--- 1/draft-ietf-lamps-samples-05.txt 2021-12-13 14:13:12.144537765 -0800 +++ 2/draft-ietf-lamps-samples-06.txt 2021-12-13 14:13:12.216539548 -0800 @@ -1,18 +1,18 @@ lamps D.K. Gillmor, Ed. Internet-Draft ACLU -Intended status: Informational 5 August 2021 -Expires: 6 February 2022 +Intended status: Informational 13 December 2021 +Expires: 16 June 2022 S/MIME Example Keys and Certificates - draft-ietf-lamps-samples-05 + draft-ietf-lamps-samples-06 Abstract The S/MIME development community benefits from sharing samples of signed or encrypted data. This document facilitates such collaboration by defining a small set of X.509v3 certificates and keys for use when generating such samples. Status of This Memo @@ -22,35 +22,35 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 6 February 2022. + This Internet-Draft will expire on 16 June 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components - extracted from this document must include Simplified BSD License text - as described in Section 4.e of the Trust Legal Provisions and are - provided without warranty as described in the Simplified BSD License. + extracted from this document must include Revised BSD License text as + described in Section 4.e of the Trust Legal Provisions and are + provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Prior Work . . . . . . . . . . . . . . . . . . . . . . . 4 2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Certificate Usage . . . . . . . . . . . . . . . . . . . . 5 2.2. Certificate Expiration . . . . . . . . . . . . . . . . . 5 @@ -79,57 +79,59 @@ 6.1. Ed25519 Certification Authority Root Certificate . . . . 24 6.2. Ed25519 Certification Authority Secret Key . . . . . . . 25 6.3. Ed25519 Certification Authority Cross-signed Certificate . . . . . . . . . . . . . . . . . . . . . . . 25 7. Carlos's Sample Certificates . . . . . . . . . . . . . . . . 26 7.1. Carlos's Signature Verification End-Entity Certificate . 26 7.2. Carlos's Signing Private Key Material . . . . . . . . . . 27 7.3. Carlos's Encryption End-Entity Certificate . . . . . . . 27 7.4. Carlos's Decryption Private Key Material . . . . . . . . 27 7.5. PKCS12 Object for Carlos . . . . . . . . . . . . . . . . 28 - 8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 29 - 8.1. Dana's Signature Verification End-Entity Certificate . . 29 - 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 30 - 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 30 - 8.4. Dana's Decryption Private Key Material . . . . . . . . . 30 - 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 31 - 9. Security Considerations . . . . . . . . . . . . . . . . . . . 32 - 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32 - 11. Document Considerations . . . . . . . . . . . . . . . . . . . 32 - 11.1. Document History . . . . . . . . . . . . . . . . . . . . 32 + 8. Dana's Sample Certificates . . . . . . . . . . . . . . . . . 30 + 8.1. Dana's Signature Verification End-Entity Certificate . . 31 + 8.2. Dana's Signing Private Key Material . . . . . . . . . . . 31 + 8.3. Dana's Encryption End-Entity Certificate . . . . . . . . 31 + 8.4. Dana's Decryption Private Key Material . . . . . . . . . 32 + 8.5. PKCS12 Object for Dana . . . . . . . . . . . . . . . . . 32 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34 + 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 + 11. Document Considerations . . . . . . . . . . . . . . . . . . . 34 + 11.1. Document History . . . . . . . . . . . . . . . . . . . . 34 11.1.1. Substantive Changes from draft-ietf-*-04 to - draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 32 - 11.1.2. Substantive Changes from draft-ietf-*-03 to - draft-ietf-*-04 . . . . . . . . . . . . . . . . . . . 33 - 11.1.3. Substantive Changes from draft-ietf-*-02 to - draft-ietf-*-03 . . . . . . . . . . . . . . . . . . . 33 - 11.1.4. Substantive Changes from draft-ietf-*-01 to - draft-ietf-*-02 . . . . . . . . . . . . . . . . . . . 33 - 11.1.5. Substantive Changes from draft-ietf-*-00 to - draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 33 - 11.1.6. Substantive Changes from draft-dkg-*-05 to - draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 33 - 11.1.7. Substantive Changes from draft-dkg-*-04 to - draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 33 - 11.1.8. Substantive Changes from draft-dkg-*-03 to - draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 33 - 11.1.9. Substantive Changes from draft-dkg-*-02 to - draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 34 - 11.1.10. Substantive Changes from draft-dkg-*-01 to - draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 34 - 11.1.11. Substantive Changes from draft-dkg-*-00 to - draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 34 - 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 - 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 - 13.1. Normative References . . . . . . . . . . . . . . . . . . 34 - 13.2. Informative References . . . . . . . . . . . . . . . . . 35 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 36 + draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 34 + 11.1.2. Substantive Changes from draft-ietf-*-04 to + draft-ietf-*-05 . . . . . . . . . . . . . . . . . . . 34 + 11.1.3. Substantive Changes from draft-ietf-*-03 to + draft-ietf-*-04 . . . . . . . . . . . . . . . . . . . 34 + 11.1.4. Substantive Changes from draft-ietf-*-02 to + draft-ietf-*-03 . . . . . . . . . . . . . . . . . . . 34 + 11.1.5. Substantive Changes from draft-ietf-*-01 to + draft-ietf-*-02 . . . . . . . . . . . . . . . . . . . 35 + 11.1.6. Substantive Changes from draft-ietf-*-00 to + draft-ietf-*-01 . . . . . . . . . . . . . . . . . . . 35 + 11.1.7. Substantive Changes from draft-dkg-*-05 to + draft-ietf-*-00 . . . . . . . . . . . . . . . . . . . 35 + 11.1.8. Substantive Changes from draft-dkg-*-04 to + draft-dkg-*-05 . . . . . . . . . . . . . . . . . . . 35 + 11.1.9. Substantive Changes from draft-dkg-*-03 to + draft-dkg-*-04 . . . . . . . . . . . . . . . . . . . 35 + 11.1.10. Substantive Changes from draft-dkg-*-02 to + draft-dkg-*-03 . . . . . . . . . . . . . . . . . . . 35 + 11.1.11. Substantive Changes from draft-dkg-*-01 to + draft-dkg-*-02 . . . . . . . . . . . . . . . . . . . 35 + 11.1.12. Substantive Changes from draft-dkg-*-00 to + draft-dkg-*-01 . . . . . . . . . . . . . . . . . . . 35 + 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 36 + 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 + 13.1. Normative References . . . . . . . . . . . . . . . . . . 36 + 13.2. Informative References . . . . . . . . . . . . . . . . . 37 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 38 1. Introduction The S/MIME ([RFC8551]) development community, in particular the e-mail development community, benefits from sharing samples of signed and/or encrypted data. Often the exact key material used does not matter because the properties being tested pertain to implementation correctness, completeness or interoperability of the overall system. However, without access to the relevant secret key material, a sample is useless. @@ -170,22 +172,22 @@ 1.3. Prior Work [RFC4134] contains some sample certificates, as well as messages of various S/MIME formats. That older work has unacceptably old algorithm choices that may introduce failures when testing modern systems: in 2019, some tools explicitly mark 1024-bit RSA and 1024-bit DSS as weak. This earlier document also does not use the now widely-accepted PEM - encoding for the objects, and instead embeds runnable perl code to - extract them from the document. + encoding (see [RFC7468]) for the objects, and instead embeds runnable + Perl code to extract them from the document. It also includes examples of messages and other structures which are greater in ambition than this document intends to be. [RFC8410] includes an example X25519 certificate that is certified with Ed25519, but it appears to be self-issued, and it is not directly useful in testing an S/MIME-capable MUA. 2. Background @@ -215,22 +217,25 @@ particularly useful to test or evaluate the interaction between certificate expiration and protected messages. 2.3. Certificate Revocation Because these are expected to be used in test suites or examples, and we do not expect there to be online network services in these use cases, we do not expect these certificates to produce any revocation artifacts. - As a result, there are no OCSP or CRL indicators in any of the - certificates. + As a result, none of the certificates include either an OCSP + indicator (see id-ad-ocsp as defined in the Authority Information + Access X.509 extension in S.4.2.2.1 of [RFC5280]) or a CRL indicator + (see the CRL Disttribution Points X.509 extension as defined in + S.4.2.1.13 of [RFC5280]). 2.4. Using the CA in Test Suites To use these end-entity certificates in a piece of software (for example, in a test suite or an interoperability matrix), most tools will need to accept either the Example RSA CA (Section 3) or the Example Ed25519 CA (Section 6) as a legitimate root authority. Note that some tooling behaves differently for certificates validated by "locally-installed root CAs" than for pre-installed "system-level" @@ -249,30 +254,30 @@ chain of more than one X.509 certificate. In particular, there is typically a long-lived root CA that users' software knows about upon installation, and the end-entity certificate is issued by an intermediate CA, which is in turn issued by the root CA. The example end-entity certificates in this document can be used with either a simple two-link certificate chain (they are directly certified by their corresponding root CA), or in a three-link chain. For example, Alice's encryption certificate (Section 4.3, - "alice.encrypt.crt") can be validated by a peer that directly trusts - the Example RSA CA's root cert (Section 3.1, "ca.rsa.crt"): + alice.encrypt.crt) can be validated by a peer that directly trusts + the Example RSA CA's root cert (Section 3.1, ca.rsa.crt): ╔════════════╗ ┌───────────────────┐ ║ ca.rsa.crt ╟─→│ alice.encrypt.crt │ ╚════════════╝ └───────────────────┘ And it can also be validated by a peer that only directly trusts the - Example Ed25519 CA's root cert (Section 6.1, "ca.25519.crt"), via an - intermediate cross-signed CA cert (Section 3.3, "ca.rsa.cross.crt"): + Example Ed25519 CA's root cert (Section 6.1, ca.25519.crt), via an + intermediate cross-signed CA cert (Section 3.3, ca.rsa.cross.crt): ╔══════════════╗ ┌──────────────────┐ ┌───────────────────┐ ║ ca.25519.crt ╟─→│ ca.rsa.cross.crt ├─→│ alice.encrypt.crt │ ╚══════════════╝ └──────────────────┘ └───────────────────┘ By omitting the cross-signed CA certs, it should be possible to test a "transvalid" certificate (an end-entity certificate that is supplied without its intermediate certificate) in some configurations. @@ -300,25 +305,25 @@ All RSA seeds used are 224 bits long (the first 224 bits of the SHA-256 digest of the origin string), and are represented in hexadecimal. 3. Example RSA Certification Authority The example RSA Certification Authority has the following information: - * Name: "Sample LAMPS RSA Certification Authority" + * Name: Sample LAMPS RSA Certification Authority 3.1. RSA Certification Authority Root Certificate - This cerificate is used to verify certificates issued by the example + This certificate is used to verify certificates issued by the example RSA Certification Authority. -----BEGIN CERTIFICATE----- MIIDezCCAmOgAwIBAgITcBn0xb/zdaeCQlqp6yZUAGZUCDANBgkqhkiG9w0BAQ0F ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowVTENMAsGA1UEChMESUVURjERMA8G A1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlm aWNhdGlvbiBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQC2GGPTEFVNdi0LsiQ79A0Mz2G+LRJlbX2vNo8STibAnyQ9VzFrGJHjUhRX/Omr @@ -366,23 +371,23 @@ BqvpSoQjBLt1nDysV2krI0RwMIOzAWc0E9C8RMvJ6+RdU50Q1BSyjvLGaKi5AAHk PTk8cGYVO1BCHGlX8p3XYfw0xQaHxtuVCV8eYgCvAoGBAIZeiVhc0YTJOjUadz+0 vSOzA1arg5k2YCPCGf7z+ijM5rbMk7jrYixD6WMjTOkVLHDsVxMBpbA7GhL7TKy5 cepBH1PVwxEIl8dqN+UoeJeBpnHo/cjJ0iCR9/aMJzI+qiUo3OMDR+UH99NIddKN i75GRVLAeW0Izgt09EMEiD9joDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC AgQcpcG3hHYU7WYaawUiNRQotLfwnYzMotmTAt1i6Q== -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed - "a5c1b7847614ed661a6b0522351428b4b7f09d8ccca2d99302dd62e9". This - seed is the first 224 bits of the [SHA256] digest of the string - "draft-lamps-sample-certs-keygen.ca.rsa.seed". + a5c1b7847614ed661a6b0522351428b4b7f09d8ccca2d99302dd62e9. This seed + is the first 224 bits of the [SHA256] digest of the string draft- + lamps-sample-certs-keygen.ca.rsa.seed. 3.3. RSA Certification Authority Cross-signed Certificate If an e-mail client only trusts the Ed25519 Certification Authority Root Certificate found in Section 6.1, they can use this intermediate CA certificate to verify any end entity certificate issued by the example RSA Certification Authority. -----BEGIN CERTIFICATE----- MIIC5zCCApmgAwIBAgITcTQnnf8DUsvAdvkX7mUemYos7DAFBgMrZXAwWTENMAsG @@ -400,23 +405,23 @@ EDAOMAwGCmCGSAFlAwIBMAIwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBSRMI58 BxcMp/EJKGU2GmccaHb0WTAfBgNVHSMEGDAWgBRropV9uhSb5C0E0Qek0YLkLmuM tTAFBgMrZXADQQBnQ+0eFP/BBKz8bVELVEPw9WFXwIGnyH7rrmLQJSE5GJmm7cYX FFJBGyc3NWzlxxyfJLsh0yYh04dxdM8R5hcD -----END CERTIFICATE----- 4. Alice's Sample Certificates Alice has the following information: - * Name: "Alice Lovelace" + * Name: Alice Lovelace - * E-mail Address: "alice@smime.example" + * E-mail Address: alice@smime.example 4.1. Alice's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Alice. -----BEGIN CERTIFICATE----- MIIDzzCCAregAwIBAgITN0EFee11f0Kpolw69Phqzpqp1zANBgkqhkiG9w0BAQ0F ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx @@ -469,23 +474,23 @@ uEuM18+QM73hfLt26RBCHGXK1CUMMzL+fAQc7sjH1YXlkleFASg4rrpcrKqoR+KB YSiayNhAK4yrf+WN66C8VPknbA7us0L1TEbAOAECgYEAtwRiiQwk3BlqENFypyc8 0Q1pxp3U7ciHi8mni0kNcTqe57Y/2o8nY9ISnt1GffMs79YQfRXTRdEm2St6oChI 9Cv5j74LHZXkgEVFfO2Nq/uwSzTZkePk+HoPJo4WtAdokZgRAyyHl0gEae8Rl89e yBX7dutONALjRZFTrg18CuegOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC BBySyJ1DMNPY4x1P3pudD+bp/BQhQd1lpF5bQ28F -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed - "92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05". This - seed is the first 224 bits of the [SHA256] digest of the string - "draft-lamps-sample-certs-keygen.alice.sign.seed". + 92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05. This seed + is the first 224 bits of the [SHA256] digest of the string draft- + lamps-sample-certs-keygen.alice.sign.seed. 4.3. Alice's Encryption End-Entity Certificate This certificate is used to encrypt messages to Alice. -----BEGIN CERTIFICATE----- MIIDzzCCAregAwIBAgITDy0lvRE5l0rOQlSHoe49NAaKtDANBgkqhkiG9w0BAQ0F ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8G @@ -537,31 +542,31 @@ fDGDv7wb5FIgykypqtn4lpvjHUHA6hX90gShT3TTTsZ0SjJJGgZEeV/2qyq+ZdF/ Ya+ecV26BzR1Vfuzs4jBnCuS4DaHgxcuWW2N6pZRAoGAWTovk3xdtE0TZvDerxUY l8hX+vwJGy7uZjegi4cFecSkOR4iekVxrEvEGhpNdEB2GqdLgp6Q6GPdalCG2wc4 7pojp/0inc4RtRRf3nZHaTy00bnSe/0y+t0OUbkRMtXhnViVhCcOt6BUcsHupbu2 Adub72KLk+gvASDduuatGjqgOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC BBwc90hJ90RfRmxCciUfX5a3f6Bpiz6Ys/Hugge/ -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed - "1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf". This - seed is the first 224 bits of the [SHA256] digest of the string - "draft-lamps-sample-certs-keygen.alice.encrypt.seed". + 1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf. This seed + is the first 224 bits of the [SHA256] digest of the string draft- + lamps-sample-certs-keygen.alice.encrypt.seed. 4.5. PKCS12 Object for Alice This PKCS12 ([RFC7292]) object contains the same information as presented in Section 4.1, Section 4.2, Section 4.3, Section 4.4, and Section 3.3. - It is locked with the simple five-letter password "alice". + It is locked with the simple five-letter password alice. -----BEGIN PKCS12----- MIIX+AIBAzCCF8AGCSqGSIb3DQEHAaCCF7EEghetMIIXqTCCBI8GCSqGSIb3DQEH BqCCBIAwggR8AgEAMIIEdQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIWQKs PyUaB9YCAhTCgIIESCsrTOUTY394FyrjkeCBSV1dw7I3o9oZN7N6Ux2KyIamsWiJ 77t7RL1/VSxSBLjVV8Sn5+/o3mFjr5NkyQbWuky33ySVy3HZUdZc2RTooyFEdRi8 x82dzEaVmab7pW4zpoG/IVR6OTizcWJOooGoE0ORim6y2G+iRZ3ePBUq0+8eSNYW +jIWov9abdFqj9j1bQKj/Hrdje2TCdl6a9sSlTFYvIxBWUdPlZDwvCQqwiCWmXeI 6T9EpZldksDjr5N+zFhSLoRwABGRU8jXSU9AEsem9DFxoqZq8VsQcegQFY6aJcZO Xel7IECIAgK8nZlKCTzyNVALxeFw0ijWnW4ltDaqcC6GepmuINiqqdD94YAOHxRl @@ -684,23 +689,23 @@ coTqPkm/XGNMmOZ81KX/ReVdP+dC93sov2DuDZbYGPmHlD47bOOiA68GD64DEuNt Q8MhWk8VRR1FqcuwB0T0bc+SIKEINkvYmDFAMBkGCSqGSIb3DQEJFDEMHgoAYQBs AGkAYwBlMCMGCSqGSIb3DQEJFTEWBBS79syyLR0GEhyXrilqkBDTIGZmczAvMB8w BwYFKw4DAhoEFO/nnMx9hi1oZ0S+JkJAu+H3/jPzBAj1OQCGvaJQwQICKAA= -----END PKCS12----- 5. Bob's Sample Bob has the following information: - * Name: "Bob Babbage" + * Name: Bob Babbage - * E-mail Address: "bob@smime.example" + * E-mail Address: bob@smime.example 5.1. Bob's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Bob. -----BEGIN CERTIFICATE----- MIIDyjCCArKgAwIBAgITaqOkD33fBy/kGaVsmPv8LghbwzANBgkqhkiG9w0BAQ0F ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G @@ -752,23 +757,23 @@ s5n5iwI1VZEtDbKTt1kqKCp8tqAV9p9AYWQKrgzxUJsOuUWcZc+X3aWEf87IIpNE iQKfXiZaquZ23T2tKvsoZz8nqg9x7U8hG3uYLV26HQKBgCOJ/C21yW25NwZ5FUdh PsQmVH7+YydJaLzHS/c7PrOgQFRMdejvAku/eYJbKbUv7qsJFIG4i/IG0CfVmu/B ax5fbfYZtoB/0zxWaLkIEStVWaKrSKRdTrNzTAOreeJKsY4RNp6rvmpgojbmIGA1 Tg8Mup0xQ8F4d28rtUeynHxzoDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC AgQc9K+qy7VHPzYOBqwy4AGI/kFzrhXJm88EOouPbg== -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed - "f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e". This - seed is the first 224 bits of the [SHA256] digest of the string - "draft-lamps-sample-certs-keygen.bob.sign.seed". + f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e. This seed + is the first 224 bits of the [SHA256] digest of the string draft- + lamps-sample-certs-keygen.bob.sign.seed. 5.3. Bob's Encryption End-Entity Certificate This certificate is used to encrypt messages to Bob. -----BEGIN CERTIFICATE----- MIIDyjCCArKgAwIBAgITMHxHQA+GJjocYtLrgy+WwNeGlDANBgkqhkiG9w0BAQ0F ADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMo U2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTEx MjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowODENMAsGA1UEChMESUVURjERMA8G @@ -820,169 +825,169 @@ dOXFU7gCdBeMotTBA7uBVUxZOtKQyl9bTorNU1wNn1zNnJbETDLi1WH9zCdkrTIC PtFK67WQ6yMFdWzC1gEy5YjzRjbTe/rukbP5weH1uQKBgQC+WfachEmQ3NcxSjbR kUxCcida8REewWh4AldU8U0gFcFxF6YwQI8I7ujtnCK2RKTECG9HCyaDXgMwfArV zf17a9xDJL2LQKrJ9ATeSo34o9zIkpbJL0NCHHocOqYdHU+VO2ZE4Gu8DKk3siVH XAaJ/RJSEqAIMOgwfGuHOhhto6A7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME AgIEHJjImYZSlYkp6InjQZ87/Q7f4KyhXaMGDe34oeg= -----END PRIVATE KEY----- This secret key was generated using provable prime generation found in [FIPS186-4] using the seed - "98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8". This - seed is the first 224 bits of the [SHA256] digest of the string - "draft-lamps-sample-certs-keygen.bob.encrypt.seed". + 98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8. This seed + is the first 224 bits of the [SHA256] digest of the string draft- + lamps-sample-certs-keygen.bob.encrypt.seed. 5.5. PKCS12 Object for Bob This PKCS12 ([RFC7292]) object contains the same information as presented in Section 5.1, Section 5.2, Section 5.3, Section 5.4, and Section 3.3. - It is locked with the simple three-letter password "bob". + It is locked with the simple three-letter password bob. -----BEGIN PKCS12----- MIIX6AIBAzCCF7AGCSqGSIb3DQEHAaCCF6EEghedMIIXmTCCBIcGCSqGSIb3DQEH - BqCCBHgwggR0AgEAMIIEbQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIe/d6 - qDQ/28QCAhQGgIIEQJKA5kzRVm9d6rEwC/0RyBSgpPuSROUQTjspt6EhBZlgHc3u - FTCPaO5P/vpeWaCnBRarGFn3DmqA3JT+59bmRpGdiP3Zrlk2EbHi0yrd2P3UFDnX - qRkkI+7pf6eOHWJRntJA+KJS8v3tZ/hpiEKAEav/Mq0IFNFyEiZpCkbKCX5auDb1 - p5c3J2MNg/WNBfpGJUHKVIzuIF3H+8LfFgayRsDsppoUMffR+GmdL8nxLiqhraHD - +Iqr3LpEroNi/iZQWUTFTUlaePf/2KMqaHOuy41IVvcH1jIcLXHGNa66S8AP/Hj2 - TJPPg/lve76DVaGdEnx4QJd4pBFQac90zmhxU1HZrvzubK9t4e5lr80wpd2djvZK - wSLzUgtQZXq8pSs1r85vrb3KItdYGF6SZpX029FS7rY3uYth5SYVUQWdUYYY3S0/ - nsaLg4MCWUO4Sh7nYJZl5Ijkk9LS7JhmwKvizHRRTXbLyRDH06e+jCRgLcU2WSUq - 1bEr9Jy0ucK8zNPTf8HWBTS0ubvy4JfO3mVp4REX/8ozXlLztWGblFGbyaJ9Y4ga - LM3JpKxMtb1UTxoAyj3iFwGlGZFGKBlWplr+OdkKkC4dloFE22IINfLdRNLV9mPO - aGZhsDheB8iVOtN01u91BlU68Q7AL1ryXWUSjouKGRSU6uMDLZ7rw0wlZC1m4oLG - BF8CmO4ELmbOci78fBs/qDXlf3BJazcNtciamEsQPYRGkHASBRYtoDfVy6mTT40o - obdrZigcvCwttDBu7RtynAQVZ8DvKzxFGhe2p2Yc9H5A5ML7IwqNtYzheduBAQTE - jAU2jMqwnZN5wULEnH2TF6KAQNrKdtBYMbqkToKgxf5Zf+cJZbyQq7WM6nVfOM7g - kcFdeHDn/CWoSNHI1+JA3wSDM06zkU5HMd2MpT1RLTSaemImUKCAGYieJmwNQxR9 - aYHBBw5BNBw1XRB7WRka2Uah0Xq/wAgaI/o9L+mShDRFJjFi+t8AV3KR0WWHg02O - 9qchX7P5H3Sy/tq8yUQIol+hRiRjkfi9qy6AxIRttrK4WbW4scUtBZSkg9uFkTVU - ybnV6WvBpn2SrnwF/E1ueKARVmouWJ/7fiLJXk6wVvVtuBZw2gE5QGfuCwq0PQsC - xPx8MhNl1KZYDVCGsyUr/LMHeKNc31S2HLGQK7kh/o+QQazafiJocQ+kRbS1VX1D - nQlIhz4zvKsBgzHpoe3wQcfAY5sp2ubepsZ5T/YHkmroBmvA4g1vi7nlCetgxXrh - 2V6OXvaZ+BnfsYxJeUZGnNMNEDFlzS7xB18ojtT5JN0o+9tLsdikdikl69IsVv+2 - eCv9Go+wh19cSAL24rkzdKVuiIAXS7tzel3eWGjdKoq3Ke+tfJtobSGrB39xgLVr - 3ho63hd+qTUyjcAhVL3hAJinv+/KT0jR8fq+CDsXMnCEWugHhwB+66NOr876MIIE + BqCCBHgwggR0AgEAMIIEbQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI6NTC + of68mzgCAhQXgIIEQDuXJ0vv86loQC7vz26FjGylSr7mt6epUVNUtlEn9tbsIjjw + IGpu0eRzEk8ezAfzL0R5NaeVKkoFDvihn7NOoclhWPt66SJmiss54pRRkrVlTVwf + qY9tHeWQShQQjBU0suq9MOIJYZDfsT+aFJJNVSPNid4mj8npvP3p5d0M7Jh8kQUp + Ia+/YWQD8KX7GtJ6ObyhF88gxuWs0a5GqXqE3qIC3ULOQVE13SORmql5Tvxyr9iK + f/J9pfWmmr7uHsztBO9mzze872PBQ27Zgc2sojR5FcxHZWFQvUxRkjzMGDh/QC15 + 5j+Nc+eke8KJSh0PoO8/RPbDjbPekPd1JKvAr+eU/ksw205ldcZqVUVyQTLFghr8 + G8thAh/SzUPeZ5Ag6FLLCxBuaj8HDyFC7hIoYjaNuPd3QxtTrgAuDFzB6+SlEfGj + MFxd4m1gXJYOm0OaKE+rRAHZ8KtGnr43vK/QAnSkW6G1evZc0kcAW7fNfAg8Oqzk + J84xBrc9OwF+IFMYJteYEGcsb49Djzb5QDwusMDQ2SBJatNsFNMTv8+w79toyMWd + fEaqmdQ6GvZOf9rNNSWVgT+g7EGAEUtA1cXrz5cuHdFN5qcKM0+948++A59BB9dw + 2+J+YSZ/3XxUGP/4zFwJE6ZgrjZYl5h9uqxE+tABVZVvtv16hJgXojFlyRUe6DY7 + Mxt0a/NomXzNM/cXrqJ1tnhaCSTBdeUSvgQi2U6k9y76Jj4Mc1T7tUG7rZHvyAyE + q4WBZ6U+GD89Agrg2pSn+zVS2BJc68P1WRRqsX87yaD60UuGuoIphCkYnxfSCmdX + O3aZOG3/3l37FkViFooPJ+91t455P2vyiDS0gfUffpH+jWyC6c4lbs5mmQW/HlMy + cKNbIzvlvRhC5xwgS6T8jaJjMTSOdX6G/gxIx+JOmPpZT3uJ1IQtn1Kec0uhq3B9 + i9pBQwPTzzE0oLac9QHiVDl7EWWfAQQENSKuGkZ2yDx32sdLU62l1N6w3anUIv41 + cAZjqEB5AWpDPCO/9yVtrpnN9FfFx0q4XC9qkTCwFh07YSXrZ/o1c9XO36wZ9Osp + YI3M4bWFDXOdMiNr/RxnBC/cOs3UsYgpnV7Po5hSmxb5Ncew6g7YN71lkY0UXk0k + 5zCkATF2Qu9wfA35BX+N4eghN5ArQjgS7so6ohw9C1egknScU5CiJJ2XsXGKPxsw + L12O+kQRv5/s1QxGbru2C/oKeQnBR8cuWrtYXFLHXhGl8i8pcX0OO6ABYRenqJsq + EDJf5MppbN486UivL/mq0dgHHpl99rmtXJaBaq+aSF8bZGZUOTMOcI0mhlq2kcWT + F1wrwFt7iMPAg4SxJTAFaxnIlLvesxGQLWvnaQyK+l4Rua9C7HxONrp2tDh9Qwie + Yo30dRbOQR4xD3SEHloH9UMei2E8hXMztS5tPFIgKuiTVqQid26C5rcP7kV+MIIE bwYJKoZIhvcNAQcGoIIEYDCCBFwCAQAwggRVBgkqhkiG9w0BBwEwHAYKKoZIhvcN - AQwBAzAOBAjiGuDSkfG4UwICFLWAggQogyL08hPtUl52dkO+BVimcGXW3FmDrT0D - gU3Drd0P76KzYzd2lLuGb9dx84wx0XnFIXeBM4F3QSDbCK4tOuJ6JRaEeUoCAyZd - XyHtLjVeuozt2xHBDUgQVEO1dZHtk1VUgzLSCha1rXjcwpa4+8xqqoVM3Cl5uBh6 - QLUNey8Z3YlKlk018Tdge6OOUrg72BPKppNfJlN4TnOFwMVMA/qHAJl4pL1YDpmc - 5BZm4tMg0HvPiz96uwjEhw1GZFGOgZIogeVJuqCNiZPDjCFEDgnCw6sciS5Bi+dX - Km0VUdamSr93e2eEPLbzxZR0E0A3IcOj66iHuZpU9YhKzsAIhLMxT8kF81I0ZZzj - 8N+P1hnkjdVWuJLg77pkXxQJyvuT0e2oc9r/DCHjckneen3+E66IKsYbib7sX4g6 - 2oFBJs+7xQopy69pC8jCn3fx61t7AFx2RIvuVHY/eU4sXoWkJNqQ3Vxj2SPWKjzJ - 4IIvWVxIFiQjjOtDFdGYPGukJXn62Lbb8CFgam9s4jDKnr0LHIngVeUIgi4wkvva - QzZTzXfUApezQgQqy4x+ogdiYF1UOa0OaqvrGRiiJlMdRi0/MDy+jzkX5cULhxkF - vdBNCirv+3zBaiJ5Eu6q0zP5Cxi2qXhSbehZqvTPB4dD/vu9yxHpZmUCvzm7H213 - Tdrb9WxHOc92ZpBzsfiCA1smVwTDFVGa/kqN6noPw0qWZANIk27/+apsTkBYaVpa - jpfn9eydi5eV2+pEQV08fh4OJfiKbHS0l2E3Gp/rPm9lVgmCmjBWh+Di1k4qgF/f - lsxWgzXNOxPntpohnM6AZDxW9Sk+BElDLYS4WFwUg679BsJG6hQqAZKvG/8agSH2 - k+TKKYUbXbFVCB0+iuNZIwgf4qxGzvI5+Iok+OcxuGCqwOu30QbfECEG01QbKETn - ic3kMiZ5Cxt7NQSuyEYAQ/AmvM4qo0x7Tw1r7tR8BcAEF6fGxd2VXIV8Tr/pXGO2 - HL+0iIHs+Ob67zlTHr7wUB4tCp9LC3IIWdsr7KcSRNEMXpUIFI0etCjNgCU3iT+R - 915215OfWNGxQfaXTEyMVNaT1HpwihIisSb9QHbagaRLbYmqJ+ILSECADYQPEWf+ - LTO1tcOhkIb6BiwVWUuOOqNj6ILJM2XvmknATyUj9MYcd77xOJzMrJE5VtaM5BVT - oRpcOLfhYOmihceGSEqXX5golkqfLUze7zlslNWMYTTLw6tC6I+c/IUIWJnZT4m2 - RbTQ0krfPn94zbTjrG42HS5+Ke3ySV6Fv8MZ+s93yY1v9iB6cVPEUteLRc+C7e7t - lw0bQ2+MyAkjenS5Td+3tC7lR42O2CSfY2SaOsRv+EaYjTGzf9F3TM706o5+VZrM - gtIKtw2okRcjRhaKDfhui6jo46YYzWbrgOS3vzc60VcwggNnBgkqhkiG9w0BBwag - ggNYMIIDVAIBADCCA00GCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECEyHXPVs - ncxTAgIUQ4CCAyDSBlYeFnsa4vtKApbLnd9FENDYeYqkKmj0lkDagMqHC22/nQ9v - gz2lOo5FQJoaJx/WSorQt0Jny1QP9vZd2t+bkfoaXOR0MtmFY5SOtYEudJplrCz+ - ZEw8JlePJRP0Q3lnwEiSk5NnXLRWNzurIeuyZEd1VbTvi/rF22sRWlmU335L67zj - P1sPeXkBpIYCPLHw8E4rkaC8G1ko5wyrnhuqL4ItzhvOORvgRaDflpP9WTj9LVUv - FD5D59zgb0ptaW0jIw4JplIGXIEZIynW4KfkWy2YJvsXiuLHvN3Z8qL6VtxNGk1s - g340uKkUUlzmtDJqGT9RVkoYBXxN7KYesbSttONhPwdv/MxHrEo8TGHZAvbmwgft - hOUrc/WVtUopPEs4QgrsA8d0MrSd5lVtPW0XPsBPEnLuh7dqAlmgztYlP4Yztk2/ - JJ+E4MosmhRjbKzM2N5WuGlDC5m9KF/5JjNVwQ7e8gMeUv/3gizgCG/4Mgng0VGG - IxGzzBoQXPWCKdT3sLQVyt4/pqPBpZYnP09bmkkY/UIa1unNB+WWpLOkKSzD5wRv - /2xmNO2D37DnHwTFYC51ZblKz7FGjOgCwG95VPc8NQ8aG5rqpQ+muq/Jil5mXgNw - IDeM4bawa01UKEzqTGQUb3gsJMGiVOhgtOrBiO9Kx/2PJolUuwZGcbo4oGSVR7KH - lLgIuC8aIQDyFURVYRCNwOw5U7JN5arkvZ4ty0/qk5UbjxQuDkF8o6ZdViO3l0Do - C+6zvncDx4HvUd6uQ+u/kZfr8qfwM5o6D2qXhS/ZHSkq2xwIzb47uUUqaeg3yOZJ - ++na7gC+ibtHXXnNsHUvPbpCn9qViFhzilcQZYq0tZxDKa0E/pzEP/IA4IG24wEL - GnyuUIHXBS9T0MchTxl7BglycOPRDnFKzMQfUXY1rAErK76cs3y4VQDbfYDiOzsa - 1qqMApIX4i/qKFdRvDuLxtZQbVA/rNumm40LPUQ5OvEngIESA74G+//YQbVjbMjP - y+hm7/15q5LRo9YxCS49KGlz4NG1QMWjnfkpOCNVZVpaQ7TPGOIYzBL6kTCCBZgG + AQwBAzAOBAjEoygdzjeRWwICFCeAggQoV/qxKd0svQ+7Pkd6VDs7zPVlHbxynt78 + MAz98oshJ0OyG5RXL++heW2+x5u6lmNhD5LjgLjcUToGCYDwJFzqI8QiwgCvcpfE + obiCI2+Ev9FZ7H8gRsASIP1DDaiYXuO3xJrAaQM77uLek6T18X+BsmvRWzRpN4Hi + JyKFPX5mcBX6AgFaVLJKhZ/GXcTuxFga8uA2sFzxridzgW3120ghCLDx9aL/8JVo + 9DaxMqo8aS0gL1yasjidAd6bkiPnZNztEIYWBHy7jq468KjmxO6XL3sn6VOIgjRL + PSSYcPKktZWhxlQgEg+OdOLzli4PqA/7ILbcPQ/wk6XA19uzmxTO2zhk8lBaGb+p + C84Kf2cYaI1RkpHzEmqPs3EpJMbBhwxVT7Gw2nfTmMIKCUfRfxCqtWOhC3pEo/Nn + 9MnZq5iqb5tJ6tUAqSkXYN+/JEM5g9Yf94m5JAlbnxYDMhWU5Mz0v00hxCd4jn8/ + fK0st+vTPpbIFXH6XeKrGwYyKBluycM2jExXsjbLnX2aINShCDuxn/LOO6hYGkcc + 7+G/kQjacDlbdJ5LtaZwbfU7p4AR+OxaqA4lr5uk+OFcMW2lF+Bbwim2F5gs3NW3 + 1KDtsrgyHTPNal8vjuWtPmZhqBR+0lwmTmaGdVmG0Q3EOthXPmB7k/iRobS/JwFV + oi0u6wkwelCkYplObE9RqCjx78Xts+0M/WVlGkjnuhWthv8pvK8L3C/eQLVXLlrn + Yf2DlWVQH64S3U/TjEwVrOVNpfqAST7KJy85JWTnShGqySRB8h+LYBHa60YiCBg3 + Qn6ZOn/aJN+dxOm1JthNJojB6DSt+gEIDr1XWQJjmiy2Bg4DnM8wRa58jfxWi/wH + a8tHGpq8DdJhKRIWvOK2YveUQ01KWVAxNnzYmREGHQGEc9d4kp5hBltX7Xh1+OWT + zDa9Zqgq0+l2SffVerERsY0KuCo6g7DCOieyDsWJEtKF3LsAcYclWq7X0RYk5ta0 + MKcG4kXZ6KJOkTynZQTtuBOJ8t7g2u0PxzxZxgLit2ukd5zm8KIdoTdUgz7Q5ZVO + ukxK4S9mn6Slfkea0k4mxRh6wttcDJ5jr7yv5iEIvQ3J2XqH64W70fm5tbD3l3W5 + fyaBxTpmb5rX7oqE0WOjtr1GVurbydUVnvBD7Jxir5tmnGsdUvRPeGYy6x4K86wH + b7IU9GEqyS44J/P2p0s+6/tOCtiS1kGRGkf5UEkEqmKu0rzhZVBx2ImqjwmOqy0c + xYnPItLdV6FVRX0Pvc7ROnqdRABpNo9bClEENR80v+hnqyh1MARDWOdUCZtccf6l + ttG5ihCcK8LunDF//qXcgFZsRvSwzAWhJkHbubpAJmkbDS7Zv25yvo/bG5VyXGqF + eAbSQHM5JJQWy9daTEeo41n2tyZu9Ubjxo7w3QhtF3UwggNnBgkqhkiG9w0BBwag + ggNYMIIDVAIBADCCA00GCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECCwvAkUo + pFtUAgIU0oCCAyAyxF7F1HQNryZd8PlbEy/f1R8MWtVQDEIJ30eTlaate/rS5RO9 + 9MOlglCc43bhk6iHzZuJ9FV/fWlFaJ6JmFPkyLPif8Rn/9EFTXGVq7smLvk0POCU + BBq/rI378tu9DbVT1JiWULvvD4bzwvChBSTlzNUo5HGRNfS/J3mLmm35c1ETYktH + L05NM86Yv2RUiTpRYDDK99heCYRwflrV6CPv+pJ5mNtniN0L4VtIPhSNczLoUZgL + hraX4qqQ82NN9VR+WBoQjvLfJSMtYxqCxkEc7uKG/cu0EJ5QAv3ufvTLq5TajXRd + Yb4Vvjxuik7WLKK4lXSMyFgvgY/NRL9zLFETTEJgpDHcfYgMmSKVy9gxZ+8S6i69 + 8okItTqJxnKZM1c/C+aAVaQb+ZiB805ntsp06zCYQljN4cnIlaMphAqf6ht6eg8M + 77I2/ZTnDw0ED/0ZGVvNKoqSE+Twito4KcZ3b9e8B15gZYhtzoE62x4kHEYYqM4+ + TVxey+9pkTGK5Y4xeDld/WiML3t/7G4jdub05Wwnu4YzqHGqKFV6gFgLqSAVlWvU + Ytn5/Ox+MjHet0tSU4ByIkbjL8G+nInc9KFBZ7udc/Qwqsn394BT0k/b4LNSvatK + JFl1z/VlnA//DyiGc1l1KWqBPLJ+0Bq0gzKse9bCFtNuYPnQf1INuRuCjxhdsCbu + CMgu2r3l7lVRscL7KbpD//cjjWza7C816hzZ21TJWLAe5HxmLs7Etnpu+/R7LwYI + jpeQPVTNzdnt7FM+bf4rWwkxfoEx/lSvV/Fdp+WGrMZ7+2VK1PHThIUo9yJRN30z + aLpRyzLR5i9qt6yyk1cLxtztoBIBmb/GvJEXEOWF80r92+LlI53sHdnqD+0+mgRE + LfnsE6vCQE5hyI9lxXalyqVUdspAsMQA5Zs94fctvZ27UzVtE5EuY6X9/4UrE7Fj + bdg7jWHVbGO/KvMa0UvgRxbglAJLAN6CwdMT1Cbca01MrmK9pcZBMKuJDcUibmQO + mzeunDJBT+BVbNRSo0zKAAfEWonFNgNdqjE9uMXzlhaIbGFlDxXhfPt9NDCCBZgG CSqGSIb3DQEHAaCCBYkEggWFMIIFgTCCBX0GCyqGSIb3DQEMCgECoIIFLjCCBSow - HAYKKoZIhvcNAQwBAzAOBAiO/0ICbTbZLQICFOwEggUIFwT/JI8UjJQPfYTFonJE - o8zEbpYWXKboqw6/zZsMGmAnUPgQNQDxyuLVprs5jUc437kVB2M3F0x8DjmEppeb - tHfIoyjoXF7jdnA4EF38tsso0K1nMPmSgl02iYZtOqsOvBpfeO5Hj4Ovhi26J9Pz - TwPcgl3QQPqfWv7CwgGVn4/hntBAriPSE4gAlfAcqkxtJBm01QwDoAdsOKOMsYnt - gWajpr1J3Hm+34NPL04Usf1OpcesPUJ4CBxNyLXxjjsOzD78WVvKY+N+j89xTsyt - z5Y0fEkFqrcl8pgBQxH72jBwSCm5YwHz3BhWQgr2bpWJ1f2LWcVsnrN9tx6RhQtA - AkcyNgX/ksp5EW4JTo+o6oXLRhXIYauRrUrisMY++b8ZJTp6C1t0RW2QdqgMZghS - ZgaW6FSC6Dy2Dd/ezdkYUCgiEtq8eSxF/8WDw6Va2iGVSNt4/p/OJ97yN5yOJ0K1 - g0hATebU+I3E74PQ9RK84FfJvyHDBC6fvYZW/ouMcgp3YmAF+dTm74Hq88X4daV+ - /UPYf/cVpyiwcBTg6H3jrkrs0yKoWLIfrIvMNBeeKZ+fl2Enw1MFzkLI4VGD/UeR - wrbhN0SHkh5lIGtu0yRTfq6msYQpkw+jr7QwJIdQyrAoaaVaRotVyvgTOLlHw8r6 - o7v36yoNov3kDPW7DfbSVTWX5lIyQn8NqMwa4N1clWT8ukfZXSaYykFSqF3w5zal - a4iIhu03GjDcfiWLMUlYVAUcvSmcIULE1oW7FKiJc8OadeIu0JBySRSEvf7B3w8l - eYUs+u/h1ptrZZKhe1JdAtlszvHJ0DD0kMqA6Ig4yomscGSol/sRUqpecIQwVZTC - RRq9dJOFJkKhKD5Eo9E0Z2snp01fpUF5qlMeBjpYgkX7jhyFyvq+qDqBAY8izvkc - ruE69WooBVyorqKHURjWtY+rhzcB4+HL72wZKzLnY3iUjJ1UANxM8mC9fpD1NJt/ - 7epqzPyZ2Kd4GJVYi8sQpFKf4tRHDr0tI5iUB78qj1EBp1w4qvRn/jC4ii7+Bas8 - mz/AJ25QeviC44Vj+eT2YYXafDivrmoeBuVMIBbD066YnuBC2CeKydNWdiARzc3I - fhcuhVwq7riotYfyDqd4e0Jy7Y57pbwv4Qwz1yCxRjSwiFQ7/fRa2Cx8xtxKcC/A - 4LGnXAKISy+uNbDWA7AYaP6RmGgMCaNiXy3F1zvxnE3bv68tXRF9vjuEChUq56N6 - 992qhoBuHP0J/mRItw+JoI4m/OFnEUGT3bNyxpEFyA7aXBE91aQdSXl4a97nC0/R - SFH/fRwPFYgxr3XdCIf3Cw5PDs25YNsXWCsDCVejWMFrwOzmDwa8sBkY270+rGv7 - 6qXvb/uGD3M2C+DySVy55Zd42wjghSezgY6taT0tqKfLOS6Vl4ELU78Q6va2o8Ml - cUdi343tOi60MZgCDUwPP8TjKZINh8u1KNhzgpwNLz1gE0dd200l3bbzdZ6uio3R - 52WQWRCk17Z9lUesCJavytcAi0mMefMxBPMOdnUi6O8TPDRA0mcohbE5rybwDXAo - B/VUbwgM0/qCpZ7VcSKN1lUuoe9+Kho0NK/gyMEvntMxGNNI8arV8UkeFollPhrt - umvdwqbVCeN8TBj5vXo6Hu+eKB7AVwjBk/rRHpZxnnVGXbm8HzM+kjib2cY1dius - VRJ/1+Q9GXuo135tQbobgcMzAmqAqZp9kDE8MBUGCSqGSIb3DQEJFDEIHgYAYgBv + HAYKKoZIhvcNAQwBAzAOBAh3So2X8cem5gICFDIEggUIhIUw+YkTW0xCm9S8Kn3k + Fm6mI68Da4CD0b/5H2QU0UaMg1DT05TwCybWFIsjdEmHhXALvxQ53nTZyIEYp5Jf + 6ICOwXBm3Vn5TL9472L6e5RPG2li1IrowR0nzFxr7oiSNWMhmv9NZbBNtHbH9KfT + HCMlouIhOnxFX+yP8YzGfiiqNLgHX7xEVWVhLBglJeet6c1xxMHR/b7z2DuI6k3U + p5NArfNwbZpT/SzLO+jqBwfFsMPXa1jmqi3W+q0xUt+obsfb7jK7ha9e+oegW7yY + fklgXJObY0YxuFbiJYJb+vnOb/qBiO15/b0xifxA/R6X6cv96T79I+9fvUOHQnQ5 + bEKXFymxd9FD2UtxcWAOhD7R3iwtPGNx4WgEOe2nOPBP4OXgk/Rvq9bTkF/1mojn + MN7oer90NsvVEEx0x6Yoayy+ncolfxAeui9LJ6Cso/bYNA7fw9GvEkC9tSCiO65L + He9O1qHss08eXUi4Nrp7zh95T5/sC8HU+blhj8asE3ofJGb8l7SrAREoVLI4D3iA + xHE7E79i5Lf/J/3eisxZXdL4nU+4bk3fuZqqScQL7BlkZPtzcDJTCcoRG0jvNCA2 + lWvzfwzrNmo5SWHXQ29It5wpGFJPRKFRIdg88GNxGwzNoxye1pnaQR/9JCjL2RSW + RhuS7bIXLKC8DlLlCUgzPoiD8UEPBhNcX7OiOSlgL0KW70qcH+jqVuSq/3t6kWlE + i0fL2OZU3s8r0hq34nuXe4pkO1VUTafZ4nOlrLFYsLj67+P/abtH67LUYgI0xZQ5 + VcywY0BN6CrxCKY2Dgkvf9+YtidysDkS5tfDMYmSEQyAORJVHKvipXeMjTblV5v/ + FhgoxXCS/FeqzEHQLioCxVsnluEaE4KukXBdJYpUJg26kuTp+kY/plzq9hLU4aF4 + 37ah/yIwI97SmulsM799Ru1tx0bigIdoB354sj6S2UcSQaEXAEf8i3ljXvK63zC4 + pDA4i37IGUqHVaH1I6bmmPqBgw3jNW7NMNUsldwawSbDAyRAw2LtI62U4DL6B6Lb + 1Cri2oAydd6YogP5eGYxfYEpjzIQ+jmElUctKPc63Fc8OVINytooTi6o/SIwDovp + WT+6liQ8M2vNcH4NSGitMcp98K1RnlstAErNtNf+pfe0NoUP9f7xpajiEFKjjTtC + FHY2eOrdaaiZG9xjOuviDmJ/4gvtdfCjpfOrwtqeYiHFvmWYgxiUfMFvuMYTYGJ9 + LdVS+rWYrjC+srQi2lPyci8JzRZFG3SV7OktujZFHANqpRVF4mFBV+hR7AYouU89 + BpkjFSkOFSOBQF9eEbK3O+6iiWYznrDie3CW2chuK7eeYEj9z69xBKJ+pfNuji1w + jx7UiSd7Wfdhohc2MKPuSJYVXCK36xeN2sh0YpmFX0o23PL41XooO9M1oTKGxPNJ + u1O3gGOV9Oeczd8+mta3OEM0TbGhA/Uwgpq8itG1CkL4nzaH3Gt59l3bL7ACyM5X + Pl8eve57SsQcarGbLs8pN3KBOC8p/ETo24WZdDJSzzAf+Kk/ObsXgFcH/u+0bi4Y + TnnrZg1O4Eiw3WJHpaRshAwrt1l4wK6R5QDIMRS2WxTzW1k+CuP13LG2c6x+SexW + zMwhkDCrNGVubXnfPwbwUGXes1+jMr4vWkklFSFJG5vR0ol8wwVbTFt/cFgv0QjM + BOsZDYlXzziQAoERKa6EBvl4d/ygICU3KzE8MBUGCSqGSIb3DQEJFDEIHgYAYgBv AGIwIwYJKoZIhvcNAQkVMRYEFEqzrDFTAkmcTeNueeAlYZU+iGIlMIIFkAYJKoZI hvcNAQcBoIIFgQSCBX0wggV5MIIFdQYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoq - hkiG9w0BDAEDMA4ECCNi2K1bMEiBAgIUdgSCBQDLIXo4ExcyE8+4aiZIj/Wnh/SV - VVR0n7s4PGCbXt+VrOHd9YzTuUicAqIcHH62dv7NSy+fgqZG7SmVR1IodadFe+5u - sAzXoyyhhEe2c+ToeVbr5rs+vBvQUyh6X5XTV5QVOAkwSyKGjyfdy86x1Q8cL2D2 - BM+Rpkm1cFtjgWcB46U6S6w50sG7XOKSCMI4a6rnHPVgPPdXMrj3VSPJY8bhBqED - PVTnfSHf/wKZrIi54O3F33B5jt6Cm9+9m9Fed8n+81w59rRom72CY9Xii/ULER9T - HwjxOZOQ+dIml23KauwexuOGjii0UR8MeM/A0n7UNys+bZTulgdpWW/mDhJ+eLAT - nhJw5ro/AWa6YVXG+t5k9LjdJ1ZmqS4bJxvBwilpEGoh0MM6Yp0dr1XM4mT/E0JM - WD458Ngs05CuCpwAUXGdQmgrVsFrrV0HTyHeVLDhe43J3GI6HCWJVOeDQzzmaO3A - M+IooRDkTHnJMaxUXphKTag5+f/smNYEhzVjZeIc8GFZ36eSI4BNGHSXFACwLu2T - hkzpXMmg50JAUhBYxqE/fVevLUH4JPLgz869wk8gRlUBo6ihQGrnsx7ZO5IsYahE - Yjz0N05PVPJYMLSyMovG9i+LpzQ49gIBzPu2fdLR41u5n5O5mG1Y4aJ7OCJxMORY - hWHuctHdGdpJsgiq8+1iiUwmfyCfb0ZL3ePMU+W0zkAsyn22aK8jDBLLVZlvOZIV - qR3Gx4QFPSk6qCMQ0E58VkMUMxYvClzTwSeEMu66eND/AKTE+XXV/d9bmSmWGk7Y - 8XrDKLKfmRdrlIeondVJv5mk12YKxBPQGeUqK5XJUa2dzH9zvfEX8iYzdt4281QC - iXJ3qwmbT+8RoOLBt4KyOs2e2ZSZnjrL9OO4oUsHIOyEfjwnWoLhKbkmun8GJxoB - 2yCzTawVQf9/qIUXaSzcp23AV6Lf1k9Of79HYPW3cQJAtjf6XBVE1xVZPkfTuC3y - VLufljs2ed/ctpHg9nuId/xHFH7t4HbmU3/ZufE1GHnsRQ3kbnqA5WXerd9UzeoD - aVDjFXGrITp8env08GXYvwWGXLL150l0DuJSv1E+1yww86SNjBYUTx0r0CJjjTk2 - 7vIUhAYUEA+J71IeifqqPDKYXnrCdUEajbfEdek30WiLR+ChEvEp48Mla6UVTLm/ - mjziwbsxm5QlGccmz13e32RiyrfseB+RyllmzeJtydP2IHkWK7pww9yOlPK0QtZs - 66IGZKqeXrWBk9QFYDX42gAy/xTfglco4KO7akhp3UzTIQyTXnt+OsOScc+ArVm/ - dwClm+ZxybtOcVyadjpKWydyfAr3aTkGxX6RmHrEWr1R9BnMGPYesDs+yeVNs1Qd - Dhff/bQLwCLXdGLWwLe6kitUiyi8F3bdfPjR7R61lEUvJrBm7YLmgdxRCJ02LFLG - n09iSMNe5vmiNaKiuzfb4Dp9dqEMhmJfdsTURagfJIyqULoe08EIIozahivbzoWV - A6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAeXO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVz - POmXhN53pDhlxkw0btkKblYA9CvP+kzgwekzCy/Mlq/HbO38CV1NKzay3yg4nteh - J+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhmeNd14Y65D9TlypM/zrXSyGoOqZgSA6HlA - gogzwwSaGwx9n/o6czE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcN - AQkVMRYEFBfFhHvQp+92kDi4s28IvJK1niuUMC8wHzAHBgUrDgMCGgQUgwafFeGU - n9Q1rAOUCgw+KWxk+8EECJ1vqXe6ro0FAgIoAA== + hkiG9w0BDAEDMA4ECJJKzeDj9Jy9AgIULwSCBQDqW3Z5nt8HxRRIJlcwYDdGa8lE + TK58VexJYzhLMwO6OtM0J6JyhKcknJYIWL754aozGhFh3wJfP0YJ5u2x6lWeNJwW + 1mRW8htE5MR1FntBeQC1+KrhmwDXhPe03/r1yiefs6lq33MuB2N9WZCCKr7SLcFA + 0UdVZNM5sbm34/7c2QMbl/yp20mE8dypNsjVFuUX9ermiBkTQiNdp5mENpYkualW + I22asZVowGOQdIgwnW238RMO+Ai8/1tY3H7kvR50aziujLDwVY9LDRZLEsmD5YXt + BR9BjpGwvPMx9kq2pKvpbVamS7N4jdEWdMNc/v0/hl/ZIBmxroztkd+IseV3ntJH + gCufXSNzSjb2vOUB2Ouu9mH9J2wpIW80Q9g297aOoV+MOoWrqkjJzcKz887/MZ9z + UeTBj8eLxUgvw/udhCt7t6C+xfyNqvMEVKRb4TAKu7f9vsI750n1fXkIuS7h9qQV + H1PKyVCl+WmfV4soJ71UVW86oMdow09PCmzIDAut0mRJ6640Tez7umv+PJd3WLk/ + j8ge3RtFP0S5sQ4fyhmaP43ZkOJkybLvap1EW/OLPaqd/rSS1sLQwdQ4kaqJlouG + 1iyVK8pLgobITNwZfRzvOakKTmo35dQkYzixB2zuJVY7ZXuiDD/7sWRNfcU8J8XT + z6Y+p5Cr+3MKbrWzw5agJ9+TtH1fORqr6Fm0bvgfhVDl5lGgBQNTgwg+2Gy+qFoF + qVoFwKpnCRutB5rFiUHW7B1fKp9RL9BZhdvNfTb5tlvDlK06uiemwI2nvnEQabAN + Toc8eZ6d6yqrlSkYj4xbyneoL7ydkViKt5gCB5+F+diTt40IN5PDJKLkemUOdwGy + BTbWvcwAFhL5hChoHQguJOqG1J7zq6Hsh4H893s5gVWBOshfadz78vwE3aPnCZ4Y + ZX/e9uiVsq67N7EblcB7IcE15y1bR0H7MXoJXumjCJx0VxZbRv228NrvUsFx+mFn + so6xsGZCrH62hkqI9lSdlRyCLxd+vjyg7xQOIXqVTIeGHP/Kie0SJNzYf2bsdrNU + A1EtlA32ti+My8eko2X1PFYCg3mX9NY3XoPJpacvpzZ5Uj/ie0Vnl6q8S7PdOjqx + YlT7QBk/qPGKCiIYyG+TRKDLNr8vTNnOGVUVxsp5vp36Pf3vaCzeddrUvd6P7Puj + 1ymz4dmvd/OOuOCtZ9lFiOqD9bHZ4BSwJR6Myr/jrprRIBGQn7QCqFDSg2N1lXqa + 1tqxKF7tRJIkq2UDQmR3Sgiv+wdQGlGNRiwNGZmNme8O1kRTbT7mCjmLfYWD50z6 + JP8q09HS+1gXfYqfbvDLQTHMQl/fxL/zmkF8xlMqtoLSIDkNvesyiT9g/JwN9X0G + hanzi3B3kMWI7lqkhO+If5SNI7Ct928YQTEfPEm79J1UGmXZBtdt9lOKK7M5b6F0 + 5TCkOp7RN7SXw+UGYx53kUspR0HNwqRa7rqXT4RodxVcnghGT4qA/rb1uQZZzWnv + TuuZolIhOxpdmhJVZdQoEWVx/w/EERdNLivqzHykeiv7OiSy4FhrgWWmWipJRB2v + cgezn/v8XSIG+KJKRLzyfx44P6senjcgmKRBITgJ85rU/uoLNGjLjEfwQb6x5Lit + KqNfcqN2PB3q3/Om4Ft5BeWk2uGXAObLe98s27rZe0iOT5eqyftyiWlMXLS0bIkg + xSrxDA2LJW5Gf8F58zE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcN + AQkVMRYEFBfFhHvQp+92kDi4s28IvJK1niuUMC8wHzAHBgUrDgMCGgQUFQ+BtZ/3 + gX+Re8eKDEP/OBp2V1YECDNLqWo6a8ZVAgIoAA== -----END PKCS12----- 6. Example Ed25519 Certification Authority The example Ed25519 Certification Authority has the following information: - * Name: "Sample LAMPS Ed25519 Certification Authority" + * Name: Sample LAMPS Ed25519 Certification Authority 6.1. Ed25519 Certification Authority Root Certificate This certificate is used to verify certificates issued by the example Ed25519 Certification Authority. -----BEGIN CERTIFICATE----- MIIBtzCCAWmgAwIBAgITH59R65FuWGNFHoyc0N3iWesrXzAFBgMrZXAwWTENMAsG A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx @@ -997,22 +1002,22 @@ 6.2. Ed25519 Certification Authority Secret Key This secret key material is used by the example Ed25519 Certification Authority to issue new certificates. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp -----END PRIVATE KEY----- - This secret key is the [SHA256] digest of the ASCII string "draft- - lamps-sample-certs-keygen.ca.25519.seed". + This secret key is the [SHA256] digest of the ASCII string draft- + lamps-sample-certs-keygen.ca.25519.seed. 6.3. Ed25519 Certification Authority Cross-signed Certificate If an e-mail client only trusts the RSA Certification Authority Root Certificate found in Section 3.1, they can use this intermediate CA certificate to verify any end entity certificate issued by the example Ed25519 Certification Authority. -----BEGIN CERTIFICATE----- MIICvzCCAaegAwIBAgITR49T5oAgYhF5+eBYQ3ZBZIMuujANBgkqhkiG9w0BAQsF @@ -1029,23 +1034,23 @@ f/v99LEcsZTcuIbnJqz35danQkp4/upG4hPkfx+nbc1bsVylrITwIGOpnGhz7z3m VCk03DFE3Qt4w9mlv9yuMse33nmsBGXog/XZvM2JRY0iKt0xksQqQD9uYm7MoMeH qQs3Ot7EaoPj54xyWvy42run6TLUye64D94SNjB/q/wjL96bsVIKGrRn10T1ybCh 4F5HD00hQZgP15Dlb1rg+vskN8MSk5nuD+6z1VsugioW0+k= -----END CERTIFICATE----- 7. Carlos's Sample Certificates Carlos has the following information: - * Name: "Carlos Turing" + * Name: Carlos Turing - * E-mail Address: "carlos@smime.example" + * E-mail Address: carlos@smime.example 7.1. Carlos's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Carlos. -----BEGIN CERTIFICATE----- MIICBzCCAbmgAwIBAgITP14fVCTRtAFDeA9zwYoXhR52ljAFBgMrZXAwWTENMAsG A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx @@ -1060,22 +1065,22 @@ -----END CERTIFICATE----- 7.2. Carlos's Signing Private Key Material This private key material is used by Carlos to create signatures. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY -----END PRIVATE KEY----- - This secret key is the [SHA256] digest of the ASCII string "draft- - lamps-sample-certs-keygen.carlos.sign.25519.seed". + This secret key is the [SHA256] digest of the ASCII string draft- + lamps-sample-certs-keygen.carlos.sign.25519.seed. 7.3. Carlos's Encryption End-Entity Certificate This certificate is used to encrypt messages to Carlos. It contains an SMIMECapabilities extension to indicate that Carlos's MUA expects ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in [RFC8418]. -----BEGIN CERTIFICATE----- MIICNDCCAeagAwIBAgITfz0Bv+b1OMAT79aCh3arViNvhDAFBgMrZXAwWTENMAsG @@ -1093,99 +1098,170 @@ -----END CERTIFICATE----- 7.4. Carlos's Decryption Private Key Material This private key material is used by Carlos to decrypt messages. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK -----END PRIVATE KEY----- - This secret key is the [SHA256] digest of the ASCII string "draft- - lamps-sample-certs-keygen.carlos.encrypt.25519.seed". + This secret key is the [SHA256] digest of the ASCII string draft- + lamps-sample-certs-keygen.carlos.encrypt.25519.seed. 7.5. PKCS12 Object for Carlos This PKCS12 ([RFC7292]) object contains the same information as presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and Section 6.3. - It is locked with the simple five-letter password "carlos". + It is locked with the simple five-letter password carlos. -----BEGIN PKCS12----- - MIIKzgIBAzCCCpYGCSqGSIb3DQEHAaCCCocEggqDMIIKfzCCAvcGCSqGSIb3DQEH - BqCCAugwggLkAgEAMIIC3QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R - pT1mkyMCAhS7gIICsGKkBm0nci9VHfqxOTWy/lkKyQeF5bwsF/9gZrqUym1KtHZF - a4rSJIPUctmzqVnhGmfW9m+LEi7Em9rRmUIQbDZt4kQDG5eDk7AdhyDnB3uZDG1W - 4cAeUVXJMzGfnwtzy5TzBZzEo5nnVX74Al+PDW9wdpbv2TIriL0m29fBT+7HVS9F - Z/95XokSwbb6mmCYeGiPpNEaoeUeuU4zrh/k+JJqDuqNsU66I30wH0CFmk3aarBV - 3LkEeCjKFkngzMOZqiKZu8D2hEUjsGQ9ALsRn7P+hIWNFIgjvqgcCMTF8fLK1C/8 - vYGD+HOpnn23nLele4b/qpFYx5kJ0bOK1Zo1SpgUQ7Bu6gectUceyOgi7CjRScuV - ew7918ZY0ugyYoIWAT0kecPM0TFtxAn19JPXo4jBYAlwUtx7GYAlDkgZCb/0dbkv - 4L+PAeJK4kVDREDQ6ch/6/hlqU8xHeNzdagEWYL6FxWDiHebASxIvZzqkLd7RV9m - dL1FXst9R9G74jOs0WMMFmd9toyOhD0q6Gl9catOrolCVS/CKaC0CucsJfiKrlJ/ - duQkt/JwcELveuOg60u2uaGKUqHmFhd3+6omk+wNBoY+0D5MmBZ/xnrVELGmzp94 - q0f/HfZPT6sxkYBGuP2eUA/qr/zimNG3TuGVch/MdnduuVhvAYLyh1gbA8yRm+I/ - zGCVuAqhsHITTx7Fqc3tyVp/mLYUO0QuwmgAw6NhzwKZf5N+tR0DZGcgw8rZpeJA - yTxVFcjzXvoShxog7RroR9Nc4FwJhWI4BO241OHFEiQZeRk8vzI8WIFXnn6t42/q - j1mV7Ba42zxPEGoY3mObKwjR6rDp6KwmmfkghpwMPU3qP2/ASV8WT1+9GIYHc5Am - 9CmSOTiQMluW70Ra2k5ZMlwnbKNyMRbjUB/yHwwwggKvBgkqhkiG9w0BBwagggKg - MIICnAIBADCCApUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECOMzXMste/8a - AgIUlICCAmgXa+q2JhTLvWsj5SKLdMninTk5uB6HhOsDKYR9GDg/cABqUFxycROG - JeJuewIRkJhsfdXJi+TSRtnQOqpyVM9oRUdxcbGuCI98fEbLmVyr7KF8GudTgC+b - eaLjn6HYkWpv7lWdvsFG8BEy6Jqi3/tP9PgNvpCYgVVM7yx6SX8QArcLSQkxbTsv - Ae0iN18H89W9xOHEz4Z2qHYyb7f0pPHrmpTGC6qmtvo1gNRsKTF0wYeQ5Sy/9U3f - oM6bIcrOvHDksaco4+5n0zeySDETY8W4mO1K0uC/t0oTOScYGBeRhVr0DQapZGT/ - Ej5LpgjXOuosAoT3IKnMwK3C0OZ8oBzcvgSpeAa/V/OTKDpZb22yq6sEaHAPoUqb - cKRJmB6HC5mdLs3n0uP1vlZuYsHu7Evt0Uhns9pbklJDiCgM+4SFgKTRbd6Xt8bf - GHkWnmpv4pQL7jjzA3epP2DHyC8MJaDvleWY7Z3t/IEtkzVxflLo8kT21edz12cm - uFVK9ilMW3eJuyiRyFXFPgVsuNi/HFnijXFgxzAncP7fFP5MCsOo6daiEjJjemKf - J3D+HdD60gFih/eX9V+tGl4y7/jtxCRA/54mit4sCy3LC0++lEp9AtFwGYrDw825 - uGj27a7mE26qgGdGXdzT9UJ8FfUsIoRPrG38Q4mhS10pTarNucWOGjkftZiKJLay - rfMRf3HYxOI/7iupfxYLK/4/FODijaHzAfSdQf2Bo7csPaz2HQkK/0nyO+tt68S9 - pUCjEfV6Liy22tang/jXxPFbBDK/P68MnmgR8C3PcYhPJCo/K0JR2/8F8pVVEqd5 - MIIDPwYJKoZIhvcNAQcGoIIDMDCCAywCAQAwggMlBgkqhkiG9w0BBwEwHAYKKoZI - hvcNAQwBAzAOBAho9g0tQyYTvwICFIGAggL43SpNCoshZX3ikmK1mOIJpS2Ah8Xv - 94S/5NA8kwHtaNXpLrjYr3CyRL93USm55uvGAtECR/EblON9zeo2p0gK2JPSbDr6 - /1oovo7UoZNRoRBZ8pUegVWJswNWjqvzVu5JIRmpD05XjVDKHbFqiXAqtj9/w3q0 - Qq/p/M9UrLWD93hyLNdIppWr2KR2it9mASTKEHX9dqXcTOG0Kp2GmrfGNteGL02j - qVKZaZyYI8gkSxhVLS9zzgf1OynAkzYQsoo+GKhdAW1fJECemAyPc3L+eeARw/SY - q1d5QVwxKfYpIJ2wiiavdeRVNbWiwV7Ti+P9PtPx/hV22NNLwMhvnJcHaSS1PaOi - SjoxFJ1EJWGEs0QwcdwM8iN3oVuqT5HU/edMgx9TLNTiE1g2GEq59I/RwBtCL8Dh - OzKnUb4PU1Z81+HimV3KPI8g3cduhYaBR4HfqAhMnc+w5HXI6J3C1NtAE/izZ1Y2 - Od7l+GTJfjPgzIy0hjqfbMt8uU9D9aPr2XjNOWoKRSojae16v8bLx+dFn6RMxFUS - g3nLEZ6EDpyrJfpGPm6mPgZKSXtvnHuFcbS+utkRuVAtqu07r2XpkGBIJLNVIRHU - 5gLACbTj9TPcAce6RLoaYSDgOuFK0YZMdwzhsAI0YMpyHsUEZpQ5tjWSBY6ENbvF - 7+QhmDnf6N3Bj+vxUtGS40pVsYCGbmOD7UM5QpUxIgVkpPrfRokOZs/fi9sW+Xy6 - eQ2Brbn3t9C2TAsORYzFbuBwuTCqFW/rXHS6iffJpx2eAg3DCqaUAJjptSV/yzj4 - vxiXlDB3fMRcpNd5Je7DoHS4axuj7SLHdpNoUHs+qQsG6yDM5BEuXWGxo/L9sGhe - XQrUnkZ4m4g01sfgTOfDNurXx/oP0ym+B50q6nLUWv0tYZpmCVil358dIEGPPSMY - AMXh05tIPFdYSJ3WLs0cxy5X4sXZl5w16Pzeb9SF5topqRUb5PDTfVr2bQUMwTbp - 99FcOQf6cg8HXyT+8b4qKp9WyjCBxAYJKoZIhvcNAQcBoIG2BIGzMIGwMIGtBgsq - hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAgNhfODEdzSrQICFF0EOCEq - Fie1peicS9OSXNQjLwbN3kO8lYM2HqeSZoEKJ4JSFlV1kWW3xwfu5aZKrGEYBfGM - d8renRijMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBsAG8AczAjBgkqhkiG9w0B - CRUxFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwgcQGCSqGSIb3DQEHAaCBtgSBszCB - sDCBrQYLKoZIhvcNAQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQINFcqIEMfd9UC - AhS1BDgZruEsSaBY+Cm9WKR8HhH3JXh+AoMSrwkDCKytWt+MNIXB0jY2QZHDbN3u - Fn7qHw06MDthnKniazFCMBsGCSqGSIb3DQEJFDEOHgwAYwBhAHIAbABvAHMwIwYJ - KoZIhvcNAQkVMRYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MC8wHzAHBgUrDgMCGgQU - 8nOYIWrnJVXEur957K5cCV3jx5cECJDjaZkfy4FnAgIoAA== + MIIYJAIBAzCCF+wGCSqGSIb3DQEHAaCCF90EghfZMIIX1TCCBJ8GCSqGSIb3DQEH + BqCCBJAwggSMAgEAMIIEhQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQI7xhQ + zoEDt2UCAhQIgIIEWMgzPbEtNf6qVctx2p5i7x6wAz15AjqfNv+qiIHQtPljZ23b + BjHWAdxuri+jbwV+jY1JWwMG7CvikBZN0EeWkjeTC5R6RFz0QPoK5cetdcu1gyX1 + /ugrG48vgnrNwxfZOaBzRUuudLB0FI0ns436XPPgAPx9lCZ+jZesjfj38mSB+qb6 + SxFbZc9ix4bMgPMqCyjF6o1TL25HGCfN562sNcG/xLqNT94wvw1Ofibd1ywuunlE + Mm/L/G31U8ZehA27XHHSKXOTkSxQ7cNCh9ZfU9tpFm8XMo6s30BQRCHubF+VLzso + 7xPhtc8/ldcl9MyLnpSBzYhPbHwIxbDo9DxqN7N8latA+WKXT0YlR+bCfF9XQnbH + xFKk08U51XCT8mBp8BdAHp2n60XwDfBm3eQPJfc5TOyfoLOEkJNbC+dA88hb97zv + Uw8bW91YtiU2XvIrKUajJVlXHCBFZnCnFwst+f19T5PFGPAj7s4mZdPWnQTtLyjw + pHnuT4/U5w1sHAvf2oZ0PdUNq/yqjdKARxsRvS7lBTcci89Lto0OwF4TRzi/vdFZ + X5bBhf/WYY6gacG1X9pzTPl5qp3doOwwhxXIvoneQFVAP21yI0imrus+66mxB6Gd + wQf8iZMniS/1Gpu1N5XUUSL1B/qcxYK72YOK12ChpgzEETwJ7Y0lYrbOsJt8IhE1 + WxsDy6nWLA2c8/1OU16l1mIgrVoKVOs0ZkK2dCDYdr0qKqeKgdHqp3INeUKX1ZQo + k/kYAD6Mo0QkjW5fPbt/vQWSspjTKzpcz3NgQYKMcFqlB8P186nb4BvrDky0BM3i + P7mXpcRb42WSY77xpeUDhUg1q6fnlTdtm5NdUZkuSgpHpQUrs945KTkxfLReErSd + 15OAAnODb5T8+5JdXOLAgHnPPezRuof1LQZsytsx4nC92OrboC2Yn3hHEqcgqQYE + BywzDNGuA8ISEmdKvo7AgaJvoFEvLDmas8T5I2yuWQ9mDXMurgKFxheMSpHpZiPc + JE/n45ooSH+uX3HDUVmjUOYQf35udyurbS772Zrptguek6VdjV3F6GV0Q4X3wIo9 + llV+aFe2/v3Mm/tt+h0KW8XVfBOB62uvb7ac7ipBjAHBeGYFQeVkmI0Nzvizk1lA + jKtmIGZ8MwBp2e6rpu3g9rCbCz53LxWB4yJYgGc6NQmWxWQGjLUqdOkYuQwEdjr9 + 6hpZbtXvXs+jcDO8OACg9kfjX6EzK2kVXoGdy7tPMH6ElXEaSf4tzIhfwvwNapj5 + 7smeQbXQj/v9HC9XbgdslB89V1wAcU1PG/xBjEulm6O9EN8xhEXfegzIGxJ7JcVq + 7kaxdX6BPPH4iW2Bwbv+FFvSQOwMf1SVjpE/LcV5JxkYrfT2cEinTcZsEFfP5XOZ + aJw3xmya24L2ynjNfljmpK1xg38OkzeCVebkeQ82OAYequb/iTz2yyfaeUoXbNlR + wcc++JwAWlkj6FS/dy5gwLTGvUBkMIIEdwYJKoZIhvcNAQcGoIIEaDCCBGQCAQAw + ggRdBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAjBHiWMROp4AgICFOKAggQw + FC71dSM3kMdsEhcjRPE+6YRmvktReM0XxK7+5FTD6tGJsl6gglHIre4gC3LKekFp + 4P346gebmSflwp1v/7ReLpNPXngK98HXfVcxHYFXWKOYdgHSVqGBbpH6v961C6XW + PGwIvQ9+H6R6Np1gw3CZ2CJN1paFKmciHmCDkc1iPKbr0I8J5fruol7SS1WMnWFQ + AWk+EuR+Di9vNYD0+7QyNANu1Ud9yvlLaPxCcrgZBccXe/om07penmWPwVuXq2aq + zc2/vUq3JLqrg5d5OiP4ZEwksvSIBzZSNlAM08D1Ez4fDmMt9iRvlztujOKad/Gc + bwhhy/kUZ+HliTA5ItnZRJSXtsICwpH2DqJ4MnvtQtOjcl72uyFOigC/DANDjSYo + YJn44h4dx351AyuF6wpyRwYfaXzjAaQ39SsEQpvSzzZmKYrsgjQEwIoWv0EcBvqR + AQjHVBnJK/ZFNhTHDlD5RrXtkM3VLU5zhiNtsMWAj0gAN0DNBqHP8y9ZqVInWWjF + YvoThcpHuwKI+pRto0fLsZxwWaZiCqAs8tJpF/iXcUoCm6+eGXNBBbBwzABaMC0S + c3HyhQ9luuQeq0m5WbulGfXKFA7OAo+pWnivbHjIoEOVeJgnLYLT2ImOOypKYepN + 48kyVBAJ8y5QDnG82/4GU7VSW8ZztIbAWzhVFuEejuhd3V6bvPxI36lYrPeObees + c1WuaQgDvHf1VFjoGCZRDW0Nw/kxmvWqwnfLmhZVo8LbIJGTstMt+rNvAD7zhtCM + M3LhWfT/IYI4xCQFpP+ENG9DZFHpVorRrAVu9OwbXGSJOGUx0ISlZiBA3Gtou59W + NN089EprACk7VDIQlzOS8Ox5vwo8UwqEKWt+537xIbclanc6pIYz6F6RgwEHb+T4 + 4xKEbE/cNLJHQEJJZ8tF4afN3DENPLMnDoyAbetPrJILomZEayKfkY+dkXFGiyxU + xslhk+JR7Utc4e+WNCZ0hnUyid0ZE7qjMUFSzdYoSmPZttM4zRh4qpCfXTyhvQkI + G88dNenQ/b51VCCNfWqRKytrpnhZQYKd7SuNQLh2GAL/urlWtYq5rDRDKGLv7vmu + 0NloL4xJjWVlUSGsSjlOigZNfvphEDqYimIGXhiU6uAQN64suvWMVMNoNIwcZVrP + zZQUky59Ct6ahnc5cdSwWWmwKxJj1GHtvn82tMoR2LtERJMx/hEdqrCSNXvrIeZl + ozwSh9mXupO6Fa0KIpf0txZl6zK1/8F3xvly0lyxpsYwrTeTlGKm2y/RMUYp8tDJ + zUZu34oeOogonerOnSIU7kEM0slXJs16lIrReFI46ZQ3XGB98MLuCser+5SzzgvY + Bf+alMAiz8qUTFMBuLFFoM0IRCsSmaaclSBB2NjpFOVjR+sajmxWEcN4lPO604Ru + N0cFylKAYe9BJlxhNFx1AjCCA2cGCSqGSIb3DQEHBqCCA1gwggNUAgEAMIIDTQYJ + KoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIkUQBCq0OgUgCAhQ3gIIDIFJKEkt8 + ErFDpHJT+IOyrxR/ULSFmO5aBopLCJd44vSqxcHl1EEH0LQ3bAedxiiI8Go4iy3H + Aw9nvpyvkZTrXWfhZqgsLsuD3AYHVHVCO/9pmZe4gWuWosR7PMI6RUoE4f00My5+ + kmm5gRpJ6Ol0SUG7yZ5P+ESc7emwkjzPqQds29WegzFgU4lLVk0UMq76a14m80or + kWpjWpWddkid+Ku7cr8vU9BOpkTObmg9Gd8T1GGliQa1UvvyOxRKtdwOMOjM0OBs + pmc4RFNk49zLbsTaOZIgiv2CN6aCL7ZVqGNrnHfkglKV5uq119hnTkr8rPvXqgcK + vnc6bvMQUp388wzYzjkLQw0oS8+Jr3NaJefj65e0MZlPOOA+uGPHKo2XXRndy6np + /ASNEj7nAYQUTBwu4/GIdjmaCwauTiyvYMZOyVlp0mISZ4+YfeZTFqpjX/K39RFK + ubLSQHpevhn5vFUO90/94U1FQkLCGQ1V4xcDe2SZe0NF3B+dJw5R+NjE8Nvv1VfQ + isw/Qv3MlTTqz8VFBtbPdg77rwzVnSJuHinrVW9FwlDTNA9hhDbnBeZdyZkeEBUT + ddjOGGeudc6SYbp4Dy9hsmr5x4o0GKsUJWyItO8+NPbKfFYpYB97NsaoiNQN1wXG + LD8zKNZ9VKlpeW9n8b8/j61jxCiWwQILeGAuDsLpFxaQEtOBiDmzXKZjC45Efp1E + +Wps/rpEIpYnAF6hoj292amDbenkPsq0TlYuo3u1M4PqqBwQ0FC72ssNlM9uUNTI + G1q83GH3snnarr59+DpiIaTZkEhj3fBh+9dJnbzxPhHT2d0cze4eTF3nhG9u1cxL + fE1qruycIWkHXF0XsVnzw6CwEToLWNr06QOjsKBTAsMmMd0w6WWeL+b1DO26avlu + 6tx83SCPp7EoxPdwFYB2Jqg4+KT/L87RtuPzHlGeFsh7QhCfI8Qk7CAkfk67Zhv1 + PFWsYKcJZvAuZHZXiSrMPY9NEB2DaDBGN/DFnwk4JVjlj9ACJ98MY+c2id8dkuTd + ejwtalC1VPehC2HhqRR/9oGnIFzh0drCi20JMIIFogYJKoZIhvcNAQcBoIIFkwSC + BY8wggWLMIIFhwYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0BDAEDMA4E + CPaeHSwq2qj1AgIUjgSCBQA6OexrotUYcswY06ija4HfeLQQYbDA9+UjC5xEi6QX + FRIAXfT1zoqZ6R+9sYnyCNqZWRzsKR6+OswWSlPjsgC6CXI3YO/MjtDo/MSif6Mw + O5ZIxqPYcbslKDF6Og7MQ8C+tRu2qfu7e6ufkw/cyO3BXNyOU6tS7iCbNlVn28EF + 6W/14HvXsQ4mv1yAwvoWa5G9hettvwxMIL3KADLkEI40abpzbH/LOMXEAPHghunQ + xijllviwYQKEJGqJmtShpBOxBGHkTik0b8xJK5LfX+oSowehO8yv7/z52c9x9RKY + p2jLPudBByeA93iWhaUIe+p3ueexS4hmjegshjXE3LBm9ppZ1zWhJr8ipA/DY/1g + KGy3tM5OUYc8CGbWstJfQ9dxsse8qG1WmwhNtCj5heXWMGZgsbt53+eSoirgJVFq + 40NzVryc3BEc+JS/d+U7MeL7ySdvGRHZ9kb8ItdsDcNAPMhvN/XXhALSBs5GWec5 + dqAUYyd5GREVCOqoPkKx/secOOGUkHl2unUD3ub+6JDXplSyiQulS04EXLZJqPWN + yEK2wWCPsWquhTvVJCB6W/xcgtdY0zq7fiq0sZf6qPjb4s+hIDZXSWENh1VnuJBg + 9e40G/jh4M+vEdrLPpOLLCEhpiVxzRyQG0eP3EL8EWBZd71lX45VgGt+ZXVoNuDY + PcLuQAHYcN8Sixg+8gTakuJGUwYGBy5tRjAWGGdtd2cuWrvtKxjooP/gLQ8hVAFi + Dedo7ab5t8xar5lhG2ftAH59CqP5+Sr3ZpIkldu1lxlJHxDO0Pws1EyVkwllrxNO + li3ETTwUeyENPswGPN+cTgKMJvPf5sCVlUWCS7I7pRPUUx5F4mebz/Drgeuqr54D + feXu4zvDxUHUQGrb6g2bIxlvDU6/CJo11LVpRLRWWc3YfBSvOYwUjCehyK2kaC9/ + FhlRvqDZGuFFjKB04QanP0M7H6f31iH05a2gakxYhWw9wPysEw+Te/KJp/TBJnsX + YjQCDDi1A69Pq/Xo1IONutCKKq/gQKpku53acvTYtdEscbNEschY4PWjbsy8h/tF + HAm90g3eCxGqIU18Vb6bErm4x/wurBw2025yXTK4LEOc6ZyZi53RAsUBPjcob+xh + urBScAwv1mEIzH5luy5yvF/jjkJBl11SgYVfRZFTEGZs/l6h4REGwe1SaCyCa2pn + eojFOlxk1pHe4QTlbjfv19xAvurpzUu9e9Hfl7M7c3V3WFXiyMUlqNS9CNRDEj4G + Re35XVrehDrymodsAsIzyxU1iQvAN2BD1BeZI286YagK2mZX/q/YWCq2s0HGyESa + XdBoVm7JzkrQt4q+Am4fi8SNrKNVQD8x3b7UQ1EQ23L/MnS3+p2jaw4evnrnuoy3 + eihOofuRVdbECvMCurGom72zCjC8KcVZ8yssWYIZKQjRr3dgdGUFiaJ6jA+Xgxws + 2GGMgTu6G3/Y1AOrF96qC0G6geHjPbByWGKKSPEqswyllsYlk4m2j+JU/BEh44+8 + lCdPfg0eAkanNdyJoXbYBxFRDaAxeKUEnNtwZ/wo4yLAJBdoo2extWP/9kvrEfII + qqiVUAZNS2pKx6apysRtRDWzmm4leoc41lQ7yK+OT+d/Kkq9iiFrpj4esbJYHe7C + RA18+Sc4nwNAsJrF4zBWN3eBfxk1YRDT8zTEsIyyMpes1xHm6KJq1rpfWDdjpEgJ + IzFOMCMGCSqGSIb3DQEJFTEWBBRAtwlRIx9e+C9k2MGQwb2AVNthojAnBgkqhkiG + 9w0BCRQxGh4YAGMAYQByAGwAbwBzAC4AMgA1ADUAMQA5MIIFogYJKoZIhvcNAQcB + oIIFkwSCBY8wggWLMIIFhwYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0B + DAEDMA4ECMEFrpUx/mJTAgIUIgSCBQAJ3iJnERsIV+zUmXifQtXp08dtGZ4th5vJ + 1sGGtredTpyG/xZCI91P27VtdvAJLJO1fvqRVTqwztJJ109vimnYaeMlnQPwFjmE + tHATQcrpVPd4k6Vq3DnRKu71118pR4nTNnCS3IzwnTgGZeZJvz0wOWdqOgrUX7v4 + DuLvMOmecTBWvJcy8ypN2itfuDQ2J9o/G3kmExzmDkHRuFB1LtkCZTus1JS7AJ8Y + MnoWJmmOItF3lDURRxOCFY4fhs+EEhOMz7gvvRWxtnUXqNj7hq02shVO8zDjUgxL + oKMOfD3hj2O+3+woRrvvTgVHKP/rlorn/m0SYy7JCcJ+oC3PPhFqlDLKFsBZfqgE + DWezGXAvevOnHVVyqmNo32iSV8kJggFwv1K6tJkR55lILvwl/dKeSiPk7NpImngw + /5vhTCLAelZMU4QqdTp5tFgzKcH25kU4b6DFKs4IGRDXbrdKEk8TV4jNIoivv4KS + kKjPVdkXZkqmn39e8D2VGDb6j/t1hD3kI2WgYwWN5GKQlcWIwYdVncINkimkjmlM + 1rTk6hF8rma/BiN6RfJMs6JsNduLIKebtiMoVLFc91MwQbAbY0GZ35GTKunQURrT + abAJZiVOSFzrArLEsEteQBBu9kph2rdwMIv3+cAVQDsYckAhQhRDXQwvOjYnUwsM + XB/Xde3hkngm6g+4ZYSftC5pKOhBamHoR8q0xggFmGA2gsmA/AMCkamhrhfYDYlG + Bg5SZJwZVI/Wq+8mpZ+mXKsIkKo/piYVXl/RLSJLmksBwg5nETOsQtAh0wzn5Fv9 + sqbcJzVboZgZ+zxbGQW6d0MNFoFJ33G6CJ1tGmqS5TK1BuADGGCZNNSph4IK/WW7 + /8XHS1Vh4fs3XMoqlA50XNtk9Rymxb9Vwr5CbRGUzVT0mkJbPm8M5SzMSWKawhfv + F/ecrBdz+Z+nN05ULBIEJXv00fLZZ5dNNWs+Nwa+A1NqSIjrrvy0rkd42dneA0ss + kjMCsI1qy/pwmpxBOnvGu2/GN6pWqTm2kNuJtFSWnGUU6zecz0jP0jC10j33EQAl + d22usIzIA2VGoojA7xO07UacQ+w4axa2eOOATApdU8Vs+621GO2Yb5On27aEMbs2 + dm9D0XoION5u1hXfgSg175sVA0IStIT/2ktkyC5fUJJYDB4klpPG0EBTwRfqOvqG + Kf27ZDhxHY8DZySh6idUJMAGfMpUnpIOlX3tWroRMEMWBnao7Pfy9n1Q1ySGWFRo + DD1BkfNZXabovM6qdpGD2zbp+MAFF7l/fsV4otDH2UjC1jpPyibVyUYme3/9et65 + H2WtzCC6+ARR3FHGiR+6JBcKbov1VEy1XW2IeDLdUCOFWoiRyWDkUFyKLtKPOncH + +4NczdYh+EyvHijf3N8Dyiw/lnSLHmYFlBULYjRFbplIlPw0iJdDLLW6A8z78cO5 + hqkKRbXIxM9jKMM3ccqYFiKeVAHmbEX5AEvQau387acVkEwDORqXuvXN9GVdteNn + BIe5kd9p+m+SONqUkmPJGRUJdt2kwVFvpW/woLS+tAk5Ys3u5eDfH0av59lp8xKa + /vLaoBTtSiUIU/KuXt3D7yas/Ybo1etc02KO913dd8ByjWdozhD8aLF0o9PEeBPC + ttm93YSrv7ttH1LF5vfhi9xq+yGhbEvbJHtD6y5g7KeUekwfXMxd0C8M1OyakcHH + Arh3TJZ3WDFOMCMGCSqGSIb3DQEJFTEWBBRB2kp/JAu+EV0KnNDuwZWyHH7/azAn + BgkqhkiG9w0BCRQxGh4YAGMAYQByAGwAbwBzAC4AMgA1ADUAMQA5MC8wHzAHBgUr + DgMCGgQUS7gZkMK++JTD92Cctznb5uLKdvEECJmBdZIPusX5AgIoAA== -----END PKCS12----- 8. Dana's Sample Certificates Dana has the following information: - * Name: "Dana Hopper" + * Name: Dana Hopper - * E-mail Address: "dna@smime.example" + * E-mail Address: dna@smime.example 8.1. Dana's Signature Verification End-Entity Certificate This certificate is used for verification of signatures made by Dana. -----BEGIN CERTIFICATE----- MIICAzCCAbWgAwIBAgITaWZI+hVtn8pQZviAmPmBXzWfnjAFBgMrZXAwWTENMAsG A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxNTAzBgNVBAMTLFNhbXBsZSBM QU1QUyBFZDI1NTE5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTIwMTIxNTIx MzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA4MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQL @@ -1199,22 +1275,22 @@ -----END CERTIFICATE----- 8.2. Dana's Signing Private Key Material This private key material is used by Dana to create signatures. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N -----END PRIVATE KEY----- - This secret key is the [SHA256] digest of the ASCII string "draft- - lamps-sample-certs-keygen.dana.sign.25519.seed". + This secret key is the [SHA256] digest of the ASCII string draft- + lamps-sample-certs-keygen.dana.sign.25519.seed. 8.3. Dana's Encryption End-Entity Certificate This certificate is used to encrypt messages to Dana. It contains an SMIMECapabilities extension to indicate that Dana's MUA expects ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in [RFC8418]. -----BEGIN CERTIFICATE----- MIICMDCCAeKgAwIBAgITDksKNqnvupyaO2gkjlIdwN7zpzAFBgMrZXAwWTENMAsG @@ -1232,30 +1308,30 @@ -----END CERTIFICATE----- 8.4. Dana's Decryption Private Key Material This private key material is used by Dana to decrypt messages. -----BEGIN PRIVATE KEY----- MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3 -----END PRIVATE KEY----- - This seed is the [SHA256] digest of the ASCII string "draft-lamps- - sample-certs-keygen.dana.encrypt.25519.seed". + This seed is the [SHA256] digest of the ASCII string draft-lamps- + sample-certs-keygen.dana.encrypt.25519.seed. 8.5. PKCS12 Object for Dana This PKCS12 ([RFC7292]) object contains the same information as presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and Section 6.3. - It is locked with the simple four-letter password "dana". + It is locked with the simple four-letter password dana. -----BEGIN PKCS12----- MIIKtgIBAzCCCn4GCSqGSIb3DQEHAaCCCm8EggprMIIKZzCCAu8GCSqGSIb3DQEH BqCCAuAwggLcAgEAMIIC1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH TA2APx0CAhQXgIICqK+HFHF6dF5qwlWM6MRCXw11VKrcYBff65iLABPyGvWENnVM TTPpDLqbGm6Yd2eLntPZvJoVe5Sf2+DW4q3BZ9aKuEdneBBk8mDJ6/Lq1+wFxY5k WaBHTA6LNml/NkM3za/fr4abKFQnu6DZgZDGbZh2BsgCMmO9TeHgZyepsh3WP4ZO aYDvSD0LiEzerDPlOBgjYahcNLjv/Dn/dFxtOO3or010TTUoQCqeHJOoq3hJtSI+ 8n0iXk6gtf1/ROj6JRt/3Aqz/mLMIhuxIg/5K1wxY9AwFT4oyflapNJozGg9qwGi PWVtEy3QDNvAs3bDfiNQqAfJOEHv2z3Ran7sYuz3vE0FnPfA81oWbazlydjB0P/B @@ -1310,102 +1386,108 @@ zAawM6xXMt2WMC8wHzAHBgUrDgMCGgQUzSoHpcIerV21CvCOjAe5ZVhs2M8ECC5D kkzl2MltAgIoAA== -----END PKCS12----- 9. Security Considerations The keys presented in this document should be considered compromised and insecure, because the secret key material is published and therefore not secret. - Applications which maintain blacklists of invalid key material SHOULD - include these keys in their lists. + Any application which maintains a denylist of invalid key material + SHOULD include these keys in its list. 10. IANA Considerations IANA has nothing to do for this document. 11. Document Considerations [ RFC Editor: please remove this section before publication ] This document is currently edited as markdown. Minor editorial changes can be suggested via merge requests at https://gitlab.com/dkg/lamps-samples or by e-mail to the author. Please direct all significant commentary to the public IETF LAMPS - mailing list: "spasm@ietf.org" + mailing list: spasm@ietf.org 11.1. Document History 11.1.1. Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05 + + * Added outbound references for acronyms PEM, CRL, and OCSP, thanks + Stewart Brant. + +11.1.2. Substantive Changes from draft-ietf-*-04 to draft-ietf-*-05 + * Switch from SHA512 to SHA1 as MAC checksum in PKCS#12 objects, for interop with Keychain Access on macOS. -11.1.2. Substantive Changes from draft-ietf-*-03 to draft-ietf-*-04 +11.1.3. Substantive Changes from draft-ietf-*-03 to draft-ietf-*-04 * Order subject/issuer DN components by scope. * Put cross-signed intermediate CA certificates into PKCS#12 instead of self-signed root CA certificates. -11.1.3. Substantive Changes from draft-ietf-*-02 to draft-ietf-*-03 +11.1.4. Substantive Changes from draft-ietf-*-02 to draft-ietf-*-03 * Correct encoding of S/MIME Capabilities extension. * Change "Certificate Authority" to "Certification Authority". * Add CertificatePolicies to all intermediate and end-entity certificates. * Add organization and organizational unit to all certificates. -11.1.4. Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02 +11.1.5. Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02 * Added cross-signed certificates for both CAs * Added S/MIME Capabilities extension for Carlos and Dana's encryption keys, indicating preferred ECDH parameters. * Ensure no serial numbers are negative. * Encode keyUsage extensions in minimum-length BIT STRINGs. -11.1.5. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 +11.1.6. Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01 * Added Curve25519 sample certificates (new CA, Carlos, and Dana) -11.1.6. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 +11.1.7. Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00 * WG adoption (dkg moves from Author to Editor) -11.1.7. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 +11.1.8. Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05 - * PEM blobs are now "sourcecode", not "artwork" + * PEM blobs are now sourcecode, not artwork -11.1.8. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 +11.1.9. Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04 * Describe deterministic key generation + * label PEM blobs with filenames in XML -11.1.9. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 +11.1.10. Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03 * Alice and Bob now each have two distinct certificates: one for signing, one for encryption, and public keys to match. -11.1.10. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 +11.1.11. Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02 * PKCS#12 objects are deliberately locked with simple passphrases -11.1.11. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 +11.1.12. Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01 * changed all three keys to use RSA instead of RSA-PSS - * set keyEncipherment keyUsage flag instead of dataEncipherment in EE certs 12. Acknowledgements This draft was inspired by similar work in the OpenPGP space by Bjarni Runar and juga at [I-D.bre-openpgp-samples]. Eric Rescorla helped spot issues with certificate formats. @@ -1410,28 +1492,29 @@ Eric Rescorla helped spot issues with certificate formats. Sean Turner pointed to [RFC4134] as prior work. Deb Cooley suggested that Alice and Bob should have separate certificates for signing and encryption. Wolfgang Hommel helped to build reproducible encrypted PKCS#12 objects. - Carsten Bormann got the XML "sourcecode" markup working for this - draft. + Carsten Bormann got the XML sourcecode markup working for this draft. David A. Cooper identified problems with the certificates and suggested corrections. Lijun Liao helped get the terminology right. + Stewart Brant and Roman Danyliw provided editorial suggestions. + 13. References 13.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., @@ -1475,20 +1558,24 @@ Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP Example Keys and Certificates", Work in Progress, Internet-Draft, draft-bre-openpgp-samples-01, 20 December 2019, . [RFC4134] Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134, DOI 10.17487/RFC4134, July 2005, . + [RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, + PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, + April 2015, . + [RFC7469] Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April 2015, . [RFC8410] Josefsson, S. and J. Schaad, "Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure", RFC 8410, DOI 10.17487/RFC8410, August 2018, .