--- 1/draft-ietf-lamps-samples-01.txt 2021-05-12 19:14:02.833882056 -0700 +++ 2/draft-ietf-lamps-samples-02.txt 2021-05-12 19:14:02.969885476 -0700 @@ -1,18 +1,18 @@ lamps D.K. Gillmor, Ed. Internet-Draft ACLU -Intended status: Informational 8 May 2021 -Expires: 9 November 2021 +Intended status: Informational 12 May 2021 +Expires: 13 November 2021 S/MIME Example Keys and Certificates - draft-ietf-lamps-samples-01 + draft-ietf-lamps-samples-02 Abstract The S/MIME development community benefits from sharing samples of signed or encrypted data. This document facilitates such collaboration by defining a small set of X.509v3 certificates and keys for use when generating such samples. Status of This Memo @@ -22,21 +22,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 9 November 2021. + This Internet-Draft will expire on 13 November 2021. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -52,74 +52,77 @@ 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 4 2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 5 2.3. Certificate Revocation . . . . . . . . . . . . . . . . . 5 2.4. Using the CA in Test Suites . . . . . . . . . . . . . . . 5 2.5. Certificate Chains . . . . . . . . . . . . . . . . . . . 5 2.6. Passwords . . . . . . . . . . . . . . . . . . . . . . . . 6 2.7. Secret key origins . . . . . . . . . . . . . . . . . . . 6 - 3. Example Certificate Authority . . . . . . . . . . . . . . . . 6 - 3.1. Certificate Authority Certificate . . . . . . . . . . . . 6 - 3.2. Certificate Authority Secret Key . . . . . . . . . . . . 7 - 4. Alice's Sample Certificates . . . . . . . . . . . . . . . . . 8 - 4.1. Alice's Signature Verification End-Entity Certificate . . 8 - 4.2. Alice's Signing Private Key Material . . . . . . . . . . 9 - 4.3. Alice's Encryption End-Entity Certificate . . . . . . . . 10 - 4.4. Alice's Decryption Private Key Material . . . . . . . . . 11 - 4.5. PKCS12 Object for Alice . . . . . . . . . . . . . . . . . 12 - 5. Bob's Sample . . . . . . . . . . . . . . . . . . . . . . . . 15 - 5.1. Bob's Signature Verification End-Entity Certificate . . . 15 - 5.2. Bob's Signing Private Key Material . . . . . . . . . . . 16 - 5.3. Bob's Encryption End-Entity Certificate . . . . . . . . . 17 - 5.4. Bob's Decryption Private Key Material . . . . . . . . . . 18 - 5.5. PKCS12 Object for Bob . . . . . . . . . . . . . . . . . . 19 - 6. Example Ed25519 Certificate Authority . . . . . . . . . . . . 22 - 6.1. Certificate Authority Certificate . . . . . . . . . . . . 22 - 6.2. Ed25519 Certificate Authority Secret Key . . . . . . . . 23 - 7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 23 - 7.1. 
Carlos's Signature Verification End-Entity Certificate . 23 - 7.2. Carlos's Signing Private Key Material . . . . . . . . . . 24 - 7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 24 - 7.4. Carlos's Decryption Private Key Material . . . . . . . . 24 - 7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 24 - 8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 26 - 8.1. Dana's Signature Verification End-Entity Certificate . . 26 - 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 26 - 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 26 - 8.4. Dana's Decryption Private Key Material . . . . . . . . . 27 - 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 27 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 28 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 - 11. Document Considerations . . . . . . . . . . . . . . . . . . . 29 - 11.1. Outstanding Changes . . . . . . . . . . . . . . . . . . 29 - 11.2. Document History . . . . . . . . . . . . . . . . . . . . 29 - 11.2.1. Substantive Changes from draft-ietf-*-00 to - draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 29 - 11.2.2. Substantive Changes from draft-dkg-*-05 to - draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 29 - 11.2.3. Substantive Changes from draft-dkg-*-04 to - draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 29 - 11.2.4. Substantive Changes from draft-dkg-*-03 to - draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 29 - 11.2.5. Substantive Changes from draft-dkg-*-02 to - draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 29 - 11.2.6. Substantive Changes from draft-dkg-*-01 to - draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 29 - 11.2.7. Substantive Changes from draft-dkg-*-00 to - draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 29 - 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 
30 - 13.1. Normative References . . . . . . . . . . . . . . . . . . 30 - 13.2. Informative References . . . . . . . . . . . . . . . . . 31 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 32 + 3. Example RSA Certificate Authority . . . . . . . . . . . . . . 7 + 3.1. RSA Certificate Authority Root Certificate . . . . . . . 7 + 3.2. RSA Certificate Authority Secret Key . . . . . . . . . . 7 + 3.3. RSA Certificate Authority Cross-signed Certificate . . . 8 + 4. Alice's Sample Certificates . . . . . . . . . . . . . . . . . 9 + 4.1. Alice's Signature Verification End-Entity Certificate . . 9 + 4.2. Alice's Signing Private Key Material . . . . . . . . . . 10 + 4.3. Alice's Encryption End-Entity Certificate . . . . . . . . 11 + 4.4. Alice's Decryption Private Key Material . . . . . . . . . 12 + 4.5. PKCS12 Object for Alice . . . . . . . . . . . . . . . . . 13 + 5. Bob's Sample . . . . . . . . . . . . . . . . . . . . . . . . 16 + 5.1. Bob's Signature Verification End-Entity Certificate . . . 16 + 5.2. Bob's Signing Private Key Material . . . . . . . . . . . 17 + 5.3. Bob's Encryption End-Entity Certificate . . . . . . . . . 18 + 5.4. Bob's Decryption Private Key Material . . . . . . . . . . 19 + 5.5. PKCS12 Object for Bob . . . . . . . . . . . . . . . . . . 20 + 6. Example Ed25519 Certificate Authority . . . . . . . . . . . . 23 + 6.1. Ed25519 Certificate Authority Root Certificate . . . . . 23 + 6.2. Ed25519 Certificate Authority Secret Key . . . . . . . . 24 + 6.3. Ed25519 Certificate Authority Cross-signed Certificate . 24 + 7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 25 + 7.1. Carlos's Signature Verification End-Entity Certificate . 25 + 7.2. Carlos's Signing Private Key Material . . . . . . . . . . 25 + 7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 25 + 7.4. Carlos's Decryption Private Key Material . . . . . . . . 26 + 7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 26 + 8. 
Dana's Sample Certificates . . . . . . . . . . . . . . . . . 27 + 8.1. Dana's Signature Verification End-Entity Certificate . . 27 + 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 28 + 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 28 + 8.4. Dana's Decryption Private Key Material . . . . . . . . . 28 + 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 29 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 30 + 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 + 11. Document Considerations . . . . . . . . . . . . . . . . . . . 30 + 11.1. Document History . . . . . . . . . . . . . . . . . . . . 30 + 11.1.1. Substantive Changes from draft-ietf-*-01 to + draft-ietf-*-02 . . . . . . . . . . . . . . . . . . . 30 + 11.1.2. Substantive Changes from draft-ietf-*-00 to + draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 31 + 11.1.3. Substantive Changes from draft-dkg-*-05 to + draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 31 + 11.1.4. Substantive Changes from draft-dkg-*-04 to + draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 31 + 11.1.5. Substantive Changes from draft-dkg-*-03 to + draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 31 + 11.1.6. Substantive Changes from draft-dkg-*-02 to + draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 31 + 11.1.7. Substantive Changes from draft-dkg-*-01 to + draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 31 + 11.1.8. Substantive Changes from draft-dkg-*-00 to + draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 31 + 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 32 + 13.1. Normative References . . . . . . . . . . . . . . . . . . 32 + 13.2. Informative References . . . . . . . . . . . . . . . . . 33 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 33 1. 
Introduction The S/MIME ([RFC8551]) development community, in particular the e-mail development community, benefits from sharing samples of signed and/or encrypted data. Often the exact key material used does not matter because the properties being tested pertain to implementation correctness, completeness or interoperability of the overall system. However, without access to the relevant secret key material, a sample is useless. 
@@ -206,49 +209,66 @@ cases, we do not expect these certificates to produce any revocation artifacts. As a result, there are no OCSP or CRL indicators in any of the certificates. 2.4. Using the CA in Test Suites To use these end-entity certificates in a piece of software (for example, in a test suite or an interoperability matrix), most tools - will need to accept the example CA (Section 3) as a legitimate root - authority. + will need to accept either the Example RSA CA (Section 3) or the + Example Ed25519 CA (Section 6) as a legitimate root authority. Note that some tooling behaves differently for certificates validated by "locally-installed root CAs" than for pre-installed "system-level" root CAs). For example, many common implementations of HPKP ([RFC7469]) only applied the designed protections when dealing with a certificate issued by a pre-installed "system-level" root CA, and were disabled when dealing with a certificate issued by a "locally- installed root CA". To test some tooling specifically, it may be necessary to install the root CA as a "system-level" root CA. 2.5. Certificate Chains In most real-world examples, X.509 certificates are deployed with a chain of more than one X.509 certificate. In particular, there is typically a long-lived root CA that users' software knows about upon installation, and the end-entity certificate is issued by an intermediate CA, which is in turn issued by the root CA. - The examples presented in this document use a simple two-link - certificate chain, and therefore may be unsuitable for simulating - some real-world deployments. + The example end-entity certificates in this document can be used with + either a simple two-link certificate chain (they are directly + certified by their corresponding root CA), or in a three-link chain. 
- In particular, testing the use of a "transvalid" certificate (an end- - entity certificate that is supplied without its intermediate - certificate) is not possible with the configuration here. + For example, Alice's encryption certificate (Section 4.3, + "alice.encrypt.crt") can be validated by a peer that directly trusts + the Example RSA CA's root cert (Section 3.1, "ca.crt"): + + ╔════════╗ ┌───────────────────┐ + ║ ca.crt ╟─→│ alice.encrypt.crt │ + ╚════════╝ └───────────────────┘ + + And it can also be validated by a peer that only directly trusts the + Example Ed25519 CA's root cert (Section 6.1, "ca.25519.crt"), via an + intermediate cross-signed CA cert (Section 3.3, "ca.cross.crt"): + + ╔══════════════╗ ┌──────────────┐ ┌───────────────────┐ + ║ ca.25519.crt ╟─→│ ca.cross.crt ├─→│ alice.encrypt.crt │ + ╚══════════════╝ └──────────────┘ └───────────────────┘ + + By omitting the cross-signed CA certs, it should be possible to test + a "transvalid" certificate (an end-entity certificate that is + supplied without its intermediate certificate) in some + configurations. 2.6. Passwords Each secret key presented in this draft is unprotected (it has no password). As such, the secret key objects are not suitable for verifying interoperable password protection schemes. However, the PKCS#12 [RFC7292] objects do have simple textual 
@@ -262,52 +282,52 @@ based on known seeds derived via [SHA256] from simple strings. The secret Ed25519 and X25519 keys in this document are all derived by hashing a simple string. The seeds and their derivation are included in the document for informational purposes, and to allow re-creation of the objects from appropriate tooling. All RSA seeds used are 224 bits long (the first 224 bits of the SHA-256 digest of the origin string), and are represented in hexadecimal. -3. Example Certificate Authority +3. Example RSA Certificate Authority - The example Certificate Authority has the following information: + The example RSA Certificate Authority has the following information: * Name: "Sample LAMPS Certificate Authority" -3.1. Certificate Authority Certificate +3.1. RSA Certificate Authority Root Certificate This cerificate is used to verify certificates issued by the example - Certificate Authority. + RSA Certificate Authority. -----BEGIN CERTIFICATE----- - MIIDLDCCAhSgAwIBAgITD5FARp09T2LXr/FPQiI+8ZsGAjANBgkqhkiG9w0BAQ0F + MIIDKzCCAhOgAwIBAgITD5FARp09T2LXr/FPQiI+8ZsGAjANBgkqhkiG9w0BAQ0F ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAtMSswKQYDVQQDEyJT YW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAnFB71AsptFyqxG4qPtbt2VLJVctHyNXtlIUWve4q PSo/+Oi9s3sf+t7krrosxlv626L+Wm05t99ZVKWKn7y2uYyO7/IToRpTwHN1sXga Uz/u2gjPfS69R20ZNSKL9EiB78hgCr1UvY5elQoW2Y4zqQGR729pQYI5obT15V8n wdyHCTvecvvvMGBiaAk66VlMQCZLG+nVU8wYVCl6fE37Z1qAs12XlUJr3DGgVKGf ZpMz55xiV8q11Aobhmx4aPPyE4GWshDDt4DbtYJMGLEeik1AmNHBsmyaQCLBxVE3 - 3ZW1UrhK5Pb9qSL4gizDZ7ZaGZNudwjJu20HHVIGQT7nDwIDAQABo0MwQTAPBgNV - HRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFHhfDlp42Gvk - VHA9s93s9/Hy+sBHMA0GCSqGSIb3DQEBDQUAA4IBAQAMqotfBm1fUs18JqiTgZhW - LUo/Oo+l/rVEIMUPN8+uZgxfOwA0u9cE0IAgMdVELfyHuEt5ld+xyS300z1/Z3X0 - w1NpEaLmgBNB70kmjNZkvT/aWDlKE3JVUITYkkLOm10U5J1dF3DjGH+kK+/nbeF2 - 
mHTquWfm7420fJJNvCWgvylBHCFheFHt450G/2t5b8+0a4Qj6/QPsqGwiD6NjLrA - gD0oKIyQP6HNQ8fGpYekiLcq8NQ3sFBYsNUmfAy/Zfjo9/5o5qc+2UwRPTv+QUZx - 0bBs2gH3LVOuvgkHXm5EFyfjCInWTOg0PBlsjvHjrROQHSsuL/Bd3uuqG02bJbbj + 3ZW1UrhK5Pb9qSL4gizDZ7ZaGZNudwjJu20HHVIGQT7nDwIDAQABo0IwQDAPBgNV + HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUeF8OWnjYa+RU + cD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAC6D3qI26uy9yKEqxoBLkNLQ + lpRTKzBn/78v4ejj5HyyNwxkMe2nSRUuLEo65537NwAa9XuOaSRDKRl+SH8ArvGd + C2XhEfKm2GwW1eyV2ZLFzwWinZMKce3NgraQWYxFndI12ewbUUQr5R4b4AO69lSE + iOJ2bTWJGHpuCrLKfx98pnarJxFp6hOS6V3wxny5ksQ5NGfqNWnovZRSSvGfyu7H + HKLp7T1dNHmF1n4bJtnx7/6yks+Eu8jQp9vhhEXdeAq3ZAPJGahY8AIndg01ZGNG + vAIzxiHzjEWWcjbwtIkINZAPZHgq1u1cjhy7mDfq9GfCoE4/6q55N6Etbuesh5c= -----END CERTIFICATE----- -3.2. Certificate Authority Secret Key +3.2. RSA Certificate Authority Secret Key This secret key material is used by the example Certificate Authority to issue new certificates. -----BEGIN PRIVATE KEY----- MIIE/AIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCcUHvUCym0XKrE bio+1u3ZUslVy0fI1e2UhRa97io9Kj/46L2zex/63uSuuizGW/rbov5abTm331lU pYqfvLa5jI7v8hOhGlPAc3WxeBpTP+7aCM99Lr1HbRk1Iov0SIHvyGAKvVS9jl6V ChbZjjOpAZHvb2lBgjmhtPXlXyfB3IcJO95y++8wYGJoCTrpWUxAJksb6dVTzBhU KXp8TftnWoCzXZeVQmvcMaBUoZ9mkzPnnGJXyrXUChuGbHho8/ITgZayEMO3gNu1 
@@ -334,53 +354,77 @@ 9SGCNQ8nx1AsXLZn57U52Oji8KA7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME AgIEHPBUYbjdNRelyUPep86pkRfIdEPM9N+yPctTfB0= -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed "f05461b8dd3517a5c943dea7cea99117c87443ccf4dfb23dcb537c1d". This seed is the first 224 bits of the [SHA256] digest of the string "draft-lamps-sample-certs-keygen.ca.seed". +3.3. RSA Certificate Authority Cross-signed Certificate + + If an e-mail client only trusts the Ed25519 Certificate Authority + Root Certificate found in Section 6.1, they can use this intermediate + CA certificate to verify any end entity certificate issued by the + example RSA Certificate Authority. + + -----BEGIN CERTIFICATE----- + MIICgjCCAjSgAwIBAgITB2Y8zXRHikdU9jKPM22+7kcZXTAFBgMrZXAwNTEzMDEG + A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 + MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIwOTI3MDY1NDE4WjAtMSswKQYDVQQDEyJT + YW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B + AQEFAAOCAQ8AMIIBCgKCAQEAnFB71AsptFyqxG4qPtbt2VLJVctHyNXtlIUWve4q + PSo/+Oi9s3sf+t7krrosxlv626L+Wm05t99ZVKWKn7y2uYyO7/IToRpTwHN1sXga + Uz/u2gjPfS69R20ZNSKL9EiB78hgCr1UvY5elQoW2Y4zqQGR729pQYI5obT15V8n + wdyHCTvecvvvMGBiaAk66VlMQCZLG+nVU8wYVCl6fE37Z1qAs12XlUJr3DGgVKGf + ZpMz55xiV8q11Aobhmx4aPPyE4GWshDDt4DbtYJMGLEeik1AmNHBsmyaQCLBxVE3 + 3ZW1UrhK5Pb9qSL4gizDZ7ZaGZNudwjJu20HHVIGQT7nDwIDAQABo2MwYTAPBgNV + HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUeF8OWnjYa+RU + cD2z3ez38fL6wEcwHwYDVR0jBBgwFoAUa6KVfboUm+QtBNEHpNGC5C5rjLUwBQYD + K2VwA0EA+Zb/X/6jcMIBDyy3UbV+8JMfYgSZRNyyyaW8Oz1dqQGtWsW2Rl0FZfw5 + fUMzFTd/jLQdU/g3LCtyIhuTHPSdAQ== + -----END CERTIFICATE----- + 4. Alice's Sample Certificates Alice has the following information: * Name: "Alice Lovelace" * E-mail Address: "alice@smime.example" 4.1. Alice's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Alice. 
-----BEGIN CERTIFICATE----- - MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0F + MIIDbDCCAlSgAwIBAgITITV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0F ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALT0 iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOwI2juwdRrjFBSXkk7 pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A/3rB X7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQV tkWQHi6syTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/ 2NKRu0BXnDe/N+iDz3X0zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVC - CpDtc0NT6vdJ45bCSzsCAwEAAaOBlzCBlDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX - MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYD - VR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBmZnMwHwYD - VR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEB - ABbWeonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0 - iSyFDG1NW14kNbFt5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QEC - Ss08b8zrxIncf+t2DHGuVEy/Qq1drBz8d4ay8zpqAE1tUyL5DcqZiKUfWwZQXSI/ - JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTivyk4cYwOp/W9UAWymOZXF8WcJ - YCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/j8BAwrKKaFvd - lZS9k1Ypb2+UQY75mKJE9Bg= + CpDtc0NT6vdJ45bCSzsCAwEAAaOBljCBkzAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX + MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYD + VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBS79syyLR0GEhyXrilqkBDTIGZmczAfBgNV + HSMEGDAWgBR4Xw5aeNhr5FRwPbPd7Pfx8vrARzANBgkqhkiG9w0BAQ0FAAOCAQEA + ee6To0QC32Z7njIGt8b6AI/YY2PzmhKakIwc7V/9zCuXwcvYGEDWtmAGXEUKkvHL + 1p0DtQqD3YQ8n1/PjwW3hsVB5Az65E3gFTvRbKXmI8Z4UAYWMJBmuxX3oUd0kZAW + WRkeQBe3LBATG0/I4tHkpH6WF/lVRf5jw6xwsXFL27xjQ3T1Jqo1GV+Mekzcc7Z4 + y+7/8y4+BxZ0AG8H8UcgLj9CFicysCV/fTUHpY4yh0VXBhH9WUw16XGJUfxpx6ZV + TszxfaNpxbfeM5GVrgF42n0ztJB9D/6nJO8flXEP62JBO1xD1oziJDnPuMDwE2pK + KFlEI+TjQEUy5DKiSWjd1w== -----END CERTIFICATE----- 4.2. 
Alice's Signing Private Key Material This private key material is used by Alice to create signatures. -----BEGIN PRIVATE KEY----- MIIE+gIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC09InoWDgWPk2a f0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHUa4xQUl5JO6VqY18LANwO Rjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz/evPgP96wV+z4TtAwW2Z 
@@ -414,39 +458,39 @@ in [FIPS186-4] using the seed "92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05". This seed is the first 224 bits of the [SHA256] digest of the string "draft-lamps-sample-certs-keygen.alice.sign.seed". 4.3. Alice's Encryption End-Entity Certificate This certificate is used to encrypt messages to Alice. -----BEGIN CERTIFICATE----- - MIIDbTCCAlWgAwIBAgIT3r7MRJB7qx35ms1tFWj7th3y5jANBgkqhkiG9w0BAQ0F + MIIDbDCCAlSgAwIBAgITXr7MRJB7qx35ms1tFWj7th3y5jANBgkqhkiG9w0BAQ0F ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqV KfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfID lB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdS NRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1 ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv 9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIB - aVv4wPxAf1iPsIVKarUCAwEAAaOBlzCBlDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX - MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDwYD - VR0PAQH/BAUDAwcgADAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj8OeOr83zdw8wHwYD - VR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEB - AEi3/4eQPCAAbdgVMVbA7CplI+5LIV+7qUrORNdN8E53zu1oBkxktmDPWpQGiGYJ - fsQD2Gu1sz0Ofpqzaw0QHo90ghEcz3GOb9/JFEBRwV8Ern1rHXKRis56PPdBAlTg - 3D7QKgwkGolETHH1TFv4mY/XC1CWzWq/wKPActIDt1cujjUKk2ILsa1kqYfbEQol - ZGil0pxx9jdMS5qaTdjb66GvPpkQI1uH4E9xiYbJu5bD+SX0Sgzih79GEhaP8vjc - w6+P//nJ3ExJkVT7OvIJmwGvV0ULtmsghoigcd2BBc/fOKdbyIBmJBe152dd02EW - 6FwMfHKDtHO8k+/XBeZcxF0= + aVv4wPxAf1iPsIVKarUCAwEAAaOBljCBkzAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX + MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYD + VR0PAQH/BAQDAgUgMB0GA1UdDgQWBBSiU0HVRDyAKRV8ASPw546vzfN3DzAfBgNV + HSMEGDAWgBR4Xw5aeNhr5FRwPbPd7Pfx8vrARzANBgkqhkiG9w0BAQ0FAAOCAQEA + kxjgvL3tIH8ZIeI9rLd16aftGuo3uKRl2aU6Hek7vFfwJESn6oNTPrJUQYigoYVS + 
Sm/9yvGXmNEON21j83IgbeUfZgcIpgcXkwwfVsrhxnj0bcXLnuAOzvlzZfDgz/YO + uRSa2m9oaQg1um7CLDWiE/Zqe6XzLD6JKhHzYHYILajnFgoKBkL57GFVJlXFkgJc + bW2880QchGj6XDdXcJzYiBuQD+pGz+t2phgW6E/8vTUvATZ1s1SC4UN19AyqJyAl + RQWGJpJdsHN8bBiRenio1NajPMbFnCjz1pf5bNoF10yWJkFcG6A+EWjAMlWgl/tu + QapHLcsaIPscn6mnqbFNyA== -----END CERTIFICATE----- 4.4. Alice's Decryption Private Key Material This private key material is used by Alice to decrypt messages. -----BEGIN PRIVATE KEY----- MIIE+gIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCalSn6i8Gi44/o AVAn5GnCk4PHHNjrSfWUnnelN41KImVaTC3D9zFCrS3i4Pa9ZgHyA5Qf8JW3ZmnV z5q7M8onZm7mZjqQeb6FUH4i2GMt4jse2Dqs165ernT9O5NLFflHUjURca3ynqEB 
@@ -486,83 +530,83 @@ This PKCS12 ([RFC7292]) object contains the same information as presented in Section 4.1, Section 4.2, Section 4.3, Section 4.4, and Section 3.1. It is locked with the simple five-letter password "alice". -----BEGIN PKCS12----- MIIXsAIBAzCCF0gGCSqGSIb3DQEHAaCCFzkEghc1MIIXMTCCBC8GCSqGSIb3DQEH BqCCBCAwggQcAgEAMIIEFQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIWQKs - PyUaB9YCAhTCgIID6GT96ewG16YBcazV7Zo8cZ0AWul+It5HDTSG2EYFtJB8nqhG - rgKuUeD1g1xWJw++M7z3kAtEn1Vxi1KdHtzZ9S47GRd69TWSpbA8l6X7nY9WcdhW - N3OcpdBcuJo7PQ/PFk1srsXbqrKpnDkHn22twIN57/ZR1dvicpvsRbmjWf73ia4w - GfabS7WUGTt6Kpdd/kUzWNdII07B+qjcqAOlZ608Vql1MD75Jbb7nXTP5DpSP7WA - kCAGD4b6O7MzqBwGWLHXnLQP3RniraqgFwLKOAOM4G2G+wJVQ7ig2GhJoD0qfd9U - +dpELWZs5hWXU1E2Q5mx8AkQZHesAhCHsONLMB38rzCeWGRODHV03+U9EjQOusOu - jzHEEPtKzZa+c2BtzwnVxYi1Tz9BIs0OWLSE5hlYuT8ZQ13/bDlaUmKZgBvEubzZ - t/fglGTlCczymabSpaMpQRzXO0eT+/enDdILpDT2cBf6Q3+a521g38gaf0CIKfGf - NLCCfL2YxLbjHJHxCq5WqyY8bLDNreCxffQ3wV154eIvwYdLfiq44uM2s2vrr5bM - LAV9DhomAuyfQJixk8I6YejlEwZQscDeh5+037DTzDc0AFQDe8d365hQMcqMYC9w - aey7X1SUCL9B9coEyR2k4NM1qFNnd0n3K1j0bY9N0o2kzI/02nCcO9Yq2qMHkA1m - XShpyrmkqYMDtlM7DXQDPlYGumIwYu8tSPuFJzXSq64BNmRxgvOhFnrqytwBeAVS - XTe8HelM6EOW6z/KUffWOYwuq/QHCgNRODJN3hB9oI7Ij5g6wn920WNTzoFjivoi - QNEivXhyEakrBwZF08fJFUJHoJg4N7M1nV3F6I8/pgdPyRMFHO6InfDD+/Uoitwg - 51BxMyAvejGVzk0KxolG5NQoUOXhje7qFURxIbqXrSI1Xui6jSUPXTTyGLj5rcLo - mpVMLbs5tUQFRDBtN5qBmbW1SWf3ZvkHScMrPAgpZ/cDSKh5w2ykUGWhIPAaXClA - +WCWlMOuzrk+JDRjmO+Mzptno9b4NCiFCyGJqQSyEo4dD4ftZVciNK6fCjnArkz3 - mgQroeIDf/VpoExLcf+Kp/PK+X9oTbyW5pShH2B1sKD57l1qT5AlBfmpKA0lrw9D - KRvO8kfLxaNBbijOU1f0YTQIwoykq6k8YqH78RcjoeOoEcFriknBYqc3ay6tNbgd - IhaBuRXnxxv0drXkMLReZ6EqPBz8NmYu+vhYKtaMxg3T5+H7BEfmLy6qIJpsEqtV - a4vWrVbhMsNtfjVQnDhbeZ6Tea+U5kxXAhXfKE1A9LM3UkYcvn3aBg8smKIrL/wu - /LPJSKIwggQXBgkqhkiG9w0BBwagggQIMIIEBAIBADCCA/0GCSqGSIb3DQEHATAc - BgoqhkiG9w0BDAEDMA4ECPoEFEHQGB9dAgIU5oCCA9BEuCtcDZvvbXNHI+j/3C3U - zI65UbgkDQL3S02ZMP6Ooec5Mrx4t5GekUR6hyZJqkHpcDP7UjdnlU17TYH01bfi - 
lcIaaNaJ/5pkNAqfPKKT9ZXNTh/2iVauqBPcQVS8tNWMPsOSl3V+MlaCz5GJPSH0 - H36rXRZV3cEq5KppiG12CHmNTpumpcRoeYAn6UMs8iaFPyoxNUircsNBtr4BpWqL - qU0cuVL6aUS0mWwC92UXNRbfo7MLhmn92myE1FuiQeeda04dX4HTVT7l+jEiBq4Q - pXIGBOu2pOJlmc87ruUl3UEnjXN8NSTgIlmuzu/ohx0jDJRf13ABRoJtYC2kw/iz - Pj0Yu4ux18uZ/FfN7qgKAAMB2Dx1UJLCC713LbUj1zaCMc4uEgt+9tnmMe5bKMg0 - V3eMa5QvHp0yxGZpqpewisaBI79z9ZoIkY3gqfnZhzRg1uJyHOLNY3hvMTK6O2XL - Xgvw9mNbx6YCOj+SSAVKQIqt6vswSa7G0Zfc0y26evVOdOMJcfYJ6D1Q+NV9/nlj - st4pFf8orZL2zrMoC2ISvjEJKku9dyh7DIUxVJGQm7Kc46MYBV0N7ZLPHrlsq8/j - ap2q4glZfYRefqFKzD7ZnIcRKu1dLIRCji86m9Ic+n8Jox2aUAICm9Cx9TdE74gP - 9+uHpGfI51sMlU0Q8Fn2W8xHfBiwzbcyEAW+YZj5iKuGCcjPAx+dJSMLkFU9/Uun - wgO3VOPoYyLOluO1e8Uc3nw56eT2x5yV69gnK19s/K0zyOELm43Ex1JiJKWOO8Xa - UbmbYlzZEgxhfp3fP65KN3FOw8ehHEuTTpXTIYJQlKFzODzm+fkYpZCdXZDjCxli - o+LPHjrhQIR1umBlGaCL6myNTSeFbyJAF5gUy1VqD4cEm2bxDSdBefBPLvR5Z+b/ - 4aGPaqpNTb5n/vXeWY6AHOyDA4aLtuKUo7TWTvp4dSKLzPGhTUdu00WGTxSj4rs7 - 9tyeHdTlbhhugLvpfyrBzDWA4BvyVHpCOfnj26UvCKLQgAvjzKEXsiqiYuQdsgQz - rgc9mwLi6GuJLm3OjMhonGtaRCgF3vFvKUuki3WY/7EcClFn/kjjCLQhP3EcP7wi - uH6dpnlu9l5R63a7Tc9pvhCnYyt5Rt9kTCh+NcPEH18eAHj+2nnEDsN+nUfLzAgV - NHrNBq9ZgEWibC6/8ihy3qaYRAuHFK+zQseWT0vEgJCBqvo0QwDnGit0NhtLczAt - gan1xOL4/N1VE/bZ7Ydxm/dDpBcdvspiXg9LHlGI6tS8UDfAlGi2BhPmiE3OAR4e + PyUaB9YCAhTCgIID6OG+E29xPAn+g9mtERq3M50uFGqQjP2tx5uyldS+xlSUYk8a + HCsBfrLFfh2EDZHuGFxwHVwbc5dhOZlJAKyT0jRnZ0jnMEuD01Zxb8V8/LaiBGs7 + j6UGToFIsCSofsLbYWD8rN5wlSt4RzBf3JaiFQ+7CkeTkmC+RQ8eMLN7SxfoToro + lMEzUHrvVb+0KuD9/6UldmWXzxpzuSFxgQBKPlou88gPqeqFmelBqyWdn1ATkjhB + /yv1oQNm+Qd/A4fCKL/oQrO4/KvU1zZgsQ6vBWUgUM4CHZRvdfZhMQNJpIJ5lQrR + Og6/6d2CJqTD6WmsZ3XD0mozIC67VRHm4BZsKjZMa5C9H5J0PgUuN4S5N7fCRE5U + RKzSHJwFmoAtLbe7qlUT+98iYMdmB3unWwsiUIsrODH2OOMykvjcPvyyjbc2SEGX + z8iLWdDoxJQz/3hNTDSp7S84G1pd/tOtBD4r9VlCfu1f4yy+ivX4znG0sFK/VEzK + I6MuP37T2WCHphibX4CAXGjQD7fbIjg+qyF+G8Cyd+L6DgH2/7rbZNa2RSLjGKSh + j7+lRyafY6E5Ge02H1dhdgL6AYtxRBjuBxsI2qymR5ioJ7zR0TKOcwisTjeTVGMf + 
2D35OsbSbJTnE/iOMChj0oxHDWsBbVJ4JMCAVNWEZGUHRdCKQvH38V0nvCdgK/L1 + B/qigxG+Xs4tS7SzO5ayeKQoARPvMif+KKUVsFNVhkZAso+0hEjudwZb52eE8DMq + goTF1VkTLNA+YhjrIqUyW0726o84yuAi2z2JWO+g4oYQqTmdaWbDhFGNIVmopxIe + SMLUh9yH+JjjUVImL0pdjSY9Dyhx9hjbITktinfl+QADjd/GmtxCbBTXa6vChDJN + uv4BiNqL5FL7BAu899dD37ZL2dLpyI5VnC/4t2MjowTlr7DVhJKDicW+4Ax4iyKa + KS6VICYTlPbJcKn9/q7SBKKYXkNBfCDm/VwYHzJxGashBCAwAg8vXNLx4BBitzr0 + 0ySaT7fXb7GwP9NCAfSN1F04BCLfOcs5ZYbRWvjVJP6v9dOdEp3XYRN1Jjnr3ssk + 3viGWyfOGsSNj/w/2dbTqXirOsWu6dn/zXZHNFANjVdfHunySvwMuORnwxipX0Q5 + 6XIBGLUeJkPhbgiwgtRwdHzcQ1YhZUTdoiGjfLPWZif2ROqNNsqXH8CHzcxX6nas + oEpDcCpW4qZ6rH5OAXrZoPxuOdGcRObqvWXq7fN9VKYsKSjgDZGS+Jw9FN2U9FFW + B1mrABED/pVD1GT6IMRqFTMbnrLgbnwNmHBo231yA/+tu6hwLnTtFk2YZkeinOrt + 6JUS2GQwggQXBgkqhkiG9w0BBwagggQIMIIEBAIBADCCA/0GCSqGSIb3DQEHATAc + BgoqhkiG9w0BDAEDMA4ECPoEFEHQGB9dAgIU5oCCA9ACIR/7QLUcUI1XjLtVNP9P + JzjfAjV9GSb/Liw/FRPIZ3b8QujOCQwNqJG9QWf049+am6ZWFH6tzyk4go66d6Lq + AbsVcRWHAgz8UcxOdLTXOmF2ZJJIstNHsIFDiHlwKWQ4XA+uZQ0gk7Lzvj6sp0nU + nPaeYXS3nKQUiHSFnKlKdmsn5Iti1k29TEbWfVdOi2xLRecC5tIF5aErds4wREah + rkBVtWJ72uhcQjFAX0s505h3QSqk04lVl8Z4ktbo7p+YWZZc4t9z7says0XpF5wS + i7Z/k6OtbZ7pGItUH9PcbNfuIep+uvl+Sxitfmc85BZgj3G+Z3pqDm3YSgosHQBO + hzllK294R/BLSI4qP2l3dhqxfaJfhdmF17APUCxwirT9yduEwpQnC+ieMVAPJx8a + 2j/Bb/oohiNWwNHVeGmp7+SrGfJBiLpHIFSsGhUacSNSUIMBUPczGboGlIS8+YEw + BbLau1yRPti0V4aU2Aa41IgLeiogqQ6cF0pQVzVyO8i8ZLRRTLVkuuFxWUTKVMcx + LLZ0EJx2WSX8cNCExhx/0A6VjbxIQuWZ0eDAwljC2uTiYvYqjVfiUEV8JHpCUQTZ + NcMvOecNgqRMth7IVAwjm6+iGTz6dTv71Jtm0zE2XbKBQriwjPXXZiLwmtTJjkVn + tNH6TC05CfZS8m7w16C2d58WYruiR9+QPhXNgnV4ealwk8l1Va9QeM5KUzQVchkW + 5qFLyvDPZG49UbxMMPWfUXdsb+ENU7JIM3739SUz+ubOzOyQCykmjtIyg1Tt4wfZ + 1rWPsgQo7d0zQW+26g8B8aNU25UNYbXikmYi8rmQwqMYng1yTPjGHKrNOurjMwwz + VQOJIduThstQcjBMorHprA6O+IIOPvCJCIOAiHbktGEbrOaZutYLMZcfMUgZT26e + 1t3BFPVS4OQnEvM8yIrryvCXQu2g1ef4RPsKDQLblXyeCo1bSrXA8fwB0Td3+xYL + V3O8h1wJUp2ZllpZQU980ACbn7tmQLrP16XpLSpi/7S6rTYWUfNV84iItJJ9bCab + 
18iUlUXqprCka2jbCLExCdjYzhE3nWeREGB6AtVj09psL8LqhlwojbfnzmJzV5wz + +KiBONT4pSjI7XwTBee8q5rKa8+sTr6rVWoIHJ/5a6uILZEJm46ERIzvRM+A1jKm + 6ZybUxEkHDGR91y8JCEex7fUHzUa75liVQygu24wk/4Ssi4DbwqXCmEA6XsBQ0St + FiTfMkIuRJeZ4Z50ZcmM9bwMsCw6gO6+GYqZJ0pu8woN97gBe4qxygj2CehenxNS MIIDrwYJKoZIhvcNAQcGoIIDoDCCA5wCAQAwggOVBgkqhkiG9w0BBwEwHAYKKoZI - hvcNAQwBAzAOBAidIqBxZFwvagICFCKAggNotP/z1THhMYAjuY/0fDNvUslKV/d2 - LU4mkt/mLD72DZCkQJx5MYl8dw4JbQv6TrS3wWPsvJSAEG2XlY1PkF6MHqPfuWRp - B7g5Q972q4TXKqiffDXQa/GyGaUjqu6q9te8uP1u+duQ2qbfZWGsWSTBSu5NYLDY - tYNy9xWscdGzCG8fvFiYlrc6cdyUl4G6aw3dZ1kcDk9ki1TwsL2mAagktorzTt5H - ewu1DVkpQ4OdIXuD9uqhZ5P6Mbb8zyVPkFDBUPj28zIA045T/gEyAuuJRTU5ndTO - TGzXzXgC4b67zbSQqzIZsL3Bld+uWlQhS8xkpaOKUzdexN4pu1SnLAJcGE9xOkcW - 1c9Ro+yj7mkxTU/UzoYzyKWQzduJtl033iE8ocZV4kcknJZTPKcNvgdPCMKvcjSH - YD6HDIVUBU+Frm1yvXQz8Jvxi2WMy/+ThTUwJF1HJ/CXVITECAg0rbCCMbxwq+Ys - 7XzzqhBYdQWEJJHEUFDb7yo1qK9hDkxu0ZWHA8PJf4YhxUcUFCKyYOn2VzfTgbpY - b0Df2MqOossUGeIfWn866rsRQLFaZJNpJSJMgWbc7ASeq0hL9s6cRTtN19Afyp4G - pQUpdMbYKcRabkuKZDCPdmSnaNCeQ8KlRdF517O0Bv3uYH2xaWIFGXP3nh+54czF - yxC5eEALTW1fDRH+xf/AzkaRB9uSB6i4ykZfhdGyAI8DpccCT7/SI99KJmQ+s9S5 - WFRmBaepqV40a+VKDVO4wIsdiGiz27GNocRumfKdNjaREDIufWlX1s2PI2b3SJCz - ncyZvLY2fOpumqZYXemWUIWiPE44IsZV6mCJ0UsqEFvZNrPNyfzo9w1s5SNy1oIl - d2NxpNkLRAm8FIA3MbyIuvFYGhyo124sHXLGjXJOhqpnn4q5dhLCnB/Y2HtRSlih - raJyNO1GE1PwF6Y5pdbYHkIr9VPlPueoHFbPiz4rIgHMuUa6IRkIfZrm3QEEagzo - ZgFudPJAokWD7hy9rg+fXj0SW1O2yFPesBCxWY5OQd3j2/2WYHUwwx9y6GJl+C1k - I/71/kxATWchmg8uRoq/DigGlbxmvBzPUZmpbvpvLwBk96J9M+Bxg34gC8xj0G6K - YxdZDBMJoqQmTn4xeK6qBqjlFaRdg4eKN8JHJqA5Xa6u/t4wggWUBgkqhkiG9w0B + hvcNAQwBAzAOBAidIqBxZFwvagICFCKAggNor23OUC45pysZrDfScxyAOWuCHXIH + tDG0yFq18osxZH35us0vb72zhU1Bx9hqQaNq3s8EHnbQpQvJiqUQK0OnOyGKcmFw + 9jXnAH25Qb4oJqzVp3wliuZXZ7Tp+wmQu0Zab+/i1zKK2lisE55IEzlT0U2ofIVP + DSXjCS8SqZg4pYNXpV3onsBgJUE0lPIpridcEOK6kz9G/eAidQ25/gA3tQvb+dHS + lrtnHMGwIbYYvwBw7sVHPorbjWN2RR44urD26bdqiA/5CmkT/S1qkwqIoJ44yz4N + 
fsrPGK0TQSqgDw0HaN6USBck5f86LapWY/tHCPYrTGb525L7BDGotjzzdVU67a5K + AgBFYvyr617md+6kQkhRC25xXkI1SQtLkgfZ7NgSDrctil00740bxqV3En4zUQJR + h2WGLuKmknmdeVCDDVlHR1DWXZBpn3pNOMGTh7hFJiw/vpgyYLfWlFakk0iN6U+7 + UIT7WCTMQcMuSPyz1X3ADv0OQrRYBUoOuA2j/Q0F+QGezzo5+nNn6dt0pZKpVyh+ + Fx+UYzMyPJaxtYQkHH0EXQFXeZ39JBPxukhol2v8mJ+I1KYm2toIxIoyArZ4IEZp + M1c7ZH0RHJ4G/cGOA29+VDglZQ0RsPKfuLIZvuLjO9p8ns4Bahzz26Dt4HIwKpZG + XlzKGWgGV/XhCZM8+fV9mij6TUC74IMAT7C05rE+KqvNDMl/ZIHCrb94lvHPVyCQ + zClY7MuWNILO2ZJNgCTPM3HFLnpYPjWkIm2wm2vnwbWyfec2+iqWJUzRfQ3Dn65X + dhgGqBRe3R/WP6AKOw6x4jNY09RUJ2uX4ksybr7lAGaV5ufyO35zCMTVyrR1o5F4 + iinE1f1NSfEozUqedh2P/RCZ7tPXv9sMu/8gvYCJkZkz9qJxEA72cH7xKtPhYj61 + oj7O8B4XA1fq/3KFOhZyuSLR9A1vJtaLA5EGuCFWrS+x61G4y82yNUJ4chci2vY1 + ESkbNeiaWswj2UbPSvoPIiW7X/cal0I7nOWrlvx9n1rICWO1SPa0Psx+1bX9LwMC + jMK7ed0U3Z+OBSfQnHYUHQRYx42lXbgum4kI41fxDNLLXXRLUxUwj4FSmGaDoTAB + pCEqs41XvECWdCgTTBU1zC0C/9uSRH7pXtbQK7t86VxG4jYwggWUBgkqhkiG9w0B BwGgggWFBIIFgTCCBX0wggV5BgsqhkiG9w0BDAoBAqCCBSYwggUiMBwGCiqGSIb3 DQEMAQMwDgQIehcRLmVUApMCAhQOBIIFAHb5dXZKzCeRUo2ZSj0oyuFS3zQ5HhKy fapsyCqbYCKv/lSzNYWvuda7xfa+uOM7/wCB9sWdz0MTpaBMHWx9hvibZIY65oM+ ry4tTuKKqOJl37OsnjB0dSNTKszsI3faPUjslxqIH3aC1shD7OqhIRGZzRjK44PJ yWv626oQrgVtTYR9NYTdee+SbBZbkEt/EpWipwftWXGR6tSYJQn99eO9Vih8HyQv wIpidUh3pCFOlow4VZyAqIWOHcw9TAjBXNv+qfdH7fiX9wM5/GvnQReIsqjXCUoc 6pSQIAqD/f+I/d1F2ZmqM7KwX0LGRER9OWZGyF734pN9GLbNetWm6rKxmlSI/5m6 +2Jxxfann16P+vBSEgWJ/I8GnJAdzIbBTyfjog4Gi2+lmrPzK7+C79ntM9nfsr4x Vzy/BknwZIaJksd4VvOGkS9nfM6shtBJB9uR+GJfthtsvIVUHN0kz2r/lVzMSRbO g9yR53hv1H/nXCmUjWz/BvobmoaVBcCmmOnnYZTHMNarIVYdLQFif5ZLH7WV/XVE 
@@ -608,57 +652,57 @@ oUpOD1v6En+rat+PoyRXIy2fLHBL25awLhABoZPgRsCiLsiNiohfyngksrQKeRgO laBMT92J8r1E4sUKirQlcOdiWBE6vmBSXzyN/twvfgPNIXgR0rw6c7VhhS+hNTrs ttg/xcfvJ/bftDbKm+RZL+yQoOkkAf9R5tizyMdMBlaMrpfrBxvNtMiykbZ88SYo A70Trwab2aHQluVhs8OjXGBEOqmSudcSdV1EhBpo9HBsDZZi0IwOp5/B9fCHdnTh CTiUm80eQ6mX2/DB9LlNh7gHOyLL3azTm12D0ZpZNaXyxLzdiRiAdwpWZmmegOOG 70yi0D5eIxh6cbnbuU6Ygdp+pFFVYHfAvc5Czpne2OPhXX2k0Okbwawr9AfrFjIf AEmBFx5GBGr/lSiUQSkbUC/s209YgaOgWTYt3KXPzrThJJGZnnXZRTGfIi6vp8Rs nPX35+Dxe/Lp3gXDdIJeWG6XVA8t3fspcoTqPkm/XGNMmOZ81KX/ReVdP+dC93so v2DuDZbYGPmHlD47bOOiA68GD64DEuNtQ8MhWk8VRR1FqcuwB0T0bc+SIKEINkvY mDFAMBkGCSqGSIb3DQEJFDEMHgoAYQBsAGkAYwBlMCMGCSqGSIb3DQEJFTEWBBS7 - 9syyLR0GEhyXrilqkBDTIGZmczBfME8wCwYJYIZIAWUDBAIDBEB46MAsz3IW/otz - UKMFDfWTViMUL7zfR11eaXJwLbIeYN0LvgCPONEp+hUMwXfnwDNTB89j1Ly5arzK - LfOLWHXiBAj1OQCGvaJQwQICKAA= + 9syyLR0GEhyXrilqkBDTIGZmczBfME8wCwYJYIZIAWUDBAIDBEB4eSY7MGIcB30C + HRiJ2xJ8z8hPuqCScCdxvKtva5ASZJKf3B9NdAS8Y1ctgKu0JMdyIu41RFJYCkIa + CsL6vLfKBAj1OQCGvaJQwQICKAA= -----END PKCS12----- 5. Bob's Sample Bob has the following information: * Name: "Bob Babbage" * E-mail Address: "bob@smime.example" 5.1. Bob's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Bob. 
-----BEGIN CERTIFICATE----- - MIIDaDCCAlCgAwIBAgITWeEgizhkG2crS8Kgl56AnNft6zANBgkqhkiG9w0BAQ0F + MIIDZzCCAk+gAwIBAgITWeEgizhkG2crS8Kgl56AnNft6zANBgkqhkiG9w0BAQ0F ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAWMRQwEgYDVQQDEwtC b2IgQmFiYmFnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOZwBdIJ UaH/TYwSpHuoPu0S6zoEX8EI3B/ts5tAH+uxSUTaxME7jrrZVmplAN6ffsG+16os 1RzkIVXrI8IKfDyaaPAHZvGq/OHdrbXstTlXcWgibjXu0iY368EoQejbwJu0vAgx t/hGqZDvX859qVsGkREOrcFrR4tUE+dT3bkbYkNaKrLiZPCwQ4FDGZSlLGl3xfBi syZRrmi0Zef9yn6/fm+lZAg7sU2WC2cbevmt/0JGgtyPZtsoD7m7RxSQeT+frPG6 ETkiptTgdYLC6MPHhfUuzrXBhnqKGSYiVEAkdeDWlOWyMnyhGVdmErV8Hc7aBCSd - n0VESCvvGJ8JQd0CAwEAAaOBlTCBkjAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB - EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB - /wQFAwMHwAAwHQYDVR0OBBYEFBfFhHvQp+92kDi4s28IvJK1niuUMB8GA1UdIwQY - MBaAFHhfDlp42GvkVHA9s93s9/Hy+sBHMA0GCSqGSIb3DQEBDQUAA4IBAQAT2G9y - JTWq6FS7hBYLjeBijVILmvwRiy+AucPJS/DtPM10mwObdrTnvOoLKeEIQWDV7gg5 - RNWiHlhSUsjUdXcsOvuQ3FxsKp5scFd9xc9C7EAzaoorvpQOSiJsFEFnkvQwjdZ0 - rfHH2Y+k2Sa5YZZdhZJWwqyNWQmUavWSmazqkUb5DAlOx7Dcfb4AzEX3sO55LAYF - XKpqLxzoVPsiy1JsEmSd1IRe5ux/b66xdwpSTx935A0nTQ8UcBvndM6o+4UIFZOb - PPLBKORIXiHNtoWqjsxIcQaGDE8kY2LEc94wDUXcaJSOi2zCHuF+DOuUTXTPmCJC - pVUZ9OWDKfM54rYh + n0VESCvvGJ8JQd0CAwEAAaOBlDCBkTAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB + EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB + /wQEAwIGwDAdBgNVHQ4EFgQUF8WEe9Cn73aQOLizbwi8krWeK5QwHwYDVR0jBBgw + FoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAD0SptDc + YKfCH3W3J5whIYabPA3uiIfSQs7bP1tSs4i9bPrFry7m72ArhJtyVIts5TD+AZ1x + +EZG/9/kvEddBnUmGPUTv1Btur7C9DiTTEu9ekw5ea+nRfypxTmwBFfl01Atd+BW + +Un5xUSHlHvd7udm9TQZ2qKRR8BxkUIr/AXrfpBtcdj6K8VdJmX+ZTmOMzOynfl8 + TdMJqsvSFbfqXBnc/2bORn9s7f36VyRQkdM5wxVR/GGrendD+xZ3J5ELNpGR2qO/ + DHa27GFSYFjU1nS+RR4fxbGc7dTmxs5adKejod2Vc/YFS3T9EvWXiWNtnNvVVT1E + lcbF+c7MhV/OtKQ= -----END CERTIFICATE----- 5.2. 
Bob's Signing Private Key Material This private key material is used by Bob to create signatures. -----BEGIN PRIVATE KEY----- MIIE+wIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmcAXSCVGh/02M EqR7qD7tEus6BF/BCNwf7bObQB/rsUlE2sTBO4662VZqZQDen37BvteqLNUc5CFV 6yPCCnw8mmjwB2bxqvzh3a217LU5V3FoIm417tImN+vBKEHo28CbtLwIMbf4RqmQ 
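Review bot: the KeyUsage change in Bob's 5.1 certificate, `MA8GA1UdDwEB` / `/wQFAwMHwAAw` becoming `MA4GA1UdDwEB` / `/wQEAwIGwDAd`, re-encodes the BIT STRING from `03 03 07 c0 00` to `03 02 06 c0`, dropping a redundant trailing zero octet and setting the unused-bits count to 6, which is the minimal DER form for digitalSignature and nonRepudiation; the fix is right, but nothing in the prose records why the certificate bytes changed between -01 and -02. Since the public key, serial and validity are untouched while the DER and the signature are not, a sentence stating that the KeyUsage extensions were re-encoded in minimal DER (and the dependent PKCS12 objects regenerated) would spare implementers who pinned -01 fixtures from guessing.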
@@ -692,39 +736,39 @@ in [FIPS186-4] using the seed "f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e". This seed is the first 224 bits of the [SHA256] digest of the string "draft-lamps-sample-certs-keygen.bob.sign.seed". 5.3. Bob's Encryption End-Entity Certificate This certificate is used to encrypt messages to Bob. -----BEGIN CERTIFICATE----- - MIIDaDCCAlCgAwIBAgITO17BWkcdhfwmHN7ueuPziuUW1DANBgkqhkiG9w0BAQ0F + MIIDZzCCAk+gAwIBAgITO17BWkcdhfwmHN7ueuPziuUW1DANBgkqhkiG9w0BAQ0F ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAWMRQwEgYDVQQDEwtC b2IgQmFiYmFnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrRwJQT TIgSJPIiasB5P8g6BVsI/D/WdbmHatWqiLqH746AMo3QPE27AURnZr2iDkkDnqbD Y1tZKO5RPB5Q7PSR59RPrcx95in5/htnq2PmpZDCU1z7zAFHQgPPntTie5PdYGFw 6cyFqz9ynNMU5bCfLRiepocnSV98D9Px7sh6XykEHw7rDx/EuconT3Ilrge1o9F+ MWNaVAM9q0kgJZxr4RMyhW1uNwT42Fz1J0VjLVxcmtXY6uhG/TP5JW4XWYXgyy7I y1El2FO9K/VVxjP6nI3fzYVmKYQngXKrMGjOZly2HZtJhZqqHnBetplBNA4jXYcC - k7Z3n3dHJZfg9xUCAwEAAaOBlTCBkjAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB - EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB - /wQFAwMHIAAwHQYDVR0OBBYEFEqzrDFTAkmcTeNueeAlYZU+iGIlMB8GA1UdIwQY - MBaAFHhfDlp42GvkVHA9s93s9/Hy+sBHMA0GCSqGSIb3DQEBDQUAA4IBAQCCgLLW - tCBYZK+DatWaOVNiJdTxgQBRXtspGV79bejJgFV2YG9BwvacdKx3ZnCNiUprr69Y - WOjP/l9GP4bCKHNfrp6j79rGxe8MtxEWswF00cBj6QYZaWWjMXQS5G6NJqSAWlCl - cQfNSVMIgtD6vCf3ibyB22LDRYBokLFSK63B0y0OXbdGZYaQNVFqCXBPT5zhB3p7 - lZAU09PukACJI+7lfupW6Xc3Brhqnw9pkouNElBvMSx5rAcAxsNK4/Jkw+sQSEih - VinpFedAz36YufvpHUNOmYspiHFz48iGPAaNbDREEoDUSRB2PxXVMim22EH6iBXe - t1oEQxqwa0AMz5Fn + k7Z3n3dHJZfg9xUCAwEAAaOBlDCBkTAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB + EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB + /wQEAwIFIDAdBgNVHQ4EFgQUSrOsMVMCSZxN42554CVhlT6IYiUwHwYDVR0jBBgw + FoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAIeexc8w + hwtXqn/ptLV/dcKt+gsSOrMcZz36YuqxpMpuzCvoOa2tFFvi2AvTvGfvyK7Oa7ux + 
L4sJjVc81RxtyJJLkbdkHw3Wod4BeH7Wn4Ll1LusU1g6SeiuJo4uVLnWmEH6PXQv + +pEzsf1NTZxrga3SsEdrBq9GztHkKkY4vrTrZaq5uZIN+upV8doLMXGTt+1L0/mp + 2ukafqeW4W2kn3JCYi859PfJmGxayp4Cvw6xoF0ElHfgsTkKp0TxfUfVNzEYnZTc + ELVUVBO8bMV75SBBoZC1HpAwL752e9a613BFpdFbH/RMsRn4fs7S0I/SKLXD9ruQ + kDDPaMYBPo0ftuw= -----END CERTIFICATE----- 5.4. Bob's Decryption Private Key Material This private key material is used by Bob to decrypt messages. -----BEGIN PRIVATE KEY----- MIIE/AIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCq0cCUE0yIEiTy ImrAeT/IOgVbCPw/1nW5h2rVqoi6h++OgDKN0DxNuwFEZ2a9og5JA56mw2NbWSju UTweUOz0kefUT63MfeYp+f4bZ6tj5qWQwlNc+8wBR0IDz57U4nuT3WBhcOnMhas/ 
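Review bot: the matching KeyUsage re-encoding in Bob's 5.3 certificate, `AwMHIAAw` becoming `AwIFIDAd` (BIT STRING `03 03 07 20 00` to `03 02 05 20`), is correct: keyEncipherment is bit 2, so 5 unused bits is the right count and the trailing zero octet was redundant. The prose above the certificate is unchanged, so consider a one-line note that only the extension encoding, and therefore the signature, differs from -01.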
@@ -764,83 +808,83 @@ This PKCS12 ([RFC7292]) object contains the same information as presented in Section 5.1, Section 5.2, Section 5.3, Section 5.4, and Section 3.1. It is locked with the simple three-letter password "bob". -----BEGIN PKCS12----- MIIXoAIBAzCCFzgGCSqGSIb3DQEHAaCCFykEghclMIIXITCCBCcGCSqGSIb3DQEH BqCCBBgwggQUAgEAMIIEDQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIe/d6 - qDQ/28QCAhQGgIID4OAnlsZankpTStcSJpXiMtvB6Ol+f6XhgDJ5hOJLHyYerFHQ - 6BaMiIgPQ3ycT/UwYjtIE9yo6NxHz94jCsMM74OgzUMYc1b62VChOcADCRpZ2HYy - EGfGQPUdxKuOzbeS7O9LQNrCA0/B2y+Wtu4D+dthoO84KK9916Jq87+eDrA8qXQm - sy1jVGNBA6Y1n2DWAnR4H9+Ghm0tYCcRDPhd6togL533EZ8FsbGw/eZbkojyAYGj - wNjkk+DfJcIIxIxuN4OMY9lFnqakj3OcQA5vChL/2qa+DhkDAkEwqBKDwNv6eMol - gyvLbusIOxsPc9ejLPoXn4JEURtkInN6zUr2j9OVpQzjqaJx8lSwDS04i0fmUzqi - RzaCy3CKw2VQZyEfXmtbad2fVp7yXP/Bx2R0ddeCpj604PLPe0kxPFrdCIIVIg2y - CZmjcjvJJCWehiDHsmVvKVkfmthJmoS0qRLZ4Sc2AVQZwA30zc4hFEh6hECUBmS+ - v4Nlp1IOocSPLTW0nw2e/+I1+Y0nfo3wRpQMHNL5DHxhgRRa73IHKdpwY2dGOmw5 - yKzJnhJAVoiTIy1CbK3Rfd7buuWTpOyL14AbFFfW9N2LP8QWYWi0m/fZs/z7MPVL - kTi63kzk7jHpOzxoy8Xzs5QlrDQlTaDrG8yqGmVTSxvvGhx243xonNja1A8TWaf4 - 5GBuZwEDyehmyclX+G49rz7PewVyXdJuUDgUKub+Y/RTKUh55oGpbNKNK2WLIYgH - XOQRVJa/VZJfc9IDqF9ZfPiyVCACx3tSzqeCzNW8n2bvppX68vpUT8V2FSFBVB6c - +VcBNJ5MdpatpqH0CaBOmfWmOBA8him76FSSQokuANZhI+wxGw8+mvcrJTpZnuVq - xndKasvJxpHfARrgTk8l5ijNXnxrGzWktMH3lWbhJciIPtw4DJhcO17dhoptJepS - enF+cpZXRoXY5HsiengdGpDgXP7aiWIgrdrWqr1ktzX8o94+EKeZrEU0WoWDZHo+ - gCjtLUwKH6f/oyex2dWfe8ABDyjat/WZRFwf8qpJuE5vbL50VDNbLEAMgGFXPuE1 - ih/sgi7ZBcSmlY704dEpS6HMVcMGoMr3NPlLUruiYZanr3eYlWMd98C+FoJwb7Ca - RdDK/Ud1Q8E1GvQi+59cTBABLANiWPVsh7rWOLo4d84dJyiDcb2LAGNLxXN2uTXH - 1oadAPHVOwYSe6H1B67tlFJhivuRcS/dumTFUW4hI4HGzpq+XwnQFY/qBwjZsf5T - fIQgJ9+3wEx7w/AXk0wR0l+ITKLauH10IQFd4BEvtTOaZZIbR0Wf3RvJLaKGMIIE + qDQ/28QCAhQGgIID4HU6LzRSQpvpE9vk66QO5SwtHDR5cxPrr0a8GoNDS0qB0vzZ + 6qCUZsa8MBghT5JdWC5WmUK7LXSge9ZQYyutasw5aB74js4C5l+sQfHZ/Qpg98Us + n4kyQQDNUJSvA0dkEgi5G/XNeEl0OGaAY57Uus0dYFXYu3b04nvrm2UjFnayT4AW + 
PNrzs9pnuELccSg8FQDHPTa3xv3kwmtlS4fVLgicL1Vsq3uqtMYb8kiy0MRmU6JB + xculAl9ncpUH7CNWvHDR5GsZ2LLhaUewBsHZq4PV0WoSzoSyobcsx10tnsoH9pGV + 5fYLcgSKTmVz/5mDUdTjzCfB9euvLgPAMkwWoQFRNHxb9vbL9PVc+8tc5CgSMWcY + 0i5UQws6+vfhGynJuQAY4CcJIIa4N6Vtufr2KHWWBd9AbZcRlVIdU3lLTtRhYoJO + uiQ6FYCt8V+ntUB1CZyH1hmvw+QAenGoFK0vEa+u0/6QhrlrdlBVx+YOZjtYz8A2 + BlebHx4rUuJDX/ayVSXn9XxZN2uS5vRNjG0NllUBy5D9CL4LR3wEasfKRLTVISNl + TtZcBTkqvsclBWWQANyQJukavoDJMZ187RbB0Xds8HAGzXjZoXJPnFhjyEkQioWq + /VXDbONWz7jeqknaDZVz5RKC25y1BHH38+0atldF42/k0Xx4iii/fga3hrJEnLnF + gMkVipU6lwGbNOC80OAfNatJMws4kxpph02FZp9A0hkEeJ+eeDmYlIE8jFm9gSD4 + MgqznsdOAp0ispDqO0t7Z1YCM0IssO3j4edp8C8tBCdwJ/hOQZ1qCasEM4znG/CO + nESlEAdCJZHNz+2/N8LzVB8NpP1qiyqW2nJKXXaOMDQwi9qFDUG0n3yUpggF029C + c98g05SY3e8f/3V9cgtg2HXjtjeEHsln1SWdmfBB7mOnUdkDh+pmXZ4zB9BUuS7t + H0UTpL0WxUlfgIoz/uk2hi/vXAX5Q66SUqVFifMQtOlf44oYOb/JYOG9wSWnj2pU + Fih7Y66TYWnX2dEdUyIiPut7WNrBCHuAXmHoR8qZjGIxRobphKAgXu5nWg8vhm0T + woRq8pdO3uOGHIOOJGyxG4feVHRG/GstW+M6qdYO8/hLaZ4/ZShLxEojyrS9htXo + oFBwQCmMooC4smAvSFqhbrY9j5ueB3jCECI0sn72bH1nXNbkwonxGWEvRBBjvmFA + ev5xoJh9Jo0JydKWuI6yXXCImWVvofxbMsnrSY9XWd1gV1JSw0DlN2a5R12zqHaD + 6E2VkcOWOP6pnH1peQAjkFtfWByU4xAx1Jr91TN4r1L2DeVTV5nz6b4spl5ZMIIE DwYJKoZIhvcNAQcGoIIEADCCA/wCAQAwggP1BgkqhkiG9w0BBwEwHAYKKoZIhvcN - AQwBAzAOBAjiGuDSkfG4UwICFLWAggPIqZnFK5vMsK5cy32va9aHXHjKzzCZf/Zj - 5gFAAl2KMJZ04AyAFR8dLJxEGHUQgDUCgQklDf0RfmfxHjIPSaNirddpb96bJnkY - 0EkNIo0rsAfV4errJwZ2zItFP+h4jVMYM6FerKGP1Cs6fWf4m8SWIIJ4afGhh2wF - vnGs4weTulxxosmxli/Y/l+OxeGfhhtiCtTkiX01WcPNO5vkSsTIrZgxMcdVV8PR - Vwvf0NgY5zS55pkNVlZSmmAfm5uwZNDd4Wgdb4tC0mBLaXxmsxjSxVJsxoA94tqw - 2JkNo6jqRhyKpEJ+4cAH6e3YidKX7D0V51CItVBn+0GFHrEJzFkwtiaB7GYwBebZ - kKAILCFejgzV8iC18bvIFY7cRr5fo57+0M78SM/WrqmC9zbX5boQcwcaxR3cN7ya - wGcfZzAbRv+fViALCpARgmz9HnhNZ+PjFgfX7KrbyM7+NWILfJ6F9UTuwXW2OVTR - F4+WJaXry0pMC/0YHu+3Kbdf/J6hfgEPcjmeczFprMJPuWY1aoHySAGg4a+Ngb8h - OgvhvKQvh/HTgVDsVik2TWfDAgsS0NB61c1oi9fRLwuHOaK9jeR5I9i9/ZgI6K0g - 
xe/LgfRfVHr5awnO4akRE4G1Uh6cxwsQU3Bt2WOeXSO9jfofTfEaw7Tax5C0mird - GANd/5B14u5goMGRk3B1XOVq8G8K970rjGu2Zh8KCz4qGgWROvK+ee33K02gNii3 - qQis0ynO5b1ylpEMrOf+GegUbYm9pccduN03zEpCwNPnIY05pV95IxGCWfIcOJbt - c23RnXfqQLAlNXn4nrf9g9sxtJ6iecVjCHoJXrNhyMLy2uF2/eJaM4WWlBR95pSP - DO2u2gI0aEfCYXAN1CkhvhKpm/Zl8QHG7tXc8//U1bhWgpmx44+bXf5T4hG29HpD - Zl9r/+CkbWJofF/86FqleyFEhiZ9cMfznKuYtvegMhDsQ4z/YUU/2U0/hEhsQVpF - YtCCxcrXzXmwXfZZ3JrgYxbfRzc6UG9jhvSTR0fvKPfVW03qRC4Hxy7AjMOxbADl - GCh/NiYC+h07b3GCsHuJdRh87JyeL+x5Y1DNgcJdIzwEIetB6cKPYOX4Na2kyInk - LgAfwZGAQTHN1IXB4gbYUnfuYgzSIc07AE13sxORgrfRWL/xRW8egWyDIVkHKITJ - rM9Zzid+sjkGte3RQKTPw+wYvPAbhprlB92lxeB+gKlODVe58ZnpUALzY9+BS5Tf - EbIOJiHcjlr3vGTUBLp/xhuHpkzdaPysQDqE5vYR5uIwggOvBgkqhkiG9w0BBwag + AQwBAzAOBAjiGuDSkfG4UwICFLWAggPIECUZsKFZWi4pn4njlMf8F8r2T6iaGOjO + 4xVOkPFV8nC1gb/kKeZP6oSyEVahfb5/bzyrd7qzntTaSNdoVPf9aCGjIaxUAhd9 + wczQ91Efp5SJTGAzJmCiYlss3dmnKgwgc8XEnhp3VDjit3j6vzR+EEf23Qxgk0Hf + jt9N+oKD8otUr4kH1HJ/6qQEOModxiRi4kDbLfuRl0O17tyMPQhQjzntmy8eRBfu + 7JQrnnRvyuv/a/qgYbf0OVa+tcIHttAd+Vko39h0K0Y3A3TnwZkb+1mmi4XvMtWX + buOwrvQmvH3E/tMyQKlesJf0Pnk3tmKC5wCFZ4xiaf884nF+2QfqLZC7qD2yM8ui + 2KVsq+TMF+THJKYBqfAZZui8r30KlkXQClLkSkHwsUfJxKQsRjodS51UEPU0afgl + FEqGZEfRQgInuVhqyYxZodVK0JlGZP1a0n3u8EqmJ2Z8B/f4jBb9XFH7v64P0YHz + 1UH8smmQhmboi30XJwB6QDZCKR8xxXb5esQmAbUY0cTJld4nPZAmRqP38n0f4bC1 + 5bYVpUcAVcd+UMaO2acRTtIvjgFjSSO2Hou6/Ex7LVBzoe2mtAyguhOwD59nLxrn + FChSZCoUlNplU7akJCWQkrtT1tEIEdivZMHOfuluUhgzyzkWxKuppHJiFxki8vZ3 + YgKyVg/K+Tt/4W87c/hEiSWjDd1TEvYK/iDBiDiIuPgFxjUp/2Wmo4u26GskeOvU + v3PIvmmJoOskp2lOa0jNAd57eXcn2s92c0qqxIfWuEuOUBagfPIfyHTpyKNxi7qI + JKR20UtgiPSs9tvywg2h/Y451xXFNJuv4R1wxmSgKlv2lKf9OA6aq9kNIafHbhwz + Ilw/xl98xoncENpQzJkKAgySvtiX51Tq/A5lm9p23sUK8JdL+JtA/8yEa5g8eCj0 + MfcmNx1TlYCfHrGx1/ZdW1DGl4GHJIpllSLkHYxXBQ6sixc7GNJ0qkpRTeDRLiDt + 35yAsv7ESpp5w3/WjLAsPbPsaMVgQjOOhBwjkV9dOwFc2k44XcBjCtVTtTEuhN/a + LVmwgdH5LFV3Uyp5442Y8aWODlG0i4YDP7oXY3mBu4WrL6NlMlJOQNfz+e077+to + 
c1Bw4Fag9f8X+AiBl95HPG/sx8YKnVaID4rcxpyKOO/ONy0oShrkAmbQyM7hRe/v + fRL4lNB+fyK75vPGsp/shquhF9K5wZCulixVBQwze7q1CcGro2D030YdP/EDWexC + 1xoidBkqssem1oDx+OpsavtdMCDrft0/lO9g4TNnnB8wggOvBgkqhkiG9w0BBwag ggOgMIIDnAIBADCCA5UGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECEyHXPVs - ncxTAgIUQ4CCA2ivLIdvKuViOkHRZXgcOxBJkBxK2m0tDslwbMSITMi1KvQ7NVP1 - NngNw19Hsql9SHXPzSk46aalvaxH34WRNXs2GtZrWOFb5XDwuxqNcTOxGaxVsavG - X5psJ3ubC907kWykkqKIKhDjny8NkY7K1UcacWI8OY86WGgOUjryK9oCzIjVcLGa - pt1fzimZqezwx3ArSbekOUoCkDxLpPYaTbqMcogcp93yTK3SvaemkzgtKIVnVt3m - 6FDrihnUifcPzSrAUqZk3UfGeaELCP4Y9oIB5Xak4o1qI9h+eR82mzEKyoFfI0Z7 - FjGsDhNXoldLPFYZIDdja9ZQya7X+0AmDoTWzjTqY/efDeaD26Z7E2Tkfdp34XY/ - 3oDSKmggX8k48P+I1gWVTONmeIZm6i5iJs0nQJX0dsRfBgSXHvTjptejINuh8MeJ - IRiRA2YPtSqPSDAlcTC0HzEAlOMeZcKAfd/JbrXvgjK/MUDx1IRGgmUi5nKIaKpQ - YqZ8tTBvWSm86P+JhAlUH5RXZa7tnLsn3IAZ3sc7JnVmB1bIwVzNNLzZg5p4gk+c - 2gvHWecLTkJLrdpESKKJX4xvLomD1x4TI+YlKpCjnbArImlO99BsDPCBliRsGx+u - OFuVWXzdgLBkz+UN+OMQs4pBhMGIFDA3Q7VrgXtbcik/LAWTECEhTR8Jf/d0xeaz - +d3e+VA7lZlyELr4pBlqelHD89a+8UtHPGR1esw3EID4h5nt1oP2S8nGGcyYwd4b - sX7AAXV4sozPIjSsyG1I9N7QYCY7b+Cyrdvy4JSGVa7vz+7q8IHs9K40lG1kKUv9 - p7Y/w0vdfPWhT6+NZvlXsQknYBR3+IPXlHDsqwNB8oYA8xtYsy3SzBi+BZyLIiDa - SkeJ6RNxbjYIRBqPckCW6XmI02unKbiD0E2z919GjtI10hx6dzgdhAEDnzTJ0NYA - vT+v4W2dXDTmZeJD2EYb9r2GFFUErYsEKzBgRv21HmJlZMjk7lM+XbirRoSJb715 - VrH+bRdYnBAOEiIamsND3wIq/LoZ4O/wQqeSY9eaza7qEtVzZ8d+r7qqCQkl8lQG - iC7Ce/VzaSZ8823m9LoMw2AX8Us/bdT5kR60w+WMYPrq5tky9XYLILuTh1bwTSps - AO4NH42IhpH2Tg+mmaS6M2MQzDCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCC + ncxTAgIUQ4CCA2jGt/qN+nxrXgh0JNk53ykzmi76tkL8Rwu1OfRyalJElUvfdDTu + O+nEpGRq0rCvD5nUL75s9opbRwlGs4MK5oj9dgMFa8zUiA7Ef6eDjb/Ak3xDoXLN + a91AgT/Z5x68AxPQVpU5lPOXxqm+JD7NsfVKVASB7wDx9sx8AlsxbmkRcfme1dBO + p/iY9mim7y3wmd+t6D7KPjiaWxwsCALS8O1Kit3zmIGvB2GnB2ijFommyqydbBM5 + Vg7nXYqeogBN/wY/vr8u7g+rwdroEOqAvflqZXBDecDoCbNpI+uFl8VeufiAKNQ3 + TEPsO9EO7OU39aQyO/oMEqY1hDidzF0CHUaFUB/GMNONSulhFCZT7RIUsQ8L2BBw + 
E+Nd5N/XOwtKY/PWzRbBXqSR1QTEOmOzQ6ilPLboxn33ngy5n/6aN6HgUAyPqJ3M + lijNnrzyDTl8emk1KeEmny4pBRkYGj8WZfszzxnccZput4rGlhggQPjx/sjiIdPP + R0bj0CU+b3TFHMUCX9g6AzSqpkAiAFYb2ChGyRGbitdAilc71GnsIBxSULHj7EoI + s//uIPguDcDS/tdlkcE5MeUA5LJ2OtmFAEZFtYOM079MM7p5YJlmnmmq3olvf8BH + 4Q3aZhQ72hZFI+Ug8ZSFMWqj8tsV8d409b+ykvYTHpZTScDXqGDmKFFlqXx/pSRn + Jxo3A3feSEEPlKGJugx83o38v1o3ZpU9NYZsueUp8+6Dkb7dwLhcfyORKd6TSfxq + ePYtMz7XjZkrQcCKBeiXtyNoWgsFw/yIAi27c5O8nAd3aUjQc9p4noOHL2qFKa+C + DM0xgQqyLWDAVJEuWFM/gX+FZCzXpaSGcKt2DDmrsEPyhv32ay3FQpj86S7WjVw9 + MbkLe3USnRo6HaoLVh6oQNAkkE3DByvbEaAgAIIHUc7sG9G7Ma1tDF6zqHEs/hPc + 9B9yzw87ysdpuCTLxANryf2rODY/kRGxbo9plwQYO2qEmEIWNZiBCrs8L6f2GEDM + fpPBc++q2cs6VKNuG8V9f6oBFrUBrCKpXItNus69+fHlsdjDcrx1cK75R4boyEcy + G7YhyMoHw7wrxFRPTp1ZCVqShPepiMilgxerst39aEgpflmSusZEEbMTxei/9gKY + euKDZiqVlw8IggZ54p4GWJGi3jCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCC BX0GCyqGSIb3DQEMCgECoIIFLjCCBSowHAYKKoZIhvcNAQwBAzAOBAiO/0ICbTbZ LQICFOwEggUIFwT/JI8UjJQPfYTFonJEo8zEbpYWXKboqw6/zZsMGmAnUPgQNQDx yuLVprs5jUc437kVB2M3F0x8DjmEppebtHfIoyjoXF7jdnA4EF38tsso0K1nMPmS gl02iYZtOqsOvBpfeO5Hj4Ovhi26J9PzTwPcgl3QQPqfWv7CwgGVn4/hntBAriPS E4gAlfAcqkxtJBm01QwDoAdsOKOMsYntgWajpr1J3Hm+34NPL04Usf1OpcesPUJ4 CBxNyLXxjjsOzD78WVvKY+N+j89xTsytz5Y0fEkFqrcl8pgBQxH72jBwSCm5YwHz 3BhWQgr2bpWJ1f2LWcVsnrN9tx6RhQtAAkcyNgX/ksp5EW4JTo+o6oXLRhXIYauR rUrisMY++b8ZJTp6C1t0RW2QdqgMZghSZgaW6FSC6Dy2Dd/ezdkYUCgiEtq8eSxF /8WDw6Va2iGVSNt4/p/OJ97yN5yOJ0K1g0hATebU+I3E74PQ9RK84FfJvyHDBC6f vYZW/ouMcgp3YmAF+dTm74Hq88X4daV+/UPYf/cVpyiwcBTg6H3jrkrs0yKoWLIf 
@@ -886,110 +930,137 @@ jbfEdek30WiLR+ChEvEp48Mla6UVTLm/mjziwbsxm5QlGccmz13e32RiyrfseB+R yllmzeJtydP2IHkWK7pww9yOlPK0QtZs66IGZKqeXrWBk9QFYDX42gAy/xTfglco 4KO7akhp3UzTIQyTXnt+OsOScc+ArVm/dwClm+ZxybtOcVyadjpKWydyfAr3aTkG xX6RmHrEWr1R9BnMGPYesDs+yeVNs1QdDhff/bQLwCLXdGLWwLe6kitUiyi8F3bd fPjR7R61lEUvJrBm7YLmgdxRCJ02LFLGn09iSMNe5vmiNaKiuzfb4Dp9dqEMhmJf dsTURagfJIyqULoe08EIIozahivbzoWVA6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAe XO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVzPOmXhN53pDhlxkw0btkKblYA9CvP+kzg wekzCy/Mlq/HbO38CV1NKzay3yg4ntehJ+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhme Nd14Y65D9TlypM/zrXSyGoOqZgSA6HlAgogzwwSaGwx9n/o6czE8MBUGCSqGSIb3 DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFBfFhHvQp+92kDi4s28IvJK1 - niuUMF8wTzALBglghkgBZQMEAgMEQESULk1nPh/xbTET83QqxpxbEpCxkvY1zrpc - aWzzbehThKle6bJRDM3zlpr0dHs8Qxs3ocSpAQ1XOXjuXlqFfKsECJ1vqXe6ro0F + niuUMF8wTzALBglghkgBZQMEAgMEQBS7n+ELEEn4DxvxQtrFdK1yyK4ib8dvtnLQ + leuH3hK8w9YNLhkfnVb5+oJiDceNqHIRBkrqZXzGf5yRd5TnxgsECJ1vqXe6ro0F AgIoAA== -----END PKCS12----- 6. Example Ed25519 Certificate Authority The example Ed25519 Certificate Authority has the following information: * Name: "Sample LAMPS Ed25519 Certificate Authority" -6.1. Certificate Authority Certificate +6.1. Ed25519 Certificate Authority Root Certificate This cerificate is used to verify certificates issued by the example Ed25519 Certificate Authority. 
-----BEGIN CERTIFICATE----- - MIIBcDCCASKgAwIBAgITGz6zL8fCL93bElmwkKaEVA49zzAFBgMrZXAwNTEzMDEG + MIIBbzCCASGgAwIBAgITGz6zL8fCL93bElmwkKaEVA49zzAFBgMrZXAwNTEzMDEG A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA1MTMwMQYDVQQDEypT YW1wbGUgTEFNUFMgRWQyNTUxOSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwKjAFBgMr - ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNDMEEwDwYDVR0T - AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQWBBRropV9uhSb5C0E - 0Qek0YLkLmuMtTAFBgMrZXADQQCpSPkvILHd5nLh+YT34REF0VVphNaxdw1dnx/J - 7BGYvgKOObND0sqpkpc1neTiIi9gdfs5zSIak6TnVDdiuccK + ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNCMEAwDwYDVR0T + AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGuilX26FJvkLQTR + B6TRguQua4y1MAUGAytlcANBAMI9vFSXNfqh5gHVsKHmvMOW1pK2DcDr1GVcmX07 + Hnzi32c/0QVbF3NoHdkpGmjY0P5fpT+SyWfOXwW+93fMvwA= -----END CERTIFICATE----- 6.2. Ed25519 Certificate Authority Secret Key This secret key material is used by the example Ed25519 Certificate Authority to issue new certificates. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp -----END PRIVATE KEY----- This secret key is the [SHA256] digest of the ASCII string "draft- lamps-sample-certs-keygen.ca.25519.seed". +6.3. Ed25519 Certificate Authority Cross-signed Certificate + + If an e-mail client only trusts the RSA Certificate Authority Root + Certificate found in Section 3.1, they can use this intermediate CA + certificate to verify any end entity certificate issued by the + example Ed25519 Certificate Authority. 
+ + -----BEGIN CERTIFICATE----- + MIICWjCCAUKgAwIBAgITDkECFedCINX+zN0f/pVkUiFMXDANBgkqhkiG9w0BAQsF + ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 + MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIwOTI3MDY1NDE4WjA1MTMwMQYDVQQDEypT + YW1wbGUgTEFNUFMgRWQyNTUxOSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwKjAFBgMr + ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNjMGEwDwYDVR0T + AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGuilX26FJvkLQTR + B6TRguQua4y1MB8GA1UdIwQYMBaAFHhfDlp42GvkVHA9s93s9/Hy+sBHMA0GCSqG + SIb3DQEBCwUAA4IBAQCTvPF9jV7E18mX2ps6jgSz8QizMKiSkd4Yayyc30jx6etl + BMC6VoUYbN+aLgD9SxJOFVnj8+Rk648nHc5Bgd1myng8b/oBYis7SIdveJazdsPD + 4lG4yzsUItDxs12HYSlVlGK0ce75CTus+6DgVxZgcaCdeO0SnVL+QXBQLzvyUgtJ + jFrPA6f2C1jtIfjGwqmKYK5ZaJxmloqUR45YdUiuWbLsc1dvc3n7hvpIrMk/626M + U+rfkoKOf/gSRxR3nc1rxpVcvdT2esjnF6Qn7K37wL461jWJmDbISwjVQJbZVyxI + GDpwg8nWGPe9iagwV3MJMEPVNBzc1fIHQ1Hsz4Q7 + -----END CERTIFICATE----- + 7. Carlos's Sample Certificates Carlos has the following information: * Name: "Carlos Turing" * E-mail Address: "carlos@smime.example" 7.1. Carlos's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Carlos. 
-----BEGIN CERTIFICATE----- - MIIBqTCCAVugAwIBAgITfTA2/ZV2DbKUTmbWgsuSzBMGCTAFBgMrZXAwNTEzMDEG + MIIBqDCCAVqgAwIBAgITfTA2/ZV2DbKUTmbWgsuSzBMGCTAFBgMrZXAwNTEzMDEG A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D YXJsb3MgVHVyaW5nMCowBQYDK2VwAyEAws6AMizeYchNhE1g75Gc552urn8e5Add - I/IAppL3yK2jgZgwgZUwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA - c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAPBgNVHQ8BAf8EBQMD - B8AAMB0GA1UdDgQWBBRkheM7nB1azeYLuhp/CL7EnMyEPzAfBgNVHSMEGDAWgBRr - opV9uhSb5C0E0Qek0YLkLmuMtTAFBgMrZXADQQDHbvRfqrivP1YFE1vR4s8IxQba - mPgWm+bh1bz0WQZEJx27+HXSwcQq1OaigzpNX5x/8fXy3Tdfyh/syZqkGwAD + I/IAppL3yK2jgZcwgZQwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA + c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMC + BsAwHQYDVR0OBBYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MB8GA1UdIwQYMBaAFGui + lX26FJvkLQTRB6TRguQua4y1MAUGAytlcANBAAqOV3znya6m6uHwPVPLzcj7UHwV + GuFHnMt23KCQchRicDJjRWZuTVw4oQqq5G9deVqJee8T2cspxkmFdVGWxQM= -----END CERTIFICATE----- 7.2. Carlos's Signing Private Key Material This private key material is used by Carlos to create signatures. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY -----END PRIVATE KEY----- This secret key is the [SHA256] digest of the ASCII string "draft- lamps-sample-certs-keygen.carlos.sign.25519.seed". 7.3. Carlos's Encryption End-Entity Certificate - This certificate is used to encrypt messages to Carlos. + This certificate is used to encrypt messages to Carlos. It contains + an SMIMECapabilities extension to indicate that Carlos's MUA expects + ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in + [RFC8418]. 
-----BEGIN CERTIFICATE----- - MIIBqTCCAVugAwIBAgITqKfyfNYXEMyA0hgjaMFYQldVQzAFBgMrZXAwNTEzMDEG + MIIB0zCCAYWgAwIBAgITazo1UrK0irBqUo9n7eep3mSynjAFBgMrZXAwNTEzMDEG A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D YXJsb3MgVHVyaW5nMCowBQYDK2VuAyEALmgxzNMgyJ11NRhNz9bKYSpfDyFmbVBs - jPbFfaAUPHSjgZgwgZUwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA - c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAPBgNVHQ8BAf8EBQMD - BwgAMB0GA1UdDgQWBBSBKaD6I6BLIIwNeADe7doWyzQluTAfBgNVHSMEGDAWgBRr - opV9uhSb5C0E0Qek0YLkLmuMtTAFBgMrZXADQQBAEptLosUVLmgSGgX/KBtx6end - 0GlzlW+uz/tkIV0FlqKwrOXt3ixbQJ1dTWBnKdpxKxOwwJrfn5/01YgzUJ0E + jPbFfaAUPHSjgcIwgb8wKQYJKoZIhvcNAQkPBBwwGgYLKoZIhvcNAQkQAxMwCwYJ + YIZIAWUDBAEFMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUY2FybG9zQHNtaW1l + LmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgMIMB0G + A1UdDgQWBBSBKaD6I6BLIIwNeADe7doWyzQluTAfBgNVHSMEGDAWgBRropV9uhSb + 5C0E0Qek0YLkLmuMtTAFBgMrZXADQQB2O4eB2hfCrKfP5yIwwRVXSFBUKqE97Twt + xXgQ8/YSpsjVm81NC1vwOCP+X/W7ERF1NVTY4WGHYsK2r5rz62oN -----END CERTIFICATE----- 7.4. Carlos's Decryption Private Key Material This private key material is used by Carlos to decrypt messages. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK -----END PRIVATE KEY----- 
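Review bot: the SMIMECapabilities extension added to Carlos's 7.3 certificate (`wKQYJKoZIhvcNAQkPBBwwGgYL...`) is mis-nested: the extnValue OCTET STRING `04 1c` holds `30 1a 06 0b 2a 86 48 86 f7 0d 01 09 10 03 13 30 0b 06 09 60 86 48 01 65 03 04 01 05`, i.e. a single SMIMECapability { 1.2.840.113549.1.9.16.3.19, AlgorithmIdentifier 2.16.840.1.101.3.4.1.5 } placed directly in the value, whereas SMIMECapabilities is defined as SEQUENCE OF SMIMECapability and should read `30 1c 30 1a 06 0b ...`; a decoder following that definition finds an OID where it expects a SEQUENCE. Suggest regenerating 7.3 (and the dependent 7.5 PKCS12) with the outer SEQUENCE; the OIDs themselves do match the prose (ECDH with HKDF-SHA-256 from RFC 8418, AES-128 key wrap). The 7.3 serial also moves from `AgITqKfy` (first content octet 0xa8, a negative INTEGER) to `AgITazo1` (0x6b, positive), which fixes an RFC 5280 violation and deserves a mention. The new 6.3 cross-signed certificate checks out: same Ed25519 key and SubjectKeyIdentifier (`BBYEFGuilX26FJvkLQTRB6TRguQua4y1`) as 6.1, an AuthorityKeyIdentifier `FHhfDlp42GvkVHA9s93s9/Hy+sBH` matching the issuer of Bob's certificates, and notAfter 20520927065418Z, bounded by the RSA-issued certificates rather than the Ed25519 root's 20521215213544Z. Wording nits: "This cerificate" under 6.1 (unchanged context) is a typo; "If an e-mail client only trusts ... they can use" should be "it can use"; and "ECDH with HKDF using SHA-256; uses AES-128 key wrap" reads better as "ECDH with HKDF using SHA-256 and AES-128 key wrap".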
@@ -998,118 +1069,123 @@ 7.5. PKCS12 Object for Carlos This PKCS12 ([RFC7292]) object contains the same information as presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and Section 6.1. It is locked with the simple five-letter password "carlos". -----BEGIN PKCS12----- - MIIIxgIBAzCCCF4GCSqGSIb3DQEHAaCCCE8EgghLMIIIRzCCAm8GCSqGSIb3DQEH - BqCCAmAwggJcAgEAMIICVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R - pT1mkyMCAhS7gIICKKwyttinvdBY3pNtMUJ4/G6tE8tBny4Xnh5vONwv0SU1nPzN - NKDPjaanMtw61VEFsQTJOTktIeNVV8uzT1a15/A9ax7U+70Mw3zwiXsyzMxEd7ry - Qmj7djYjx5xQ+UsnBgzrjapUSYmryDvYqEuig27O9Q8zaxdMd/wep3OGeaa4jrXo - dEW3iXBEkjH0wvCc9FV72z5AGMQzvz1dGC+cjSeJyvNvcfqkifhpPCmdM1Wltj1J - aejep+P21+yZRle9mDYSgiwWOzMcOD7hLYOEo81CvNmPtoYjctm3L7okSwS6lVoA - pDLoIumlHgvA7jMWOUM5VkW5ONrPREB3uSQnP2CoKJjmTYQ1VupJl9/Gfltj3O5c - eX5/gsU8q/G0Bti9hpEV5Cu83hnz6Zrb2LzIu0TpyYsjslUUs3vkG5fTBkCcjWkM - R40VTz5kxL16U1px1cDGQ50Fa1qISXMzBsXV38gSGIU/qcUVPtuTZzNckFrcQDLs - 4IxjUO+ijnh5oHEHdeSBM9CWzMsq/agNihb0dO4uC/VLtwh+TxLiTOrMLrAhIpqx - NUDo8jyYhn0/GQNQJHBgSn2GIoUpC5CLOBGw37LxXqvJqNeuZ378mTO1xbc10MTo - TBW5aZkNZPJsx59msjJVXZjTr3qZ7AephyEWJEJIyJbzNVbvLP+qBWzie4avydlJ - fpYqjoWQxsJBcY5vjVDl7ofF5kgRLZkz++GWPMYACfgqf5ZcMDCCAk8GCSqGSIb3 - DQEHBqCCAkAwggI8AgEAMIICNQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI - 4zNcyy17/xoCAhSUgIICCO+ILkjMy7C90J/ATzaSEgL69GkwwyuZbTo/YwY2fq/E - NNrBt/RMcgRLgNAWw/QpFI9QhwjAicFscq9V7NXPpVCd9x/cX0qbx+EA9k3UdSBJ - NyF0rOX0ZkrXJAUuu8aO41DaSpbUshJhh5hx5MRqbANlaT+1Q7D+k9vz3zcpO3wx - zyHqNYxmZ+x1ExxiCxmLTxTwLHsJnFMamYuP7fBT5A34iYZdtVwotA/ussPx/HXP - n+KAXt1QQyvEb7kch9nJEWAmuCjdpIvf2AQCTSHp+WnDB/Tg7pEw8RT+HIcAwbXd - 8AfhZmncDCOmNKe+4HPrp8R5CXwz7tpOqo/EqC5x36ak94RQXh7QM/r7thL68d1U - VL9Vx7LnRLjsQAedSHXrKyYShluzTLbJNHLDVnYBT1m1WyO0mDRm4Y0SLUiJ+Lud - AeKlVMJV6H+BeyxsXBSRQu5BHI8XhO/gQh00dmXTT9plqZ7V44qRHpYqeeoHYzZO - G8gPoCQ+AXCWmrctugcDu09tgbpGkDOFI+J0mAJz/E3vkHJ7T92TXj98Bf/zlKEX - AQGvaxCI5FpT224x0DBF/z6ZxWKZortuaxPhChBqrZ14qdBVdnXpgdoFUY9SLAn8 - 
hthwn93in0IFHHdjRgaxR3c0TE0a28xwQpvI17w5t/Vl+WGQ8GHmPAzFUDLO33oE - mn2FmWVjMWswggHvBgkqhkiG9w0BBwagggHgMIIB3AIBADCCAdUGCSqGSIb3DQEH - ATAcBgoqhkiG9w0BDAEDMA4ECGj2DS1DJhO/AgIUgYCCAaiPztSEqZVM6ghfLfK9 - UFKypTE38W/ozxw1QDOKxETQplu8iDrsYI54EbU1w6g6vWxrhHvIcJEMPbnUX7V2 - DQwyi/Hd3ad0EdQ45kGb7mNciltIuDGPrFrBqsPEx4hDJGjePIvgEXDpj8szxJwQ - wq9WbdPq2pH7uD4Va9+HbeJjRTP7CP8ceGAO77zfAU1MZl7n+ydptAwVN3Ex9GGc - jbs0yocOXheRDYK8U1Hl22UjQ5OtXA83DID8QeLr+NNFIlwcYJEPM5kxKnBIcngP - utB3SLz16w8eap9yfHuVwdr1dI6rn93dcFix2ympTJnQLNSVEPZS62cydmWOYKUo - LyhuYfM7ZnuI1vOWl932pgkIHdplfkmygB+OE5w9NXhv5En6tqtISNdJcpfB65as - E8orGVDrQeao9E2mVTAFgiHHLCKcsbL4n3OwG83I0fzEja6yLyDzu/hGyMh/Jyuf - rcJGgMWrn2/+2TVzTVUcvcTFsypfaPAb6UkEvt5h+2xatZMnJC5CkBY+yzc3ahqN - GtgFtEf7RdDZK12+IA1qxrRkNSH+DE57xFLGMIHEBgkqhkiG9w0BBwGggbYEgbMw - gbAwga0GCyqGSIb3DQEMCgECoFowWDAcBgoqhkiG9w0BDAEDMA4ECA2F84MR3NKt - AgIUXQQ4ISoWJ7Wl6JxL05Jc1CMvBs3eQ7yVgzYep5JmgQonglIWVXWRZbfHB+7l - pkqsYRgF8Yx3yt6dGKMxQjAbBgkqhkiG9w0BCRQxDh4MAGMAYQByAGwAbwBzMCMG - CSqGSIb3DQEJFTEWBBSBKaD6I6BLIIwNeADe7doWyzQluTCBxAYJKoZIhvcNAQcB - oIG2BIGzMIGwMIGtBgsqhkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAg0 - VyogQx931QICFLUEOBmu4SxJoFj4Kb1YpHweEfcleH4CgxKvCQMIrK1a34w0hcHS - NjZBkcNs3e4WfuofDTowO2GcqeJrMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBs - AG8AczAjBgkqhkiG9w0BCRUxFgQUZIXjO5wdWs3mC7oafwi+xJzMhD8wXzBPMAsG - CWCGSAFlAwQCAwRAit56S2r7yFrpjMaCK3ybG63nQrjdqKEIHQZSMvr4UmbA6u1n - tadRca4edJMDRdUIRFckfpa1qHI9YWBWGP4TFAQIkONpmR/LgWcCAigA + MIII7gIBAzCCCIYGCSqGSIb3DQEHAaCCCHcEgghzMIIIbzCCApcGCSqGSIb3DQEH + BqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R + pT1mkyMCAhS7gIICUDFhZmrEWCDBUJidtT/9T8JVj1+gBWH+LyGcyCoK6R6HK8hl + Ee+qT8jI+cIQ2J4FCz+ZZyHZLvp5EznQk02h97rTkXod3yrrSuBnfK54VlPLZSwN + hfEc8b4CX8VeQwMdLu/b8G6GFzmtK9Dhnb3UF+3PCc9YSBqyBdGLPghhYthxyUit + WLy5GhtoLhjrkgxriMUQurH6Gyh36o0wZdoVXLXUyUYjNZlHgZzITf6g0h5rX125 + 50UjF+HU25YOoDuE5GEMcT732wWCKPajNKqQSP6WBOYifKtZ2OnNYG6/x6xEyLgg + vrmFJF9lVfqkHHhdiQ1yZ3GYF9oEYRVZsw283kXMP4Gb9avdSu5AGhWEsF2Z5K9v 
+ WoNOYNQy9Q0RJFDV2mu6CAe/ExToSp6Zq99o0hH+3pDUSuWAmZk6xOa/HUYyDxw+ + dJHCaFTNZu/BpmCOH+jF+1hbkJsA9KxYzgrbMowdQQec232saG25I1IUo9zM5MMw + SQ9n21ISXbY01rqPOpTY23pbbKe8uSLFZlrWmMMOBidhVvqrJXhy/rL0+C+SvTjx + OA5L/phGXa2HmXD/xnaZYg7EzNLtlaEwASlwyfo2NTDuNdmIBmWeVrWZbH4ETGVJ + Qk/dnkUnCX1yimeYek+N3H4826AC2dQy6MvPzoI7XznzT2j3CoNAjANwVbQwtMSh + DRBM5jk+RMJDeFVn/l9+obwXW/w2ucwxfDi0PWDnIt19Cd27oEzk5QKcAWxm7s44 + FN2fr0cz8VQ10ozXVp3xLKfh1BOiThGIocO1sgcwggJPBgkqhkiG9w0BBwagggJA + MIICPAIBADCCAjUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECOMzXMste/8a + AgIUlICCAgjGICz00XOzEF6f/F8s7SlV8KM+WLuelXUIjGMSsX9Xd9l9aQemTh8y + n5+XyoNKXfrUn9UfEfpoKr7Y3Xz4L88/fsuLALbLUpDRMW/C+sPp5H/63aI+szyk + lnKpJIxLpMjlfXDSEafPszf+2ckBgyImQ8+Wqf3J2WryXobhrvXFR7FidtQ0GpDk + WND6DY6Vdx5pdIV8sLLvRiawV9cx0rAoMItPe8FbSXVCP7JJ5+LyABnPHlfUySQS + EPOkEc5XUyHigwkvhHweIDe0jiE987esjPsnn6hgepYZjx/YGilFUVrShblj2TMV + YYfu4FMxaeFR3/kGITVXgWyMJumBS3WfzdmJ1wV2qFl3uk/ONOpCqnwA+yj8y+Kq + tX5Qz4qPkFqjs/9yQmDYQbRvLuTdcZwp5bYd8oQACDCek+OoaR4EWhbYAet3xA13 + cULY2g3H+p8pVBQC6ANDAY4hVbqoEla3O6i6ZUv2galjze4bTz38Z58vd43Q796k + Kw3NMdUgkfyU6rhRimMH/GUjyTihEVyLokc9NPJS8mhXblr0WAvY24KhBxq/plf+ + N9Dp2XHLAPK2N672KGGbZTPf/x1RPprsKF0lcyueLE4pVLpX/GEHmm0H++XYMLzW + uc0icZQt7pERKa5zPKhp3I756pat2gvjMPeL1hl8zHnK+Yi9NbYj2kAO3K1bgz2K + MIIB7wYJKoZIhvcNAQcGoIIB4DCCAdwCAQAwggHVBgkqhkiG9w0BBwEwHAYKKoZI + hvcNAQwBAzAOBAho9g0tQyYTvwICFIGAggGoKzdhPK62x2hQseNPvFp4RUVsAToT + zZLU7WKZr5JnbsUt6wnc/QrrTDYuED252Tr0XP1tn1dEx6Yk3QqN5011tpjupiDb + 821DGT8OwwrYTWOKZpoLiQ17bI35l5Bz/pY03ZHgy8TIH3hJAsUdxnAHs4ASr/ZG + SkCI0aJosqKTbbA4Y6dBNPClqjG+b2sBncIwedKTXgHO/B+HHJoXtRbl+YZ1CNyq + lZaIeWouRCccrv6XnPdpjtv3QRxRlvCGg40bHhpqnXiDcLCk32Oqxux64skF6Wt9 + m9Ij05qtGBU4bXCTVSUaUEOf0kpxII0drg+B/eZbOfDwFmgmvOh3zTdmOQhh01CP + zbeoOdBm3K/L4XJhTV3kh2UKURoQ7+E67nNeiLtbdT8CIhy32oS/IG2gmGsIOeuR + 0quFD+Kpq7rzIobE1JEhlzJV2pGBHEOwKL/FAo5HJ2TS6hw1w675DtjaqqBYwjfp + vgket8WDrfD8eYH4GJ3GSoM9YgNVmYjHrO/c95GOBeoe9k0u/+DitqVPa2/ljw// + 
vg4OHw9HymnWgTlwkFPkpHRE9jCBxAYJKoZIhvcNAQcBoIG2BIGzMIGwMIGtBgsq + hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAgNhfODEdzSrQICFF0EOCEq + Fie1peicS9OSXNQjLwbN3kO8lYM2HqeSZoEKJ4JSFlV1kWW3xwfu5aZKrGEYBfGM + d8renRijMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBsAG8AczAjBgkqhkiG9w0B + CRUxFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwgcQGCSqGSIb3DQEHAaCBtgSBszCB + sDCBrQYLKoZIhvcNAQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQINFcqIEMfd9UC + AhS1BDgZruEsSaBY+Cm9WKR8HhH3JXh+AoMSrwkDCKytWt+MNIXB0jY2QZHDbN3u + Fn7qHw06MDthnKniazFCMBsGCSqGSIb3DQEJFDEOHgwAYwBhAHIAbABvAHMwIwYJ + KoZIhvcNAQkVMRYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MF8wTzALBglghkgBZQME + AgMEQOSgOktGopSxl70faInHLRayV1vh25vqmy1fdnFkgJRwJVNWL14k6e17jAUO + Rmu50E9sjz9BDZTUCoftLEstD5AECJDjaZkfy4FnAgIoAA== -----END PKCS12----- 8. Dana's Sample Certificates Dana has the following information: * Name: "Dana Hopper" * E-mail Address: "dna@smime.example" 8.1. Dana's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Dana. -----BEGIN CERTIFICATE----- - MIIBpTCCAVegAwIBAgITpJvJ/RfYIwaHOq+JHuYw2w0HKzAFBgMrZXAwNTEzMDEG + MIIBpDCCAVagAwIBAgITJJvJ/RfYIwaHOq+JHuYw2w0HKzAFBgMrZXAwNTEzMDEG A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE YW5hIEhvcHBlcjAqMAUGAytlcAMhALLaHeGGRooNjrs+4K40ueetCId1JZik+WAW - w6J/zm+uo4GWMIGTMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt - ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB/wQFAwMHwAAw - HQYDVR0OBBYEFEgDhsFpuHhtrt7zzAawM6xXMt2WMB8GA1UdIwQYMBaAFGuilX26 - FJvkLQTRB6TRguQua4y1MAUGAytlcANBAO1JTk7QtXn5yCwgjVRYMzwY6vCaxR0v - yNVq04iiXCADZWNyeBt2rvpTwJ0j5ky5/OzJygrhSmkxoi1ySsvypgw= + w6J/zm+uo4GVMIGSMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt + ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAd + BgNVHQ4EFgQUSAOGwWm4eG2u3vPMBrAzrFcy3ZYwHwYDVR0jBBgwFoAUa6KVfboU + m+QtBNEHpNGC5C5rjLUwBQYDK2VwA0EAbT5OedGDjT2UNivGqR7NVb4UVd6cRPM/ + 
yEuJ6P2k69jq6tIutanF1HAskHIOi3dt5IENbgCmdOrCqDYay9rdAA== -----END CERTIFICATE----- 8.2. Dana's Signing Private Key Material This private key material is used by Dana to create signatures. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N -----END PRIVATE KEY----- This secret key is the [SHA256] digest of the ASCII string "draft- lamps-sample-certs-keygen.dana.sign.25519.seed". 8.3. Dana's Encryption End-Entity Certificate - This certificate is used to encrypt messages to Dana. + This certificate is used to encrypt messages to Dana. It contains an + SMIMECapabilities extension to indicate that Dana's MUA expects ECDH + with HKDF using SHA-256; uses AES-128 key wrap, as indicated in + [RFC8418]. -----BEGIN CERTIFICATE----- - MIIBpTCCAVegAwIBAgITC+vfipqj1grZL8ViMpnNj1gd6zAFBgMrZXAwNTEzMDEG + MIIBzzCCAYGgAwIBAgITblJdPFwwrKiKmpHj0REce7n5NTAFBgMrZXAwNTEzMDEG A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE YW5hIEhvcHBlcjAqMAUGAytlbgMhAOAxojYBaRT0sbwK9pEeANIRj13vZjwQ1l4z - CJs+6CRUo4GWMIGTMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt - ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA8GA1UdDwEB/wQFAwMHCAAw - HQYDVR0OBBYEFJ3fTdQF75rsYIa8J20E6c5a3I+kMB8GA1UdIwQYMBaAFGuilX26 - FJvkLQTRB6TRguQua4y1MAUGAytlcANBAD5H9BEI9UMNr17ZTPgcUqP7Lj4LYpmm - AMjqTuul+fQWupaq81D3eqKH/+I0xBgU7tOm5daFOcylUECUppIxIgk= + CJs+6CRUo4HAMIG9MCkGCSqGSIb3DQEJDwQcMBoGCyqGSIb3DQEJEAMTMAsGCWCG + SAFlAwQBBTAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSBEmRhbmFAc21pbWUuZXhh + bXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCAwgwHQYDVR0O + BBYEFJ3fTdQF75rsYIa8J20E6c5a3I+kMB8GA1UdIwQYMBaAFGuilX26FJvkLQTR + B6TRguQua4y1MAUGAytlcANBAIip5JgJkZjKvC3pHKckgOnBxZbIfzNgJ8c65/Bq + ce91uhvjbdiBeJPAz6a/GB3LRlrV6Q/TEtruGKDC7yYNLgc= -----END CERTIFICATE----- 8.4. Dana's Decryption Private Key Material This private key material is used by Dana to decrypt messages. 
-----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3 -----END PRIVATE KEY----- 
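Review bot: the new sentence in 8.3 ("expects ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in [RFC8418]") is hard to parse and cites only RFC 8418, although the SMIMECapabilities extension itself is defined in RFC 4262, which the removed 11.1 item correctly named. Suggest rewording along the lines of "It contains an SMIMECapabilities extension (RFC 4262) indicating that Dana's MUA expects ECDH with HKDF using SHA-256 and AES-128 key wrap, as described in [RFC8418]", and adding RFC 4262 to the references. The certificate changes in this hunk are consistent with the 11.1.1 changelog: the signing certificate's serial number no longer starts with a high byte (the first tag-length-value after the version changes from "pJvJ" to "JJvJ", i.e. a positive INTEGER), and both keyUsage values shrink from a 3-byte to a 2-byte BIT STRING; worth stating in 8.1/8.3 that the serial number and keyUsage encodings were regenerated so readers comparing against -01 know the key material did not change.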
@@ -1118,67 +1194,68 @@ 8.5. PKCS12 Object for Dana This PKCS12 ([RFC7292]) object contains the same information as presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and Section 6.1. It is locked with the simple four-letter password "dana". -----BEGIN PKCS12----- - MIIItgIBAzCCCE4GCSqGSIb3DQEHAaCCCD8Eggg7MIIINzCCAmcGCSqGSIb3DQEH - BqCCAlgwggJUAgEAMIICTQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH - TA2APx0CAhQXgIICII41QoooyUFqZ/fDWmgn1xEzYA0oJmBoFCl8uyXfZ/0yP63q - EYmGtmplf0qtFoI9tG1k0yKnmYY4xACo8Vy12BxSY62YfDv/2Uk+R4vNsyO9IwDR - rR4LF1rvYOlj8VNbIovXp2c1RUZW7QZKL/qVb5V9hNL80mKk77TteeFFKvDBYPyw - DYUBr+CP5gbMi71DwePoXHN+Rd6hHFFrUBhFVEUlXgCTs/rgsN+WJ3Wx1SK44xel - MyP9PzrMO5rnZDnP1pPsanIB/Zl5xDKbg/lg19St+dnnaHr3Le5knMRcc48PZ/r8 - 0bSaEQ2TxxUbdVQoshPtpoJ20EMgD0omRYZNYBB3ukj2j5c2gHCAsv+3cRKYZbpn - 37N0MreFTdVyx7KKXKUz9pyVk7TDxtseq4uF/tZzo2QTe0aWoVAsapcu9Ypc4OW+ - r/EehKR5MxPoNxa9eKIZEmDPU6ZnNRhnJG3QB63zAZ9ojY72PgvNOMrrKipCI4Jc - irJ7KK5hOLh7ScsFaYnZnVwfdN5Vw6os4VxY51uW6JOQuCaCZtB6ypEe40DCPevd - ej+YYm4qCxGnbiS7lf2yBkoYsmmz9yGCePvkHLpdYL3yql12Ti8cEV1hyQP9manq - ye4OvnlHKczGOIeE3sHipkjTyAqo+uSDy2/TMZU6U9Wpq5FcrmOIs3HHFaEKWq7N - oIVLEGgVcvgyL9hGrb5WsU71e6JgeZsZ9jL2QigwggJPBgkqhkiG9w0BBwagggJA - MIICPAIBADCCAjUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECPG6iJpJkNuf - AgIUf4CCAgj/MCKXWbtp1qlHufYRzMhWeV3BaYoisKS4N0I+MYEv0VpHKLGp8e5v - CtkuWnuY3WJ6Mqn5F27MIGyjoimcoeQboApOgVYu+QZbwWX4HV7jPfByE3DX1Ll5 - 7irBYXUaoGzqBspDsmancqL7LHr/HJszKpv7kSTKiRpHvqdcg3RtD+AetoZxrYci - zmfcBONW4XDyTDKM4sSyypMrSjiO/huGjg4TXQQYLbxOxUo+RH7JWzTH3RLHhH/w - /+RHKXvym7uRm+oSlXkffz47VyA348w7+YADMCxeujG+NlBikGJEc53R1xGuiVjI - 8aButCifePwyQ65/m+jklMOqIrq2M12mh9z6mtT6kYqZjcKxwV+rEib4TX48+HOt - 2vp9r6o41+ulLu9f2P/EJka86biQU0MbWA+cd0JXpDm7CgVT/c7opob3Fs3fM1BH - Sh8g8moOIAI7EBfkxkymrgrCBptm74W6AxQGAgYFrNWBHunFer4DnE2rhDLxFvZg - X2c1VJPfhKDM9lt7vksoAttmXNWY1UuCBqGipH11qe7txE/tgAZJF51owRvFGOLQ - 7dCFH+cyS55UIJPhuFgUR7qskzrrh5SyWuBdMDSgyf7z+Jo86mBQEtwIsT2erqGf - 
z7fqo1TFyK2HpTr1FsTFjhNq4cXBQB2Red7f6IuK9/b6A6soKwpApjE3Uoymc3MK - MIIB7wYJKoZIhvcNAQcGoIIB4DCCAdwCAQAwggHVBgkqhkiG9w0BBwEwHAYKKoZI - hvcNAQwBAzAOBAjnyf7N2H+W4AICFJ2AggGoGREGUW0ANjBShA7junSDi0+1a3uu - PVz1O2L0eWnKISTivDOBDjmhkAwoMF+RSaTqc0eFz4yCEiMdBEkO/Uk3+R5HCOGr - tKh0sMh1Ti8dPEPbXcwVvs7vUuXx5iAMAMN2BP2/4DTB32XMCHwFwTHyTFkQcsdI - 4GtpnP9YsusabQWaD2YjHKZnNTP1LBKrllhxEyUK1zB39rfQkRtM6X/2cpO/rKjH - NEKW0QQIzx4jrrf93cbXGMZy7ZZWygkbS8SNfe6ztvR3/AAU03PD7b9GfMSHW0gN - 6HAHuRX3U6STB3kGUB0u80+Ff4OHIRf0gTwfXjj0RW1cJ+T+mpJfsmgycVFSNn4r - ThuIwSSHWB/dJguhj1pd2kldHS90T3xbcxxQPru41HIRpc69BVPmdgsywt285Q1A - IkR0laF7yTn7j0mNCkFjgiUPyUh0B6oziqa6bPFX33v9vbIkvGEH/xiyH5KL8NVn - e+SJqOqo5Ldz+VwuVjRVaJKYRiEIwG/igukbZELynt+n2ab7MQBwaF7szah6rgoJ - 9siHtn2qqcLH/yFSpa31l+zmrzCBwAYJKoZIhvcNAQcBoIGyBIGvMIGsMIGpBgsq - hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAi9gc9b1vmGZAICFLoEOGDs - hI5HudzQ7whUdHIlB2e63n/f8D8eU4Fd6sxoX0eGz9q3aYjrfYQB1SuXJlAEe/sI - wCYmHS1EMT4wFwYJKoZIhvcNAQkUMQoeCABkAGEAbgBhMCMGCSqGSIb3DQEJFTEW - BBSd303UBe+a7GCGvCdtBOnOWtyPpDCBwAYJKoZIhvcNAQcBoIGyBIGvMIGsMIGp - BgsqhkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAhcO/FJPCuuLgICFPoE - OIndI0W9ychDOX3aWnkEfmBHjJ/mOSmr6ZVQ+R7YEEGPYYaaW0KhuGn+ymPjE+sb - rOqDREHiQBOcMT4wFwYJKoZIhvcNAQkUMQoeCABkAGEAbgBhMCMGCSqGSIb3DQEJ - FTEWBBRIA4bBabh4ba7e88wGsDOsVzLdljBfME8wCwYJYIZIAWUDBAIDBEBIhL6p - HFTK0hwRZDyE3YSCZQkqqfjtQ5Af5bMNXzoKrBwKyiIFjaLjzqOHsXjZfvpYFn9l - SfA4Br7bcbT0GhQEBAguQ5JM5djJbQICKAA= + MIII3gIBAzCCCHYGCSqGSIb3DQEHAaCCCGcEgghjMIIIXzCCAo8GCSqGSIb3DQEH + BqCCAoAwggJ8AgEAMIICdQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH + TA2APx0CAhQXgIICSPQnI0u1rbDuFE7RHOmB8gaSF2Sy8Rbz5yMH9Ecek09CKiuc + 4ZcQ1weWYXHAxMqRKdOBH//kvkbQq3z8tbrrMEIsqpa0KnbceCSAeBoSa6tfaDQh + WpHoQpXNLxwK3Fmvan0njS3EEQafvSV3eu0KFpZUutMJXceXAFlLWytNtP1b85jy + ije23fbzq1IeplZbWUjgFFAsC9PQf+3p+KE57HfhQ3pKPyQuGOCg54XuOVJVNOMX + fGQxdFywK8L5F+KKqzvNwtzn3lEsLLedxzTLjspI0lz6EIKCvlpykkKZIbyZlakl + rjvSN/VXiLwpzlFJTVAg1Cue0kGmDZIV22LGOqkkvnJ0R+h/3bnWVP/8OuFQGowb + 
40IeclSsbxG0JIDcES4uX04m4bvb7Brx79FUHnGr5sXz45AqnbO1rMT8Vl12Qq9U + Pn7u1CeLpNXl/hjU+zbcZzHcRYz2k+PqSxwHDyCbyJpINDY+LWfy8OOC2JUEhYze + y6/vL7i0efHTf0CRNV9664Z9RdfxCPXRJEUVSZINSSydASkSWl+OABkAsYA2Fg7y + PipJm+GdwKNP67aIlhiDatwSEZ2eT/TayNmCwXLlV83G7OSfw8UQjBYNIMmFuvLs + TR5PLi3E2llcC9geKUHVDdEAGOB0ixgmfv2TqGFTE3sHdDVbLFn5OD3DtfV74YsA + QqxOnN1OKleljMlJgN1w33jYzx90RqOJHt5ve4/Qj6CRK+TjU+xH0GvTSi6wcEmE + UPD3az7ZGRrEVGRo7nWh2nNwiJLRMIICTwYJKoZIhvcNAQcGoIICQDCCAjwCAQAw + ggI1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAjxuoiaSZDbnwICFH+AggII + UmezlzXbcjLVmLiRmNAKNqzwefymnj/ykUx+3s9jACknIhEZ4nkNOdLffUvcMk0b + DpzZGevsxLXBAc15x5cpaPJ13nbM/+9lQSnhqd7+wjkERRuRuyWj2Pe6yDauEgF4 + lrkaq+tQJmfSlFJFwlVVh7ZzpFTQlbPLJ0cVEtpGwkpeoLb1wJ0tH0u0/HS3CI/q + aQ6QtEIIbsBvHG3Wx0gvYeQN+sTnfVS+nimMQSPN8u+ZTx/SsTad2LJqkWSo+mXm + xG/pjYr7PKezppt4b5djGepPlIKwR+xeKYJdzFNteUUinEdOxEyxzutb0eZv5Fvt + IfyhaAEMO3J1zN9kmihxKJRopGRjqSk96FqVNZE934JjR4mysGT/aEvGhYHD5kRL + XX1Pea+aGlB9leBgC21QobStZLIB7OF/NMUXUJtCLuUx47v9hmbS0BjdihVRdf9b + vouw52jnkbLtxWyFussZX3/SD57thiRroGcjO+j+LKwzjFTsec1TntKsDbuQY4P9 + YEBnNjo92xmnoXht95EcNanlLe7TdPqcKiSriYagpaBvKcuED25Lj0gvZCywJsFE + UH6QIXoLyawV52Owjxl1PvkwPV5MBKTIAFsspipYDr7mrJBGWKKlOkpDEPj9qsR5 + iDgJjG56IaCLaR0xNhfpJSejC1PUQIw12x4tWf9f9+o+qt+2r4T2iDCCAe8GCSqG + SIb3DQEHBqCCAeAwggHcAgEAMIIB1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw + DgQI58n+zdh/luACAhSdgIIBqDm3P6jekAlPi1HmdPOG+jbWocN/FQRP5tMLXjMK + oZZ7Xc7XXgLEZUX6Y7lwD4tsxBuUmskPdroF7GDXosp+NwnBKa1l46ABS2kJ5e5k + ZAGaXouPHDc57kapBa3ZZ05CmexJKA48Gv4wje42bhQXrhuw0xXoKFUYiXY5z1YN + kWm52m7RLN17toCOSzrcEiMr/vbU9Lm1yuJzqmDylJhafQqdujMr3vwA/aegT7RJ + 757BFtPORkhaMGwHCBkNo07whqWU3CmUk4HLP8nSw0o5Y+YsGY6sxoCI0IXNjei0 + tbrElwTrxOfT4p2t2GcLNRViLsiYB+sdw5z0sSZakF5G1khu2IiWAWNoW3tjd+PE + aD/AgsyQN7hKkpjSn62Z/iYd9pG6WqSZoC+sABKuVvR3fmfg8r0z3os6//Bdl6SI + GgBFLWxm7tPhrb5D14nzmnlyomL0ED6Q/uu44TijOWl4b98F0Seals4xmlqy2rm8 + fxs/uvBdSv2xDNOq0zzb1i/BF5ALoeGkZfkhLGSQyrAbUzU6lkMAhABkc7L4SRQb + 
pTminYCcp27XsnMwgcAGCSqGSIb3DQEHAaCBsgSBrzCBrDCBqQYLKoZIhvcNAQwK + AQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQIvYHPW9b5hmQCAhS6BDhg7ISOR7nc0O8I + VHRyJQdnut5/3/A/HlOBXerMaF9Hhs/at2mI632EAdUrlyZQBHv7CMAmJh0tRDE+ + MBcGCSqGSIb3DQEJFDEKHggAZABhAG4AYTAjBgkqhkiG9w0BCRUxFgQUnd9N1AXv + muxghrwnbQTpzlrcj6QwgcAGCSqGSIb3DQEHAaCBsgSBrzCBrDCBqQYLKoZIhvcN + AQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQIXDvxSTwrri4CAhT6BDiJ3SNFvcnI + Qzl92lp5BH5gR4yf5jkpq+mVUPke2BBBj2GGmltCobhp/spj4xPrG6zqg0RB4kAT + nDE+MBcGCSqGSIb3DQEJFDEKHggAZABhAG4AYTAjBgkqhkiG9w0BCRUxFgQUSAOG + wWm4eG2u3vPMBrAzrFcy3ZYwXzBPMAsGCWCGSAFlAwQCAwRAb7hp2ueeypwrQVGb + B4g0cM1U9WV+3ku23y/LXhnkFeTqO+MDE5/KBjbU4ykjN2GZyiXPKQF3y+KCdEtH + VcLNbwQILkOSTOXYyW0CAigA -----END PKCS12----- 9. Security Considerations The keys presented in this document should be considered compromised and insecure, because the secret key material is published and therefore not secret. Applications which maintain blacklists of invalid key material SHOULD include these keys in their lists. 
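Review bot: the 8.5 description was not updated even though the PKCS12 blob was regenerated and 11.1.1 now says cross-signed certificates were added for both CAs; the text still says the object contains only the material from Sections 8.1, 8.2, 8.3, 8.4 and 6.1. State explicitly whether the cross-signed CA certificate is included in Dana's bundle or deliberately omitted, so that test suites loading the PKCS12 know what chain to expect. Minor: in Section 9, "blacklists" could become "blocklists" or "lists of known-compromised keys", which is also the more precise description of what the keys are.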
@@ -1190,57 +1267,61 @@ 11. Document Considerations [ RFC Editor: please remove this section before publication ] This document is currently edited as markdown. Minor editorial changes can be suggested via merge requests at https://gitlab.com/dkg/lamps-samples or by e-mail to the author. Please direct all significant commentary to the public IETF LAMPS mailing list: "spasm@ietf.org" -11.1. Outstanding Changes +11.1. Document History - * Cross-sign between two sample CAs ? +11.1.1. Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02 - * Add SMIMECapabilities (RFC 4262) for X25519 certificates - indicating supported ECDH schemes, as in section 8 of RFC 8418? + * Added cross-signed certificates for both CAs + * Added S/MIME Capabilities extension for Carlos and Dana's + encryption keys, indicating preferred ECDH parameters. -11.2. Document History + * Ensure no serial numbers are negative. -11.2.1. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 + * Encode keyUsage extensions in minimum-length BIT STRINGs. + +11.1.2. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 * Added Curve25519 sample certificates (new CA, Carlos, and Dana) -11.2.2. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 +11.1.3. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 * WG adoption (dkg moves from Author to Editor) -11.2.3. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 +11.1.4. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 * PEM blobs are now "sourcecode", not "artwork" -11.2.4. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 +11.1.5. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 * Describe deterministic key generation * label PEM blobs with filenames in XML -11.2.5. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 +11.1.6. 
Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 * Alice and Bob now each have two distinct certificates: one for signing, one for encryption, and public keys to match. -11.2.6. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 +11.1.7. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 * PKCS#12 objects are deliberately locked with simple passphrases -11.2.7. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 +11.1.8. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 + * changed all three keys to use RSA instead of RSA-PSS * set keyEncipherment keyUsage flag instead of dataEncipherment in EE certs 12. Acknowledgements This draft was inspired by similar work in the OpenPGP space by Bjarni Runar and juga at [I-D.bre-openpgp-samples]. @@ -1250,20 +1331,23 @@ Deb Cooley suggested that Alice and Bob should have separate certificates for signing and encryption. Wolfgang Hommel helped to build reproducible encrypted PKCS#12 objects. Carsten Bormann got the XML "sourcecode" markup working for this draft. + David A. Cooper identified problems with the certificates and + suggested corrections. + 13. References 13.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 
@@ -1317,24 +1401,29 @@ [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April 2015, . [RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure", RFC 8410, DOI 10.17487/RFC8410, August 2018, . + [RFC8418] Housley, R., "Use of the Elliptic Curve Diffie-Hellman Key + Agreement Algorithm with X25519 and X448 in the + Cryptographic Message Syntax (CMS)", RFC 8418, + DOI 10.17487/RFC8418, August 2018, + . + [SHA256] Dang, Q., "Secure Hash Standard", National Institute of Standards and Technology report, DOI 10.6028/nist.fips.180-4, July 2015, . Author's Address - Daniel Kahn Gillmor (editor) American Civil Liberties Union 125 Broad St. New York, NY, 10004 United States of America Email: dkg@fifthhorseman.net
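Review bot: the two new 11.1.1 bullets "Ensure no serial numbers are negative." and "Encode keyUsage extensions in minimum-length BIT STRINGs." record the fix without the rule it satisfies; suggest citing RFC 5280 Section 4.1.2.2 (the serial number MUST be a positive integer) for the first and the DER rule that trailing zero bits are removed from a named-bit-list BIT STRING (X.690 11.2.2) for the second, since implementers using these samples to test strict DER parsers will want to know which checks the -01 certificates would have failed.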
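Review bot: the added [RFC8418] entry is cited from 8.3, where the content of the SMIMECapabilities extension can only be interpreted through it, so it belongs in 13.1 Normative References; the hunk at -1317 shows only the neighbouring [RFC7469] and [RFC8410] entries and not the subsection header, so please confirm it did not land under Informative References. The last hunk also drops the blank line between "Author's Address" and the editor's name, which looks like a rendering difference rather than an intended edit; check the xml2rfc output.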