048 bit):
2540	               00:c0:a8:7e:1a:37:6a:40:3d:f6:a4:18:be:27:bd:
2541	               c6:20:63:af:9e:42:b6:09:13:85:6d:c1:0d:17:9a:
2542	               5b:98:5c:9a:d8:dc:55:b1:a0:b8:b5:51:0f:6c:98:
2543	               19:86:7f:46:24:2f:54:b1:b1:c3:75:4d:13:8a:1c:
2544	               03:83:ce:e7:3d:2b:a4:a9:8f:74:7d:9e:7e:2c:42:
2545	               2d:a9:df:84:56:ea:78:74:81:af:74:4d:c0:95:2c:
2546	               c4:c2:8b:55:a6:4e:7c:d6:f2:54:7c:10:c5:b1:ae:
2547	               88:82:38:53:97:1e:16:1a:85:db:da:9c:d5:31:7c:
2548	               df:b7:22:df:5f:2a:df:78:36:b3:98:0a:b7:d9:2a:
2549	               5f:9c:39:0e:95:23:98:cc:4d:f5:d0:63:39:83:04:
2550	               40:96:1c:3c:73:8e:78:59:09:bf:e9:45:7a:f5:76:
2551	               48:3c:86:c0:94:3b:1c:d8:d7:d1:40:7c:d2:cf:47:
2552	               c8:e4:ea:f9:d4:36:a8:1d:77:e1:25:9c:69:5d:a8:
2553	               cf:09:1a:04:78:71:95:97:99:7f:1b:51:3c:0a:25:
2554	               2e:d3:a3:20:d4:72:b9:55:80:10:a6:3e:56:2e:82:
2555	               5c:b2:77:c8:0d:40:4f:e3:65:f5:97:7a:8e:12:e9:
2556	               8a:31:42:00:5a:99:46:5e:a2:7d:b4:e2:24:d6:a7:
2557	               5e:b9
2558	           Exponent: 65537 (0x10001)
2559	   X509v3 extensions:
2560	       X509v3 Basic Constraints:
2561	           CA:TRUE
2562	       X509v3 Subject Key Identifier:
2563	           8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2
2564	       X509v3 Authority Key Identifier:
2565	           BB:37:8E:47:C7:5A:34:DB:7A:D9:F8:76:B6:75:8E:D0:E4:13:17:45

2567	       X509v3 Key Usage:
2568	           Certificate Sign
2569	       Signature Algorithm: sha1WithRSAEncryption
2570	   c1:80:06:29:01:35:68:dc:67:ab:1c:c5:de:ad:d5:24:29:24:
2571	   12:4b:5f:67:51:a4:85:e0:70:92:d7:4b:5b:2c:17:5e:42:a1:
2572	   56:b6:89:a5:92:64:d4:30:0a:df:24:8a:88:06:ee:5c:4e:51:
2573	   3a:a1:7c:70:f4:4b:ff:18:3b:8f:6d:a8:6a:ec:84:73:b5:4c:
2574	   ef:6f:a3:f3:ac:63:46:aa:72:0c:cb:4c:ac:99:5c:ca:0f:ba:
2575	   73:c3:1f:57:e9:05:a8:57:3b:5f:dd:66:2a:a7:a8:9b:e5:99:
2576	   3f:6a:2e:48:5a:86:38:bd:5a:5d:2d:12:d1:43:6a:7a:34:d5:
2577	   9b:3e:64:d8:2f:40:0e:67:2f:34:ee:83:9a:f1:e4:99:84:66:
2578	   4d:3d:6e:99:6b:74:0b:13:28:75:7b:ee:55:e8:48:15:9e:fe:
2579	   e6:bb:de:48:f7:53:59:37:85:52:a0:72:80:35:0d:24:14:ae:
2580	   9b:87:32:da:25:16:7f:01:84:aa:c9:0b:2d:ec:21:c1:51:35:
2581	   37:80:e8:ae:eb:0c:e7:c2:7e:5d:a4:61:eb:b1:19:d0:4a:2b:
2582	   2b:42:3a:95:7c:5a:49:a8:7b:27:f3:af:b6:15:94:f4:8b:a6:
2583	   11:80:80:2f:ff:9d:9a:cd:c4:de:20:48:c0:f9:f3:0e:e4:8f:
2584	   07:a2:13:17
2585	   Robert's certificate was signed by the non-root CA in example.net:

2587	Version: 3 (0x2)
2588	Serial Number:
2589	    49:02:11:01:84:01:5d
2590	Signature Algorithm: sha1WithRSAEncryption
2591	Issuer: C=US, ST=California, L=San Jose, O=sipit,
2592	         OU=Test CA for example.net,
2593	         CN=example.net
2594	Validity
2595	    Not Before: Dec  7 01:58:48 2010 GMT
2596	    Not After : Nov 13 01:58:48 2110 GMT
2597	Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
2598	Subject Public Key Info:
2599	    Public Key Algorithm: rsaEncryption
2600	    RSA Public Key: (2048 bit)
2601	        Modulus (2048 bit):
2602	            00:c9:74:33:f2:e2:2e:ba:0d:0f:c9:08:17:56:9b:
2603	            50:c2:9f:e9:68:af:bf:be:13:f4:d7:68:ef:67:d5:
2604	            77:53:d9:f8:64:92:08:6b:64:4e:a0:ea:ff:16:56:
2605	            96:dd:e1:94:9d:75:a9:35:e9:82:27:90:42:80:1f:
2606	            75:27:90:c2:6f:45:3d:3d:59:da:2f:12:16:ef:e5:
2607	            1f:e3:7f:f8:20:ea:2b:1b:5a:08:fd:53:a1:ed:29:
2608	            8a:13:fe:27:77:14:d6:14:f9:8e:e3:e3:da:49:b0:
2609	            e6:f1:84:d3:b0:82:58:79:9d:8d:a5:44:52:19:92:
2610	            de:da:1d:a9:cd:d6:39:01:29:02:d9:51:31:d5:c1:
2611	            d2:90:dc:58:11:c3:fb:da:21:fb:8a:71:18:a6:86:
2612	            7a:7d:21:29:83:bc:47:89:e3:7e:0c:a9:f0:dc:4d:
2613	            52:fd:6b:97:69:ec:72:1c:f7:db:8f:42:c8:54:17:
2614	            6e:12:09:e2:96:cd:c7:e6:43:7d:65:50:7d:06:17:
2615	            4e:cf:60:81:54:2d:07:b5:1f:71:ae:7a:ee:55:2f:
2616	            c9:e6:e4:62:eb:89:a5:15:ee:62:31:ad:c8:c0:48:
2617	            d6:de:04:81:88:72:ae:60:7d:6d:a4:95:00:aa:17:
2618	            3f:cc:e0:ff:c2:59:8c:2c:40:1b:8b:3d:1e:e2:39:
2619	            2a:97
2620	        Exponent: 65537 (0x10001)
2621	X509v3 extensions:
2622	    X509v3 Subject Alternative Name:
2623	        URI:sip:robert@example.net, URI:im:robert@example.net,
2624	           URI:pres:robert@example.net
2625	    X509v3 Basic Constraints:
2626	        CA:FALSE
2627	    X509v3 Subject Key Identifier:
2628	        1F:9D:AA:DA:A2:0C:D2:DF:D8:A0:5C:CF:CD:CA:E4:2F:31:0C:4F:D3
2629	    X509v3 Authority Key Identifier:
2630	        8F:65:F4:D6:05:98:B2:0F:34:5F:48:89:CC:81:DE:A5:C1:E8:A4:B2

2632	    X509v3 Key Usage:

2634	        Digital Signature, Non Repudiation, Key Encipherment
2635	    X509v3 Extended Key Usage:
2636	        E-mail Protection, 1.3.6.1.5.5.7.3.20
2637	    Signature Algorithm: sha1WithRSAEncryption
2638	46:f4:fa:a0:78:ea:66:da:87:3f:b7:c5:f4:4d:38:5a:fc:05:
2639	78:6f:6a:0b:81:b1:09:b5:79:9e:a1:05:d1:2b:b0:4b:9b:f4:
2640	ff:b9:1a:c3:15:e5:8b:83:8d:00:59:b1:bc:a4:1a:3f:e1:6c:
2641	3b:78:66:aa:b8:73:60:4d:a6:6b:22:4c:26:19:a9:71:fc:c0:
2642	04:0b:d2:42:02:12:ed:3f:29:74:4e:88:e6:46:e0:c0:46:61:
2643	27:e9:66:a3:e5:e6:e4:55:0e:03:4c:9a:55:f9:49:f6:ae:0f:
2644	8d:91:1e:fc:e4:5d:8d:51:8f:c8:07:7a:ec:04:38:8f:53:14:
2645	3d:71:ff:0c:b6:9e:c1:a4:3a:7f:2f:d3:84:e0:6a:f1:82:21:
2646	23:20:10:e7:90:94:4a:47:b3:5a:a0:9e:66:9a:97:3b:73:8f:
2647	18:43:37:8c:c2:73:cb:a4:be:86:d6:77:0c:51:65:03:41:cb:
2648	03:98:f0:2b:2f:5d:eb:64:e4:52:37:ec:5f:ff:a9:16:bf:d7:
2649	a3:43:ca:ac:86:ce:56:7e:35:f0:9f:f4:f4:77:78:ce:04:15:
2650	7b:b8:95:0c:04:52:f5:9c:98:20:9d:18:04:95:f2:15:e5:f6:
2651	31:6e:b9:1b:64:a9:c4:ac:3b:e9:f2:a7:24:1b:4e:30:fc:67:
2652	cc:97:65:5d

2654	   Certificate for CA for example.net in PEM format:

2656	   -----BEGIN CERTIFICATE-----
2657	   MIIDzTCCArWgAwIBAgIHSQIRAYQBXDANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQG
2658	   EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
2659	   BgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1
2660	   dGhvcml0eTAgFw0xMDEyMDcwMTU4NDdaGA8yMTEwMTExMzAxNTg0N1owfTELMAkG
2661	   A1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3Nl
2662	   MQ4wDAYDVQQKEwVzaXBpdDEgMB4GA1UECxMXVGVzdCBDQSBmb3IgZXhhbXBsZS5u
2663	   ZXQxFDASBgNVBAMTC2V4YW1wbGUubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
2664	   MIIBCgKCAQEAwKh+GjdqQD32pBi+J73GIGOvnkK2CROFbcENF5pbmFya2NxVsaC4
2665	   tVEPbJgZhn9GJC9UsbHDdU0TihwDg87nPSukqY90fZ5+LEItqd+EVup4dIGvdE3A
2666	   lSzEwotVpk581vJUfBDFsa6IgjhTlx4WGoXb2pzVMXzftyLfXyrfeDazmAq32Spf
2667	   nDkOlSOYzE310GM5gwRAlhw8c454WQm/6UV69XZIPIbAlDsc2NfRQHzSz0fI5Or5
2668	   1DaoHXfhJZxpXajPCRoEeHGVl5l/G1E8CiUu06Mg1HK5VYAQpj5WLoJcsnfIDUBP
2669	   42X1l3qOEumKMUIAWplGXqJ9tOIk1qdeuQIDAQABo10wWzAMBgNVHRMEBTADAQH/
2670	   MB0GA1UdDgQWBBSPZfTWBZiyDzRfSInMgd6lweiksjAfBgNVHSMEGDAWgBS7N45H
2671	   x1o023rZ+Ha2dY7Q5BMXRTALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADggEB
2672	   AMGABikBNWjcZ6scxd6t1SQpJBJLX2dRpIXgcJLXS1ssF15CoVa2iaWSZNQwCt8k
2673	   iogG7lxOUTqhfHD0S/8YO49tqGrshHO1TO9vo/OsY0aqcgzLTKyZXMoPunPDH1fp
2674	   BahXO1/dZiqnqJvlmT9qLkhahji9Wl0tEtFDano01Zs+ZNgvQA5nLzTug5rx5JmE
2675	   Zk09bplrdAsTKHV77lXoSBWe/ua73kj3U1k3hVKgcoA1DSQUrpuHMtolFn8BhKrJ
2676	   Cy3sIcFRNTeA6K7rDOfCfl2kYeuxGdBKKytCOpV8Wkmoeyfzr7YVlPSLphGAgC//
2677	   nZrNxN4gSMD58w7kjweiExc=
2678	   -----END CERTIFICATE-----

2680	   Private key for CA for example.net:

2682	   -----BEGIN RSA PRIVATE KEY-----
2683	   MIIEowIBAAKCAQEAwKh+GjdqQD32pBi+J73GIGOvnkK2CROFbcENF5pbmFya2NxV
2684	   saC4tVEPbJgZhn9GJC9UsbHDdU0TihwDg87nPSukqY90fZ5+LEItqd+EVup4dIGv
2685	   dE3AlSzEwotVpk581vJUfBDFsa6IgjhTlx4WGoXb2pzVMXzftyLfXyrfeDazmAq3
2686	   2SpfnDkOlSOYzE310GM5gwRAlhw8c454WQm/6UV69XZIPIbAlDsc2NfRQHzSz0fI
2687	   5Or51DaoHXfhJZxpXajPCRoEeHGVl5l/G1E8CiUu06Mg1HK5VYAQpj5WLoJcsnfI
2688	   DUBP42X1l3qOEumKMUIAWplGXqJ9tOIk1qdeuQIDAQABAoIBAFuG8LnFv92bUnRt
2689	   KNG6j8jNcx5ttQuk0Yvt3ilrdL5yqEIEk1Wa9IV3aCuAKwhBqPIB5muw9xngLzs6
2690	   ydSx1Bu0gzrm40HWrTybiBQfE0EzjVxUTCWl1qtIJIYEKgGjYh2/7LEwSqt6LnIn
2691	   DldJvNiG5Yb7YTFskN/xWktdE+OIzJ3emJW9JwAMHbT4HZkhMg4YAqMa0xi48/s4
2692	   eq/oBRs6Ukn1YSi9Mae9f3ZQ4wGnWbpDbBVE/ViLKrd6jCWEK+D8LMxWoHBbfF4F
2693	   cmG52ByEjYYaNhpYbjV3ScjFOfs1OcGB/AWIpmxXhys+P7aaeTyRJeIRGMRzBXE3
2694	   yu91Kp0CgYEA/BLVqM4nhjsZgjQRBHrLViQXYldzro3L+oI9nFe6vxjZhqZeNfHc
2695	   lYD7KkdknCf8wknpmMuC+zsQdfiCytwSOFa0Pm/5MaPmL8UzgtCfg6tQovKxtBUm
2696	   a12+tpRgK1zvKivz9Vhbaa0QANW6ZEwORk00dIY09E+3MAsrFpP0IOsCgYEAw6i7
2697	   4Blxf4qWTfBMK+9QQsinfwjrqcYbg6Uwvne0C+EXyXwyIpIc/SVtjgLwYWJyxBkn
2698	   T0fUGICPeLXwMqloohtJ3UQ4wI1jxMsCEtPbJ0s/YtYEkp9kLWzJbI2OICi2eJ06
2699	   GROgHtSuL1eheEi7106vKMIGBVT3X+GqZGUVtesCgYEAmkY0ueGiUwbsr8GKAMHe
2700	   nNPt8+QuCtEB3EnFx1/yDW76AuzjkAR8yotsLQ4Qx3m5undeHoO/oF8fzfPQqLNT
2701	   +2MlYWlKjFURVn9M7W0dk4pQCcqbc+nV37Q6OqhIy4FPZvILl0cCe4TN3JTyRNw/
2702	   iEtMJVzWIAiBx0eukVzv9w0CgYBu8wDOfD8TDthai9f11ffSVww8CifwlslFZmf0
2703	   qdZsIhEmDQo09lv/5LhyHhKHdpcTwhu7ZkTMPCKfVbRGVjBiNE03bpcsAUFA98lO
2704	   Odp9NrtT5X6kUkQxSg4SQ1cDv3JxhN7MF4fl076OVAfZOI1j81d6KkPVxC+erE2+
2705	   LmAYTwKBgAZtrPmLR6jW1PsNDrRW4krw2oXZoM6sBehL0ZUwsKUkbn+ksvWgDAP1
2706	   NjxUvJ77VlCkUG5ftfl4RD+Ttd6bC8zLEqZBCV9owyCerQ5dwfU+4mAdRaY7nsry
2707	   Jx+kwbiQpcFImLnrXtO/J47UzivrAc52M5u5wAw009j0YngCPT5R
2708	   -----END RSA PRIVATE KEY-----

2710	   Robert's certificate:

2712	   -----BEGIN CERTIFICATE-----
2713	   MIIEMDCCAxigAwIBAgIHSQIRAYQBXTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQG
2714	   EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
2715	   BgNVBAoTBXNpcGl0MSAwHgYDVQQLExdUZXN0IENBIGZvciBleGFtcGxlLm5ldDEU
2716	   MBIGA1UEAxMLZXhhbXBsZS5uZXQwIBcNMTAxMjA3MDE1ODQ4WhgPMjExMDExMTMw
2717	   MTU4NDhaMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYD
2718	   VQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxGzAZBgNVBAMUEnJvYmVydEBl
2719	   eGFtcGxlLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMl0M/Li
2720	   LroND8kIF1abUMKf6Wivv74T9Ndo72fVd1PZ+GSSCGtkTqDq/xZWlt3hlJ11qTXp
2721	   gieQQoAfdSeQwm9FPT1Z2i8SFu/lH+N/+CDqKxtaCP1Toe0pihP+J3cU1hT5juPj
2722	   2kmw5vGE07CCWHmdjaVEUhmS3todqc3WOQEpAtlRMdXB0pDcWBHD+9oh+4pxGKaG
2723	   en0hKYO8R4njfgyp8NxNUv1rl2nschz3249CyFQXbhIJ4pbNx+ZDfWVQfQYXTs9g
2724	   gVQtB7Ufca567lUvyebkYuuJpRXuYjGtyMBI1t4EgYhyrmB9baSVAKoXP8zg/8JZ
2725	   jCxAG4s9HuI5KpcCAwEAAaOBzTCByjBRBgNVHREESjBIhhZzaXA6cm9iZXJ0QGV4
2726	   YW1wbGUubmV0hhVpbTpyb2JlcnRAZXhhbXBsZS5uZXSGF3ByZXM6cm9iZXJ0QGV4
2727	   YW1wbGUubmV0MAkGA1UdEwQCMAAwHQYDVR0OBBYEFB+dqtqiDNLf2KBcz83K5C8x
2728	   DE/TMB8GA1UdIwQYMBaAFI9l9NYFmLIPNF9IicyB3qXB6KSyMAsGA1UdDwQEAwIF
2729	   4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQAD
2730	   ggEBAEb0+qB46mbahz+3xfRNOFr8BXhvaguBsQm1eZ6hBdErsEub9P+5GsMV5YuD
2731	   jQBZsbykGj/hbDt4Zqq4c2BNpmsiTCYZqXH8wAQL0kICEu0/KXROiOZG4MBGYSfp
2732	   ZqPl5uRVDgNMmlX5SfauD42RHvzkXY1Rj8gHeuwEOI9TFD1x/wy2nsGkOn8v04Tg
2733	   avGCISMgEOeQlEpHs1qgnmaalztzjxhDN4zCc8ukvobWdwxRZQNBywOY8CsvXetk
2734	   5FI37F//qRa/16NDyqyGzlZ+NfCf9PR3eM4EFXu4lQwEUvWcmCCdGASV8hXl9jFu
2735	   uRtkqcSsO+nypyQbTjD8Z8yXZV0=
2736	   -----END CERTIFICATE-----

2738	   Robert's private key:

2740	   -----BEGIN RSA PRIVATE KEY-----
2741	   MIIEpAIBAAKCAQEAyXQz8uIuug0PyQgXVptQwp/paK+/vhP012jvZ9V3U9n4ZJII
2742	   a2ROoOr/FlaW3eGUnXWpNemCJ5BCgB91J5DCb0U9PVnaLxIW7+Uf43/4IOorG1oI
2743	   /VOh7SmKE/4ndxTWFPmO4+PaSbDm8YTTsIJYeZ2NpURSGZLe2h2pzdY5ASkC2VEx
2744	   1cHSkNxYEcP72iH7inEYpoZ6fSEpg7xHieN+DKnw3E1S/WuXaexyHPfbj0LIVBdu
2745	   Egnils3H5kN9ZVB9BhdOz2CBVC0HtR9xrnruVS/J5uRi64mlFe5iMa3IwEjW3gSB
2746	   iHKuYH1tpJUAqhc/zOD/wlmMLEAbiz0e4jkqlwIDAQABAoIBACcWcO3zjPV0i1eK
2747	   Rlz7jdP1iyhQ0XdkD+Gr7qfK93hBlryMyS1tLQR0FEKVUniCyH800TwwrpxWlVCe
2748	   yfB/WfqVCKjawkbXz7OEVYei0NYyGWMZOR1OGOEXaj8u1SF53X/8XAlDsJsTw/ug
2749	   tiJNaDVQqKckdnmX0b2oe8YAhtb+cdpAQeILHzn5Zbi/6pE1dSFRYA7krVK3Llv8
2750	   oLUJtlHJIXXdyajsBFxpT+i34PonkUDM8Gv51Or95L3z2nrBKG6IK/QvAdDnbcnK
2751	   s2IPmxaE4Dmql3+NbqOYkyaYpaPl5jot0fYuzE8WiUbnLklsPiZhnpUqOm9UOMof
2752	   RWDa76ECgYEA75U44AL7amX/yuUAugXp642I8UI05MzWE1r+uc49MqsPikr1emr2
2753	   MWq+2jejUl7hA8B1UwaND6YQxJ7IsN/Gw9e1uo/hUM0BXAmj8wvLfC7U2F2RoelV
2754	   xCxtJm8ltWv1mT7wzphYbddE3MF/WEYGMeQBPp8ZGsi5YthqCFBW2t0CgYEA10Ie
2755	   rb2TaCU2RCw/H6mJ1RDT1T9XYN/LggDmNOBnAxOpor4h0ifiuvIZSzEcnXD0bBGJ
2756	   HgGJh4yVuGQOKEWGcCXp3R6ARtYQPJi1nNF+I6wdH3eM3z5/7xB/FZsoPesA0Tp+
2757	   9cbGsaP6yxSFFdEhu3npE4r0wRSiqZevbJJcYgMCgYEAkeYHmrN2M9clrINErAQJ
2758	   7b5lVLaCy4rKG0Ngt/oWXpK5hfgcAY69ml5tFyqmtPS+hrBfQk5M/OiecX5YrQ25
2759	   V243ZwNTrQcK+ueMBeh65IcIazKgCz+zUSHU3oD1L8Qs7kPcFZPE1i8v6leTm0gZ
2760	   Yax97YqpmRv/eWhdOe7i1akCgYEAzJEvqpmBHvZOThdmneZ28J+fUQdzOMM2GgRU
2761	   wmeIPipPijP63Ee/dz5gv06bDRytjI5Vqsh3NPRrzOJ5edgo3SeKyvMToT4KDCxs
2762	   W+3TXH9S5fatT/OLjVw2Cgh8A+vzyOM4iMYxSdy2mIyVtZgb4JkI4eOqmlvMAjP/
2763	   KMUnOpUCgYA7Ah+UVDuxnW1znWnYcvo/CnSkpAFf9XPQzr/fFY8oAXTsEJdRzS1A
2764	   eXPplLGDPQLAR426MLBbGXgSgMp3SqEPHH5nn8hH6WUsnNvQDOeEIJKmGXhU/xQ3
2765	   QEA9FUXAvpAO1iSPESE/oPvwWv2DWieiUwDoX9F8scoF1j8ChBX33A==
2766	   -----END RSA PRIVATE KEY-----

2768	Appendix C.  Message Dumps

2770	   This section contains a base64 encoded gzipped, compressed tar file
2771	   of various CMS messages used in this document.  Saving the data in a
2772	   file foo.tgz.b64 then running a command like "openssl base64 -d -in
2773	   foo.tgz.b64 | tar xfz -" would recover the CMS messages and allow
2774	   them to be used as test vectors.

2776	   -- BEGIN MESSAGE ARCHIVE --
2777	   H4sIAOaV/UwCA+ycCVgTV9fHCQgIQl1wRYsBrZUlODOZJQFRg2E3CUsAEwXN
2778	   MiEJ2UyCLK6AoqLVqmVTK1DBomjFDZWq4IJbQRHRun9IUXErVoG6Ud5QW0UK
2779	   4vd+0FY+Lg/PJHdmztwM99zf/5wzQSDXkDRyiRwnyTVhjkKeVq/zGwAAKAwT
2780	   m7cYiryzbW4QDENEEIQxjAxCGIwQARBGAESPCOj9DS1Co+WpdUPhqyU8xXuO
2781	   62j/689CfLP9SBrDLSCA5uFG1EhUTuERckm4chIexZOrZLijAtcSA7x8x0GO
2782	   gLlpkITn9Oe7cezJvkSQqnvlCDlCTiACAKAzX81TCMQuMVSxB8z3IQkpGALH
2783	   kMggzgchhIoJyFQeCCAkkET6c5+zWqVUa10QChnEzE0ZvCiSu1IdyVMLNU5E
2784	   THdJttKJOL7tcU0wN3VXK+V/7BfJIkSi6Df7BUr5BGctL8wFFeh+ABQ0N53M
2785	   k8lIXnQnIovNAFgeQTIW3YvMgbxABuQv5Ur9wxlSsYThwYhkSjkQ18NdzPLw
2786	   ctSdFoDPciJSYIxM/OM+mZvSBAJcpXUiyiNkWomKp9aO00jCFLjQgajFo7Tj
2787	   VDKeROFA5KlUMomAp5UoFeNU4QINRmr2sXf7NUKVQwszPJkWVyt0u2bjuisr
2788	   FVpcoSWxo1X4X6/lzFdGKIQ8dbQLovMkmE9GBCJQJAQAgbNcZ10W5qIR80Bn
2789	   lVqpVQqUMhebvw6n2RBPG6HGbd5ebAquCNOKdTe/+e6bm5JIra23HtfbT9xi
2790	   j24eaES4muSmECiFEkWYE5EvUejG2mzSE5fJlNYfYvo9I3ZW8OS4y++LlqMK
2791	   07w9ky7RqJQaSfM5OgNaLU8gluv6ncU8hVCmG4mLGp8VIVHr7p9IIsPbs/Le
2792	   DwDEESqMTOwSPBN+NScY62fEEYp1XUf0CQTQBDA2MrT/xEDfEujz9hACGEf4
2793	   RnfIRt0hwDxABfYBTIwMAnsZWegHBoAWQP/mN70tfp+iEpFSrZDwwP5A3+Ze
2794	   Y4veATwF0VupwcFPALPmLnNTC0PdjJdoQVvg8+aOPhbEgOb3RDau0RIn42qt
2795	   RNR823AiLUIrVqol2mh9E73kTYuGMGsTGW9HaP5mhASCoV6vOIJe38R1hx/n
2796	   rF/tcsT7Nv/IyxCJiok+G18cc9FIyreSOQ4xH796L/Vk7LnIfTxnx5TZRU4p
2797	   g76FnCdE5zamVDrS7i5vIA67NXyfpmrwMzqBwVFcG+71wnP+4WSItWaCPXp+
2798	   jD22nlB6kvoi25aW/ejQ01nX4rike07ldwr7PaXtkBLjKiS+L1VXl246trq4
2799	   31mXhYHfrUizYucbTTgj/PJFFWtz3qQJmV+X18wtnCRRLNyhUTgsuLGpd5P/
2800	   LzQ/RgLMHXFpzfglp8xN/aEvtja4DZ+eIb0rtLIdsCjAx7GP+pPQaet8vH9r
2801	   EE6ISpy2wa2I33SnYdlnepphPpW9y+t/g8o9Hv7C0M4d09asJJHMTfW6dZPj
2802	   Gg0vDCdpZRqSGteoukICdMB/AMaAVvxHIAjs4f/f0f5AOhHSjZnl05rzUwI+
2803	   lPN8AR8ToBREhFAQFKO2w3nkLdU1bWDdCdHR+jW7yQifotOBopag17RB+tej
2804	   en0OXzdtAD4Kt+A9l+4HcqVMMUPqF8WVcmUcKTOcKw2M5ki9xQw6DWGwaVEc
2805	   qb+YIXd7w3uYDFDe8r41HH9HY/dZFVr4fxep/479H4PB1vofQsg9/v836/92
2806	   PbK9KKALVof2o4D214t/fIn4J0KCtqT3n0sU2lJqd/D3Vyjx8AiSoEuzAB3H
2807	   /+TW/Eehnvi/O8T/IEWAoEIyiCIQhuoUddueD4FdEv8LEQDEqAivZfxP50As
2808	   Oi2KyxbEcOliMVPqLmZ6uJFZdAHMifHXxf1BUoZUEMNh0z6K+B8HACoAQlQ+
2809	   hAkpQqiT4//W1jsx/u/IdE/83/nxv9/74v+hkrLyb58ZL+XjMxZed517Y0+8
2810	   Pt9sBnlB4Cj6Ot+zE8uC2J+FVni65m/+PCbB3NTM4LnKy+7eyIOlg1hfSkbj
2811	   /rbQiJB+B441kg6NsM7nrd8T8mIVTfDDjQR6PsAKMuaGF94R2vMezPspZbf3
2812	   uN3MfffoU71W5pqb4nXq/vU3E2sGF5y8k7l28/75qU94WRL+6a2DPGrmXJq+
2813	   JR5mzS0J4Cv3L00zSSkZC9yOUxkcrHmwetStCXqjVlCqFdkSjeW8PargIell
2814	   M65eOWjTKK/eXrGrYVD6LpunQy2SDHwZEtJGopy4c4f+hbW5524GX/s0L3WY
2815	   wtX1K8lQcLYlarX26fywnJWpm4HItqZlt08AvOb/a/bjCoE6WqXFhZ2sADri
2816	   P0RGW/Ffh3+4h//dgP8oWQRjVDKG8UUiRASL2uE/1DX5fxFMxagwtQX/GWwd
2817	   53WCnikPhDhQkJQrZ0BMdpBO9AciDJ024Ehp0Qw2B2HGhL/hPxlCgX+K//8H
2818	   pH0Q0TqCbrMt59erg1Z3iAuumI3LlCpcSNItEbx3SSz/q5JAUOQ1NfXBt0g0
2819	   yIjTt9F1WekT9HR0TNPRMUn38p+mo38bUDy4av78suFHK5KS0JtrC79KFy1O
2820	   P5d5pzEtfYvj1Spzrb9BYqVeZCFnwznrTwe6ThSrf7W3cixRGHDmHY2XTRY3
2821	   ns98+tztyOPHnOgXuN4sxgnPvqXWtw4eGjTswb4EKMry0XIRYpE/NepQYeUW
2822	   m8NoL/7IHXF2sphLD2kUO9ES0k+/1d1eYrcjtH8tbLOcNuPU0HqakfeR8m0N
2823	   6DerZl+/tmf6tMW+0dt9FTNig2cbTh2cHM34PqAGq/r6sSWn7uqtIoddBQn8
2824	   ELPRd40NFl6Mf75o+5Fdl0YifVieoRULZq148PMjpzkyi/M0n+JeFw+cGU0t
2825	   uH//QsYaa2iC1a57lpnz6/SfA4K1wNwWSgb41MhkZoInATfoRdDv1W9P3eIL
2826	   zuq6VxuzlxJv9ho7eqFv9qnhx6/3HmhduzeN51VZX1tUUtWXEFww9Mx0rcrk
2827	   +U7XWdXjwlz2vQhW6/VLnjltZupsrzlnnm6NOer58nam8ZLl876/lodmeQ2K
2828	   V4aHld/YtaK8u+fe/23876onADqO/7HW8T+A9OT/uwP/EQpO0YX9uEhIEQlE
2829	   ELkd/gNdwn+yCAOE8DvxP1cqlnE93KVMtqsu9mcgXDZXypF7RTGDGTBXzonh
2830	   0jkgR+qm0wh+H0n9H4cpFERI0bkOyIOhTor/4T/r/+9a79T6//tN/3vj/8vv
2831	   xv+ndV3FzfF/s3R5HV0b6rXOAGTpDsr4V2QAWoyxJwfQdg6g9dTs1jmAlvxv
2832	   9rA/kwCdKQQ64D8Zg1rn/1EM6Kn/dQf+A6BQAFIRKi5CKRQIFrTDf3KX8J8P
2833	   omSUh6It+M+k+0VxpH6RXDYnkkHnyrh0GsSgM2AO5B7OlLpFcj38ZVwpM5wh
2834	   Z7zhPwLD1H8r/1EBINT5FhlFQSoFQTon/w/CCPJaALQ232UJg67Oc3wkOQhm
2835	   G1COBgfVLUktHvOwait08vbc6Id213+JWr/nleu0OHrpd8RFX9soVHBlwMmz
2836	   MaFZ349ztc0cOl277zDxsTh0/hivmkFU4s/JcgnqicQbpv14OWLPEiZd2ZsR
2837	   Vro3p9FzovLMLeWkgmoDr/Qsl7yJg+J3HbPNnfokEDxrJlxQEToRfRVOf9jk
2838	   Y/ci5Gpj8dizgl0JkRHr9heX1R/9bciJH8sWVOTt+SqrTJV+6dCK4TkuWzd4
2839	   lU+Mbai5OSV3SNDMPnyz/IPDEzUy1HvUnfqfcgbXxAXjdvkVqz6zXZMxccPT
2840	   UVtme5tXr1xSe2rReDBEcfyu5STj+tq6qQsRh9q63WMsqNNz4zML7tAWvC8H
2841	   0bs+cLrsofqiu9R8o3CIr91CXwj+xXGAkeryuG/K+Ul5Tg3TjE8JI4ITbVzL
2842	   113mqDycnl3CLHv7SM8uJVVPNeGmlvibzTu9LXPP2szPjI+VK03SCaqjW8/v
2843	   vVarm/1nr6V+/1j737lBj1jtjMdV3ytWl8nEpymPrTY0fteXfZFDoVxdgyaZ
2844	   2O9H9u6ckEH6Ar0+D158d/+veWPt4sj0iCxKU/B5D58Fa5ZJl24sceu/anhs
2845	   nicxoGSNw9BPSo4VlabSpxdCA7T9hw0JG5g82Td24YKx/mPOhKw5MnKm3iiH
2846	   AxHVP66bH2oFnG+0p6wHCB7f5c4+Z+AgbRx2/0CyGpz8fLlSWySo+PqQ/5lS
2847	   Qnia3sRMV0lohuXNmUlTHmGJoYVmKueLX4aNDGi6lLITc/UbVPRNFHRzXuDW
2848	   rIEmO7ZUrLx+FCxm2S2GBrDvqh0epzw7tKXK3LSm6KDs2goe41HBiKxn5XGM
2849	   9FcHfoRDvXc1zFxfdXz9HYvFL9uamf9rrdq1lZ8Prf+0zP+gzfkfkIz16L/u
2850	   UP8BqGQyGaOCwubnfNvTfyCla+o/ECLA+Qj/Hf3HgblSbymDLpNx2TSYxWY2
2851	   P/Al1mlCMlPuBnKkXjEsejjC9GD01H/+f9V/2tJeFr1EQ4dcHL3ZIWz1moyR
2852	   r/JtZpncLbqy+6V50ecl1ZWZTa9KduyJHbzrx2MBUV6cGzcWXTtYfbHySlnR
2853	   7VuhqeMdiXMOOuk5b1s6a7X7k688yq4YNgx/ej96n8Q65UalMCQHCDpcOClF
2854	   MzUMP9wQcLqofDfPOMX1BzGWUn0st5+JKOCe+mSWyMzEaMAtr7ADky71KfCf
2855	   d2zjPsDPh/bDjB0PczK2SpoAo+VZo27/amiYUH92+5ymghD3KY6/yedWWcdE
2856	   YP3mmzPiNtJ3wrllnJxnA6WHXPAJ4ZjjM/YcD69xgXNqZjseWjnR6kpCkqXh
2857	   Q0t+ct+gpPVjSqsSL8XWjlhz/kksHL9iYu37tNdz1tE1XtCDLZXZ23JrCSHZ
2858	   C32THge4DDWJBMq32VuZm/rde1ANLT8j+aLgtrtgQxpCVF34Ocba59i9gNt5
2859	   88ask07vr+Sod6+2Sk1qkCyj3bGZNu5B/YZZtt9bEVI2Jj+gJn5z4lVPAajL
2860	   25vKDylSzNOSwpRa0uv1rBOVQEfPf4MA0or/KAb28P9vaZ2S0O9xo4/f/7vs
2861	   2x8fUv9FW/k/GSNDPf7fDfQ/BcRhEUamIBQBGaEgwnb0P9ol+h+DeSCIgkDL
2862	   579iXGUsDwbAjAmPZLHdohgQI5rhofuNCSSzghkxXI9AgANxQAY77KOo/2Ii
2863	   vogMAny+SEARYKCgc+u/ra13Yv23I9M9KbV/IKXW8x3wNmZm934EvGsrvx9a
2864	   /wVb5/8QtKf+2y3yf1QBDAoADMZFZIoIa+f7XyC1S/hPQWAMQRFyy/yfPEjK
2865	   kbrp+M8UM6WCGAbdLZrrwSBzghkIU+4v5QT7RXEgbxmH7fVR1H/Jzf8riQ/i
2866	   KAJTABjld3L9t7X5nvrv35+D1F46be8pSLEPOjq7yez88QdXfrnpXv8JFjvz
2867	   mUF/atrM+nTiM1pA8knfKU3ytIya/P25KaXKb4dN3VLm8OT4gWW2RaL6poV+
2868	   JaMjZuZUhOydIre/WZydk/1innW/7LtmqWEiT+PaG6vEdv3l7sz8zAzxz37y
2869	   2OB7n6dG7L7du2Tz1bmRFdcHR/FObt55Lhk9ffnzbSMvZOwYuRMffqq2YMOp
2870	   7T53tr4KMFhxVH9kIfE75V1nTJ66yeJ83aa6dYcr8yPq86clZNxqWLnWx4vA
2871	   py2ZM2CnW/wJHj275nzpZvshe099dmHD0f3L+YMd6nzVDcdY9mSAk1Jow0ZH
2872	   sfoZ8crynymJhUt793lfDnKW8/3KkN/KQuX3t/U5EO6UttCXdpe7c9vjzQfT
2873	   /VnxF4tlo7yGEKO+Pq35ocQzkffAnVThbSD1Bu/96j+NsBmmHAi7cSgqgCPg
2874	   ujnq+w3NezI5krWMed/67qumuY1xtDEnLiK2/50X9GjVLteq8791aeQbLju0
2875	   qNdd2a0NA768OCoQZ18OBmauHZj4OO32vlj7tIHeeYZZ17iNT+yrnk6eb4s9
2876	   7T07acTkvNQ7JrFjk17+T2PpDtVVY+uwtP7HD1wirJOVTE0nbaZfUF+Ynux8
2877	   q6ruS1C0aZ9oeKOj7dRPhw4qeDSmYmf2s7A6GHK7n2uzfZ/ooIud8Yja+LCv
2878	   dt/MflHv17i8+HGC0fFHL1/egp76HKW9WtVYurFp/acmK6qfu/XFr5+I35S8
2879	   crm4evdE8sMRRg9Q61FTPHIdMh9YYoSojSkhOU0L8neRc/QJPxU/qhlrJr2S
2880	   Mee+R9B/2rljG4CgAICClQ2MoKCRSNSi0xiBWvJVejsYgNIo5lBZwAYMYAK5
2881	   m+HVr1qTLZ7qZe9C2aTnMc531OdF1g7XV5j/3xUBAAAAAAAAAAAArwcJE6fh
2882	   AHgAAA==
2883	   -- END MESSAGE ARCHIVE --

2885	Authors' Addresses

2887	   Cullen Jennings
2888	   Cisco Systems
2889	   170 West Tasman Drive
2890	   Mailstop SJC-21/2
2891	   San Jose, CA  95134
2892	   USA

2894	   Phone: +1 408 421 9990
2895	   Email: fluffy@cisco.com

2897	   Kumiko Ono
2898	   Columbia University

2900	   Email: kumiko@cs.columbia.edu

2902	   Robert Sparks
2903	   Tekelec
2904	   17210 Campbell Road
2905	   Suite 250
2906	   Dallas, TX  75252
2907	   USA

2909	   Email: rjsparks@estacado.net

2911	   Brian Hibbard (editor)
2912	   Tekelec
2913	   17210 Campbell Road
2914	   Suite 250
2915	   Dallas, TX  75252
2916	   USA

2918	   Email: brian@estacado.net