draft-ietf-sipcore-sec-flows-02.txt vs. draft-ietf-sipcore-sec-flows-03.txt

This page is the diff between draft-ietf-sipcore-sec-flows-02 (dated
January 22, 2010, expiring July 26, 2010) and draft-ietf-sipcore-sec-flows-03
(dated June 14, 2010).  The text below follows -03; where -02 differed in
substance, the -02 value is noted in place.

Network Working Group                                        C. Jennings
Internet-Draft                                             Cisco Systems
Intended status: Informational                                    K. Ono
Expires: December 16, 2010                           Columbia University
                                                               R. Sparks
                                                         B. Hibbard, Ed.
                                                                 Tekelec
                                                           June 14, 2010

   Example call flows using Session Initiation Protocol (SIP) security
                               mechanisms
                    draft-ietf-sipcore-sec-flows-03
Abstract

   This document shows example call flows demonstrating the use of
   Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
   Extensions (S/MIME) in Session Initiation Protocol (SIP).  It also
   provides information that helps implementers build interoperable SIP
   software.  To help facilitate interoperability testing, it includes
   certificates used in the example call flows and processes to create
   certificates for testing.
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2010.  (The -02 draft
   was to expire on July 26, 2010.)

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
     2.2.  Host Certificates . . . . . . . . . . . . . . . . . . . .  9
     2.3.  User Certificates . . . . . . . . . . . . . . . . . . . . 10
   3.  Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12
     3.1.  TLS with Server Authentication . . . . . . . . . . . . . . 12
     3.2.  MESSAGE Message Over TLS . . . . . . . . . . . . . . . . . 14
   4.  Callflow with S/MIME-secured Message . . . . . . . . . . . . . 15
     4.1.  MESSAGE Message with Signed Body . . . . . . . . . . . . . 15
     4.2.  MESSAGE Message with Encrypted Body . . . . . . . . . . .  21
     4.3.  MESSAGE Message with Encrypted and Signed Body . . . . . . 23
   5.  Observed Interoperability Issues . . . . . . . . . . . . . . . 28
   6.  Additional Test Scenarios . . . . . . . . . . . . . . . . . . 30
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 31
   9.  Security Considerations . . . . . . . . . . . . . . . . . . . 32
   10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 32
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
     11.1. Normative References . . . . . . . . . . . . . . . . . . . 34
     11.2. Informative References . . . . . . . . . . . . . . . . . . 36
   Appendix A.  Making Test Certificates . . . . . . . . . . . . . . 36
     A.1.  makeCA script . . . . . . . . . . . . . . . . . . . . . . 37
     A.2.  makeCert script . . . . . . . . . . . . . . . . . . . . . 41
   Appendix B.  Certificates for Testing . . . . . . . . . . . . . . 43
     B.1.  Certificates Using EKU . . . . . . . . . . . . . . . . . . 43
     B.2.  Certificates NOT Using EKU . . . . . . . . . . . . . . . . 50
     B.3.  Certificate Chaining with a Non-Root CA . . . . . . . . . 58
   Appendix C.  Message Dumps . . . . . . . . . . . . . . . . . . . . 64
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 67

   (Appendix B.3 is new in -03; the page numbers from Section 6 onward
   shift by a few pages relative to -02 as a result.)
1.  Introduction

   This document is informational and is not normative on any aspect of
   SIP.

   SIP with TLS (RFC 5246 [14]) implementations are becoming very
   common.  Several implementations of the S/MIME (RFC 3851 [9]) portion
   of SIP (RFC 3261 [3]) are also becoming available.  After several
   interoperability events, it is clear that it is difficult to write
   these systems without any test vectors or examples of "known good"
   messages to test against.  Furthermore, testing at the events is
   often hindered due to the lack of a commonly trusted certificate
   authority to sign the certificates used in the events.  This document
   addresses both of these issues by providing messages that give
   detailed examples that implementers can use for comparison and that
   can also be used for testing.  In addition, this document provides a
   common certificate and private key that can be used to set up a mock
   Certificate Authority (CA) that can be used during the SIP

   (In -02 the same references were numbered [12], [8] and [2]; -03
   renumbers the reference list.)

   Section 5 presents a partial list of items that implementers should
   consider in order to implement systems that will interoperate.

   Scripts and instructions to make certificates that can be used for
   interoperability testing are presented in Appendix A, along with
   methods for converting these to various formats.  The certificates
   used while creating the examples and test messages in this document
   are made available in Appendix B.

   Binary copies of various messages in this document that can be used
   for testing appear in Appendix C.
2.  Certificates

2.1.  CA Certificates

   The certificate used by the CA to sign the other certificates is
   shown below.  This is an X509v3 certificate.  Note that the X.509v3
   Basic Constraints extension (CA:TRUE) marks it as a certificate
   authority (CA) certificate.  This certificate is not used directly in
   the TLS call flow; it is used only to verify user and host
   certificates.
           Version: 3 (0x2)
           Serial Number:
               96:a3:84:17:4e:ef:8a:4c
       Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: May 10 20:54:48 2010 GMT
               Not After : Apr 16 20:54:48 2110 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    OU=Sipit Test Certificate Authority
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit):
                       00:c6:4d:2b:8b:79:14:07:db:c7:61:88:98:4f:a2:
                       7c:e3:61:80:fb:27:05:18:ed:3c:c9:0d:e5:f1:dc:
                       92:4e:eb:ce:77:91:4b:e7:f3:68:60:b0:40:00:6f:
                       74:5b:4e:1d:c9:97:c8:70:4a:66:fc:13:46:aa:d2:
                       98:b0:3e:9a:86:de:3c:20:d1:0b:35:a2:2d:e6:92:
                       e6:03:49:b0:db:4c:62:2f:59:86:94:20:69:69:7a:
                       0a:16:5a:d5:01:a5:08:06:29:6e:85:a6:ae:a1:01:
                       0b:f6:1f:53:c5:95:b0:6e:b0:b4:8d:0e:f9:e9:cb:
                       5d:7a:44:21:14:ec:9a:a8:ad
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Key Identifier:
                   38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
               X509v3 Authority Key Identifier:
                   38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:96:A3:84:17:4E:EF:8A:4C
               X509v3 Basic Constraints:
                   CA:TRUE
       Signature Algorithm: sha1WithRSAEncryption
           2f:08:4d:b4:01:9b:79:ff:af:c8:ce:e5:5d:30:3c:fa:99:3a:
           48:ba:1b:28:f8:7c:ea:d6:4a:17:85:82:e6:49:81:1b:24:bf:
           01:ff:fa:fc:55:12:2b:07:b8:c0:39:fa:10:73:88:59:56:b7:
           7f:96:01:30:af:89:0f:0a:6d:4e:ae:d8:04:ae:94:d4:67:78:
           2a:c4:36:86:4b:e1:4c:a6:6d:46:d9:2c:73:0f:da:fe:8f:ba:
           02:10:09:b7:1b:c6:13:a9:90:a9:02:15:60:61:32:79:c5:e8:
           2b:d8:e4:b1:ba:eb:c7:7f:19:0c:69:b1:c6:92:af:ee:1c:74:
           55:d5

   The CA certificate was regenerated for -03.  In -02 it had serial
   number 0, a validity of Jul 18 12:21:52 2003 GMT to Jul 15 12:21:52
   2013 GMT, a different 1024-bit key, and the Subject Key Identifier
   6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6.  The -03
   certificate is valid for one hundred years, so the test CA no longer
   expires on interop participants.
   The ASN.1 parse of the CA certificate is shown below.  Note that the
   notAfter date of 2110 is encoded as GENERALIZEDTIME, as RFC 5280
   requires for dates from 2050 onward, while notBefore is still UTCTIME;
   an implementation that only accepts UTCTIME will fail to parse this
   certificate.  (The -02 certificate, expiring in 2013, used UTCTIME
   for both dates, and its parse had the offsets shifted by the shorter
   serial number.)

       0:l= 822 cons: SEQUENCE
       4:l= 671 cons: SEQUENCE
       8:l=   3 cons: cont [ 0 ]
      10:l=   1 prim: INTEGER :02
      13:l=   9 prim: INTEGER :96A384174EEF8A4C
      24:l=  13 cons: SEQUENCE
      26:l=   9 prim: OBJECT :sha1WithRSAEncryption
      37:l=   0 prim: NULL
      39:l= 112 cons: SEQUENCE
      41:l=  11 cons: SET
      43:l=   9 cons: SEQUENCE
      45:l=   3 prim: OBJECT :countryName
      50:l=   2 prim: PRINTABLESTRING :US
      54:l=  19 cons: SET
      56:l=  17 cons: SEQUENCE
      58:l=   3 prim: OBJECT :stateOrProvinceName
      63:l=  10 prim: PRINTABLESTRING :California
      75:l=  17 cons: SET
      77:l=  15 cons: SEQUENCE
      79:l=   3 prim: OBJECT :localityName
      84:l=   8 prim: PRINTABLESTRING :San Jose
      94:l=  14 cons: SET
      96:l=  12 cons: SEQUENCE
      98:l=   3 prim: OBJECT :organizationName
     103:l=   5 prim: PRINTABLESTRING :sipit
     110:l=  41 cons: SET
     112:l=  39 cons: SEQUENCE
     114:l=   3 prim: OBJECT :organizationalUnitName
     119:l=  32 prim: PRINTABLESTRING :Sipit Test Certificate Authority
     153:l=  32 cons: SEQUENCE
     155:l=  13 prim: UTCTIME :100510205448Z
     170:l=  15 prim: GENERALIZEDTIME :21100416205448Z
     187:l= 112 cons: SEQUENCE
     189:l=  11 cons: SET
     191:l=   9 cons: SEQUENCE
     193:l=   3 prim: OBJECT :countryName
     198:l=   2 prim: PRINTABLESTRING :US
     202:l=  19 cons: SET
     204:l=  17 cons: SEQUENCE
     206:l=   3 prim: OBJECT :stateOrProvinceName
     211:l=  10 prim: PRINTABLESTRING :California
     223:l=  17 cons: SET
     225:l=  15 cons: SEQUENCE
     227:l=   3 prim: OBJECT :localityName
     232:l=   8 prim: PRINTABLESTRING :San Jose
     242:l=  14 cons: SET
     244:l=  12 cons: SEQUENCE
     246:l=   3 prim: OBJECT :organizationName
     251:l=   5 prim: PRINTABLESTRING :sipit
     258:l=  41 cons: SET
     260:l=  39 cons: SEQUENCE
     262:l=   3 prim: OBJECT :organizationalUnitName
     267:l=  32 prim: PRINTABLESTRING :Sipit Test Certificate Authority
     301:l= 159 cons: SEQUENCE
     304:l=  13 cons: SEQUENCE
     306:l=   9 prim: OBJECT :rsaEncryption
     317:l=   0 prim: NULL
     319:l= 141 prim: BIT STRING
        00 30 81 89 02 81 81 00-c6 4d 2b 8b 79 14 07 db   .0.......M+.y...
        c7 61 88 98 4f a2 7c e3-61 80 fb 27 05 18 ed 3c   .a..O.|.a..'...<
        c9 0d e5 f1 dc 92 4e eb-ce 77 91 4b e7 f3 68 60   ......N..w.K..h`
        b0 40 00 6f 74 5b 4e 1d-c9 97 c8 70 4a 66 fc 13   .@.ot[N....pJf..
        46 aa d2 98 b0 3e 9a 86-de 3c 20 d1 0b 35 a2 2d   F....>...< ..5.-
        e6 92 e6 03 49 b0 db 4c-62 2f 59 86 94 20 69 69   ....I..Lb/Y.. ii
        7a 0a 16 5a d5 01 a5 08-06 29 6e 85 a6 ae a1 01   z..Z.....)n.....
        0b f6 1f 53 c5 95 b0 6e-b0 b4 8d 0e f9 e9 cb 5d   ...S...n.......]
        7a 44 21 14 ec 9a a8 ad-02 03 01 00 01            zD!..........
     463:l= 213 cons: cont [ 3 ]
     466:l= 210 cons: SEQUENCE
     469:l=  29 cons: SEQUENCE
     471:l=   3 prim: OBJECT :X509v3 Subject Key Identifier
     476:l=  22 prim: OCTET STRING
        04 14 38 ad 80 84 e2 e0-16 6b 93 9f 89 f8 46 51   ..8......k....FQ
        67 2c da 8d 80 9c                                 g,....
     500:l= 162 cons: SEQUENCE
     503:l=   3 prim: OBJECT :X509v3 Authority Key Identifier
     508:l= 154 prim: OCTET STRING
        30 81 97 80 14 38 ad 80-84 e2 e0 16 6b 93 9f 89   0....8......k...
        f8 46 51 67 2c da 8d 80-9c a1 74 a4 72 30 70 31   .FQg,.....t.r0p1
        0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
        06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
        61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
        4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
        69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
        69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66   ipit Test Certif
        69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82   icate Authority.
        09 00 96 a3 84 17 4e ef-8a 4c                     ......N..L
     665:l=  12 cons: SEQUENCE
     667:l=   3 prim: OBJECT :X509v3 Basic Constraints
     672:l=   5 prim: OCTET STRING
        30 03 01 01 ff                                    0....
     679:l=  13 cons: SEQUENCE
     681:l=   9 prim: OBJECT :sha1WithRSAEncryption
     692:l=   0 prim: NULL
     694:l= 129 prim: BIT STRING
        00 2f 08 4d b4 01 9b 79-ff af c8 ce e5 5d 30 3c   ./.M...y.....]0<
        fa 99 3a 48 ba 1b 28 f8-7c ea d6 4a 17 85 82 e6   ..:H..(.|..J....
        49 81 1b 24 bf 01 ff fa-fc 55 12 2b 07 b8 c0 39   I..$.....U.+...9
        fa 10 73 88 59 56 b7 7f-96 01 30 af 89 0f 0a 6d   ..s.YV....0....m
        4e ae d8 04 ae 94 d4 67-78 2a c4 36 86 4b e1 4c   N......gx*.6.K.L
        a6 6d 46 d9 2c 73 0f da-fe 8f ba 02 10 09 b7 1b   .mF.,s..........
        c6 13 a9 90 a9 02 15 60-61 32 79 c5 e8 2b d8 e4   .......`a2y..+..
        b1 ba eb c7 7f 19 0c 69-b1 c6 92 af ee 1c 74 55   .......i......tU
        d5                                                .
2.2.  Host Certificates

   The certificate for the host example.com is shown below.  Note that
   the Subject Alternative Name is set to example.com and is a DNS type.
   The certificates for the other hosts are shown in Appendix B.
           Version: 3 (0x2)
           Serial Number:
               49:02:11:01:84:01:5e
       Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: May 11 20:22:56 2010 GMT
               Not After : Apr 17 20:22:56 2110 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (2048 bit)
                   Modulus (2048 bit):
                       00:d1:da:2d:b3:77:42:5f:00:99:1e:f4:b6:6c:51:
                       51:bb:0b:20:b3:f9:c7:93:97:ff:02:ac:81:92:d5:
                       a1:1c:c9:24:16:46:59:d1:92:1d:0d:bf:66:3a:66:
                       c6:5c:aa:3b:07:21:bf:45:40:63:94:20:30:81:e3:
                       5f:aa:e6:c7:60:aa:6c:22:8f:47:64:94:9a:71:b1:
                       18:51:2e:81:e9:a3:32:64:b4:38:f4:35:eb:da:3f:
                       6f:82:f1:7a:4d:dc:e1:c5:e3:05:1b:c1:78:83:48:
                       d4:64:6e:98:4b:4e:ce:85:7f:0d:62:5d:1b:8a:72:
                       c1:9d:bd:85:dc:37:f0:a7:c1:cc:60:ad:b7:39:cb:
                       20:ff:89:9f:65:06:35:93:5b:61:d0:04:1b:a3:d4:
                       70:57:d9:d5:c0:52:f4:70:0d:ca:f6:0a:42:8b:52:
                       47:e2:a1:cb:0e:17:9d:d6:ea:41:e5:6a:5a:29:a8:
                       11:af:52:65:a4:79:8e:4f:ef:fc:ec:a7:3a:ca:56:
                       45:b7:87:dd:e9:c7:f9:b7:f7:e8:12:f8:b5:a2:08:
                       ce:9e:c4:cc:70:85:a6:e9:d3:cc:76:6d:11:67:b0:
                       00:14:a0:55:a6:63:36:fa:c2:e0:bd:45:3c:14:b0:
                       ed:88:f6:19:14:d6:c3:a2:79:ca:be:69:52:d0:78:
                       15:b3
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Alternative Name:
                   DNS:example.com, URI:sip:example.com
               X509v3 Basic Constraints:
                   CA:FALSE
               X509v3 Subject Key Identifier:
                   AC:96:21:E6:54:7D:E7:1E:A1:F1:58:86:D9:5F:AD:CB:DC:F1:66:92
               X509v3 Authority Key Identifier:
                   38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
                   DirName:/C=US/ST=California/L=San Jose/O=sipit/
                           OU=Sipit Test Certificate Authority
                   serial:96:A3:84:17:4E:EF:8A:4C
               X509v3 Key Usage:
                   Digital Signature, Non Repudiation, Key Encipherment
               X509v3 Extended Key Usage:
                   TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
           52:ae:66:df:55:1d:99:3c:9e:17:09:3d:4a:59:19:88:8f:df:
           ee:2b:75:ca:c5:b3:36:ce:37:10:5f:6f:0e:f2:4f:2a:62:34:
           19:5c:7a:3e:a3:cb:99:ae:a7:7c:a6:34:59:a7:43:a3:dc:ef:
           e5:80:86:3f:21:21:95:5b:74:4c:23:e3:1e:1d:14:43:86:48:
           b9:f5:c9:f0:a9:48:a3:1e:52:91:56:d5:ed:b2:56:52:8f:f4:
           02:e8:4c:80:83:e6:0c:aa:e0:d6:b0:5c:75:d2:90:39:52:8b:
           b5:48:dc:68:bc:e5:5c:5c:dd:43:34:af:14:3a:85:60:a3:46:
           17:69

   In -02 this certificate had serial number 01:52:01:54:01:90:00:43, a
   validity of Apr 28 22:12:00 2009 GMT to Apr 27 22:12:00 2012 GMT, a
   different key, and a Subject Alternative Name of "DNS:com,
   URI:sip:example.com".  That dNSName was a defect: a TLS client that
   matches the server identity against dNSName entries would not accept
   the certificate for example.com.  -03 reissues it under the new CA
   with DNS:example.com.
   The example host certificate above, as well as all the others
   presented in this document, are signed directly by a root CA.  These
   certificate chains have a length of two: the root CA and the host
   certificate.  Non-root (intermediate) CAs also sign certificates, and
   the chain presented by a host whose certificate was signed by a
   non-root CA has a length greater than two.  For more details on how
   certificate chains are validated, see Section 6.1.4 of RFC 5280
   [15].

   (-03 adds Appendix B.3, "Certificate Chaining with a Non-Root CA",
   covering that longer-chain case.  -02 carried a TODO at this point to
   change the subjectAltName DNS:com to DNS:example.com and DNS:net to
   DNS:example.net; -03 makes that fix and removes the TODO.)
2.3.  User Certificates

   User certificates are used by many applications to establish user
   identity.  The user certificate for fluffy@example.com is shown
   below.  Note that the Subject Alternative Name carries a list of
   names of different URI types (sip, im and pres).  This is necessary
   for interoperating with a CPIM gateway.  In this example, example.com
   is the domain for fluffy.  The message could be coming from any host
   in *.example.com, and the AOR in the user certificate would still be
   the same.  The others are shown in Appendix B.1.

   These certificates make use of the EKU extension discussed in Draft
   SIP EKU [16].  Note that the X509v3 Extended Key Usage attribute
   refers to the SIP OID introduced in Draft SIP EKU [16], which is
   1.3.6.1.5.5.7.3.20.
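   The extension values printed in Sections 2.1 to 2.3 (Basic Constraints
   CA:TRUE, the host Subject Alternative Name with a dNSName and a sip:
   URI, the SIP OID in the Extended Key Usage, and the user Subject
   Alternative Name with sip:, im: and pres: URIs) are what a SIP
   implementation has to pull out of the DER before it can decide whether
   a peer's certificate names the expected domain.  The following is an
   added example, not code from the draft or from any SIP stack: a small
   DER walker (printing in the same "offset:l= length cons/prim" style as
   the ASN.1 parse above), decoders for the three extensions, and a host
   identity check.  The sample DER values are constructed here to mirror
   the printed extensions; they are not the bytes of the draft's
   certificates.  The matching policy in host_cert_identifies (dNSName
   or URI sip:<domain>, and the SIP domain OID required whenever an EKU
   extension is present) is an assumption made for the example, not a
   rule the draft states.

```python
"""DER decoder for the extension values printed in Sections 2.1 to 2.3, plus the
host-identity check a SIP TLS client makes on them.  Added example, standard
library only; the sample DER is constructed to mirror the printed values."""

SIP_DOMAIN_EKU = "1.3.6.1.5.5.7.3.20"   # SIP OID named in the EKU paragraph above
ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage (RFC 5280)
TAG_NAMES = {0x01: "BOOLEAN", 0x04: "OCTET STRING", 0x06: "OBJECT",
             0x30: "SEQUENCE", 0x82: "cont [ 2 ] dNSName", 0x86: "cont [ 6 ] URI"}


def tlv(tag, content):
    """DER-encode one TLV; used only to build the constructed samples below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_walk(buf, start=0, end=None, depth=0, out=None):
    """Walk DER TLVs recursively; entries are (offset, depth, tag, constructed, length, content).
    Truncated headers, indefinite lengths and children overrunning their parent are rejected."""
    end = len(buf) if end is None else end
    out = [] if out is None else out
    i = start
    while i < end:
        if i + 1 >= end:
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, first = buf[i], buf[i + 1]
        if tag & 0x1F == 0x1F:
            raise ValueError("multi-byte tags do not occur in these extensions")
        if first < 0x80:
            length, cstart = first, i + 2
        else:
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4 or i + 2 + nbytes > end:
                raise ValueError("bad DER length at offset %d" % i)
            length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
            cstart = i + 2 + nbytes
        cend = cstart + length
        if cend > end:
            raise ValueError("TLV at offset %d overruns its enclosing element" % i)
        constructed = bool(tag & 0x20)
        out.append((i, depth, tag, constructed, length, bytes(buf[cstart:cend])))
        if constructed:
            der_walk(buf, cstart, cend, depth + 1, out)
        i = cend
    return out


def asn1_listing(buf):
    """Render a walk in the 'offset:l= length cons/prim: NAME' style used in this document."""
    return ["%d:l=%4d %s: %s" % (off, ln, "cons" if cons else "prim",
                                 TAG_NAMES.get(tag, "tag 0x%02x" % tag))
            for off, _d, tag, cons, ln, _c in der_walk(buf)]


def decode_oid(content):
    """OID content octets -> dotted string (2b 06 01 05 05 07 03 14 -> 1.3.6.1.5.5.7.3.20)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def basic_constraints_is_ca(value):
    """'30 03 01 01 ff' -> True.  cA is DEFAULT FALSE, so an end-entity value is just '30 00'."""
    return any(tag == 0x01 and content == b"\xff"
               for _o, depth, tag, _c, _l, content in der_walk(value) if depth == 1)


def subject_alt_names(value):
    """GeneralNames -> [('DNS', 'example.com'), ('URI', 'sip:example.com'), ...]."""
    kinds = {0x81: "email", 0x82: "DNS", 0x86: "URI"}
    return [(kinds.get(tag, "tag 0x%02x" % tag), content.decode("ascii", "replace"))
            for _o, depth, tag, _c, _l, content in der_walk(value) if depth == 1]


def extended_key_usages(value):
    """ExtKeyUsageSyntax -> list of dotted OIDs."""
    return [decode_oid(content) for _o, depth, tag, _c, _l, content in der_walk(value)
            if depth == 1 and tag == 0x06]


def host_cert_identifies(domain, san_value, eku_value=None, uri_form=True):
    """Assumed policy for this example: the SAN must name the SIP domain as dNSName <domain>
    or (if uri_form) as URI sip:<domain>, compared case-insensitively; uri_form=False models
    TLS stacks that only look at dNSName.  If an EKU extension is present it must list the
    SIP domain OID or anyExtendedKeyUsage."""
    domain = domain.lower()
    if not any((kind == "DNS" and name.lower() == domain) or
               (uri_form and kind == "URI" and name.lower() == "sip:" + domain)
               for kind, name in subject_alt_names(san_value)):
        return False
    if eku_value is None:
        return True
    ekus = extended_key_usages(eku_value)
    return SIP_DOMAIN_EKU in ekus or ANY_EKU in ekus


# Constructed samples mirroring the printed extension values (not the certificates' bytes).
BASIC_CONSTRAINTS_CA = bytes.fromhex("30030101ff")     # CA:TRUE, as in the CA certificate parse
BASIC_CONSTRAINTS_END_ENTITY = bytes.fromhex("3000")   # CA:FALSE
SAN_HOST_03 = tlv(0x30, tlv(0x82, b"example.com") + tlv(0x86, b"sip:example.com"))
SAN_HOST_02 = tlv(0x30, tlv(0x82, b"com") + tlv(0x86, b"sip:example.com"))  # -02's DNS:com
SAN_USER = tlv(0x30, b"".join(tlv(0x86, u) for u in (
    b"sip:fluffy@example.com", b"im:fluffy@example.com", b"pres:fluffy@example.com")))
EKU_HOST = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301"))      # serverAuth
                   + tlv(0x06, bytes.fromhex("2b06010505070314")))      # SIP domain OID
EKU_WEB_ONLY = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301")))
```

   With these samples, host_cert_identifies("example.com", SAN_HOST_03,
   EKU_HOST) returns True, and the -02 shape SAN_HOST_02 is accepted only
   through its sip: URI: with uri_form=False, as a dNSName-only client
   would see it, it is rejected, which is the interoperability failure
   the -03 fix removes.  A host certificate whose EKU lists only TLS Web
   Server Authentication (EKU_WEB_ONLY) is rejected under this policy,
   so a test CA that emits EKU must include 1.3.6.1.5.5.7.3.20 as the
   certificate above does.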
   (In -02 the corresponding certificate had serial number
   01:52:01:54:01:90:00:47, a validity of Apr 29 17:10:46 2009 GMT to
   Apr 28 17:10:46 2012 GMT, a different key, and the Subject Key
   Identifier D2:A2:22:FB:4D:A1:37:B9:15:0B:1E:FC:27:BC:FA:00:A7:1C:F2:29;
   -03 reissues it under the new CA.)

           Version: 3 (0x2)
           Serial Number:
               49:02:11:01:84:01:5c
       Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=US, ST=California, L=San Jose, O=sipit,
                   OU=Sipit Test Certificate Authority
           Validity
               Not Before: May 11 20:22:55 2010 GMT
               Not After : Apr 17 20:22:55 2110 GMT
           Subject: C=US, ST=California, L=San Jose, O=sipit,
                    CN=fluffy@example.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (2048 bit)
                   Modulus (2048 bit):
                       00:d5:9d:cf:3e:bd:83:4e:2d:df:c9:bf:86:57:cf:
                       0d:26:a9:e9:08:35:45:e7:5f:ae:a3:5d:60:d1:3c:
                       2f:6f:db:92:49:fd:05:12:68:6c:d9:ca:66:2d:02:
                       e2:20:8a:8a:10:0a:a1:db:ee:b3:6b:c5:39:e6:4a:
                       49:b1:41:00:f3:f8:91:07:17:83:40:a6:bc:68:99:
                       a6:32:08:4f:4f:34:64:ae:9f:b1:0f:9c:d5:14:96:
                       fb:40:62:84:85:b7:ba:38:29:cc:1d:ba:19:83:d9:
                       59:21:ba:1e:4b:04:53:f6:aa:a6:68:4d:9a:5f:36:
                       90:4d:ae:01:df:58:f2:89:ec:51:c9:a1:20:65:a9:
                       de:5c:c9:f3:57:7f:76:56:0d:23:fc:d6:26:e7:01:
                       25:75:2a:e4:26:3b:df:db:35:61:02:0c:0f:14:68:
                       18:70:13:d6:41:0a:a4:d1:5b:99:7b:32:60:78:7b:
                       a8:95:71:80:b5:df:63:fc:ca:f4:9e:f7:a5:a0:0c:
                       13:6d:55:ad:17:9d:34:f2:80:66:03:86:a0:a7:83:
                       52:0e:ea:b7:49:ea:75:e4:c9:d8:b7:72:37:dd:30:
                       b1:33:d4:56:26:e8:33:70:c5:97:db:ba:63:89:3f:
                       9c:65:45:51:18:a8:fb:96:14:09:f0:8e:55:01:f7:
                       ad:99
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Subject Alternative Name:
                   URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
                   URI:pres:fluffy@example.com
               X509v3 Basic Constraints:
                   CA:FALSE
               X509v3 Subject Key Identifier:
                   DD:D5:75:00:3E:4C:15:7C:9C:49:C0:07:10:CB:CA:4E:07:A1:CE:4F
               X509v3 Authority Key Identifier:
6B:46:17:14:EA:94:76:25:80:54:6E:13:54:DA:A1:E3:54:14:A1:B6
38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
DirName:/C=US/ST=California/L=San Jose/O=sipit/ DirName:/C=US/ST=California/L=San Jose/O=sipit/
OU=Sipit Test Certificate Authority OU=Sipit Test Certificate Authority
serial:00 serial:96:A3:84:17:4E:EF:8A:4C
X509v3 Key Usage: X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage: X509v3 Extended Key Usage:
E-mail Protection, 1.3.6.1.5.5.7.3.20 E-mail Protection, 1.3.6.1.5.5.7.3.20
Signature Algorithm: sha1WithRSAEncryption Signature Algorithm: sha1WithRSAEncryption
80:a0:db:45:dd:7d:b6:50:b6:93:27:36:cd:cd:28:3c:39:23: 9c:c5:bc:04:88:81:19:35:2b:ba:be:d4:02:8d:41:25:45:95:
aa:e4:6e:9c:f7:d9:8c:96:4d:b7:36:f6:ac:c1:8f:86:d8:6a: 8b:cf:f6:a4:95:bc:5b:d8:eb:87:6a:48:29:34:6c:ef:87:e0:
91:3a:4f:5a:68:32:37:df:0f:dd:40:b7:34:68:91:ce:0f:f0: e3:73:ca:3a:dd:a3:d2:d6:74:5b:cc:00:7f:28:fc:e4:07:b6:
16:02:ee:be:b6:1d:e1:92:87:c9:5e:a9:42:78:26:45:bb:17: 5c:e8:72:ea:ee:7d:40:99:58:26:b0:7d:5b:0d:36:e2:9e:b1:
08:ee:83:ea:e9:d8:30:84:66:90:69:b8:78:ff:c4:09:5c:ea: 40:8d:fc:af:f0:f2:60:d8:36:46:7e:a8:fa:2a:47:52:35:71:
e2:8a:10:e6:f9:64:eb:db:47:0e:10:29:4d:0e:bb:53:65:70: 11:ab:ec:fb:28:cf:fa:1d:a9:5d:8b:72:29:67:1d:be:fb:e3:
e1:71:82:c8:d0:14:f4:24:30:49:a6:fc:80:a8:b1:84:bc:e9: bd:5d:c9:57:6d:75:d5:40:b5:77:52:69:b6:c4:1f:ec:03:60:
73:75 1e:a1
Versions of these certificates that do not make use of EKU are also
included in Appendix B.2
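As an added example (not part of the draft or of the sipit test tooling), the Go program below builds a self-signed user certificate shaped like the fluffy@example.com certificate above (sip:, im: and pres: URIs in the Subject Alternative Name, CA:FALSE, Extended Key Usage of E-mail Protection plus the SIP OID 1.3.6.1.5.5.7.3.20) and then applies the check a SIP UA or proxy would make before accepting that certificate for an AOR: the AOR must appear as a sip: URI in the SAN, and if an EKU extension is present at all it must include the SIP OID. The function names (makeTestCert, sipIdentities, checkSIPCert) are this example's own; an ECDSA P-256 key stands in for the draft's RSA key so the program runs quickly, and the serial and validity dates are generated here, not copied from the draft.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// The SIP OID printed in the certificate dump's Extended Key Usage.
var oidSIPDomain = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 20}

// sipIdentities returns the AORs a certificate asserts: the URI-form
// subjectAltName entries with the sip: scheme ("fluffy@example.com").
func sipIdentities(cert *x509.Certificate) []string {
	var ids []string
	for _, u := range cert.URIs {
		if u.Scheme == "sip" {
			ids = append(ids, u.Opaque) // sip:fluffy@example.com has no "//", so Opaque holds the user@domain part
		}
	}
	return ids
}

// checkSIPCert decides whether cert may be used for aor. A certificate with
// no EKU extension at all is unrestricted; one that carries an EKU must list
// the SIP OID, otherwise it was issued for some other purpose.
func checkSIPCert(cert *x509.Certificate, aor string) error {
	found := false
	for _, id := range sipIdentities(cert) {
		if id == aor {
			found = true
		}
	}
	if !found {
		return errors.New("AOR not present as a sip: URI in subjectAltName")
	}
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return nil
	}
	for _, oid := range cert.UnknownExtKeyUsage { // Go has no named constant for the SIP EKU
		if oid.Equal(oidSIPDomain) {
			return nil
		}
	}
	return errors.New("Extended Key Usage present but does not include 1.3.6.1.5.5.7.3.20")
}

// makeTestCert builds a self-signed certificate with the draft's subject and
// SAN contents. withSIPEKU=false omits the SIP OID so the rejection path can
// be exercised. Key type, serial and dates are this example's, not the draft's.
func makeTestCert(withSIPEKU bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{Country: []string{"US"}, Province: []string{"California"},
			Locality: []string{"San Jose"}, Organization: []string{"sipit"},
			CommonName: "fluffy@example.com"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		BasicConstraintsValid: true, // emits CA:FALSE
	}
	for _, s := range []string{"sip:fluffy@example.com", "im:fluffy@example.com", "pres:fluffy@example.com"} {
		u, _ := url.Parse(s)
		tmpl.URIs = append(tmpl.URIs, u)
	}
	if withSIPEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSIPDomain}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeTestCert(true)
	if err != nil {
		panic(err)
	}
	fmt.Println("identities:", sipIdentities(cert))
	fmt.Println("fluffy@example.com:", checkSIPCert(cert, "fluffy@example.com"))
	fmt.Println("kumiko@example.net:", checkSIPCert(cert, "kumiko@example.net"))
}
```

The same check applies to the non-EKU certificates of Appendix B.2: with no EKU extension present the AOR match alone decides.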
3. Callflow with Message Over TLS

3.1. TLS with Server Authentication

The flow below shows the edited SSLDump output of the host
example.com forming a TLS RFC 5246 [14] connection to example.net.
In this example mutual authentication is not used. Note that the
client proposed three protocol suites including
TLS_RSA_WITH_AES_128_CBC_SHA defined in RFC 3268 [5]. The
certificate returned by the server contains a Subject Alternative
Name that is set to example.net. A detailed discussion of TLS can be
found in SSL and TLS [22]. For more details on the SSLDump tool, see
the SSLDump Manual [23].

This example does not use the Server Extended Hello (see RFC 3546
[8]).
Old (draft-02) dump:

New TCP connection #1: www.example.com(57592) <-> www.example.com(5061)
1 1  0.0015 (0.0015)  C>SV3.1(101)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          49 f7 83 8d 1f 21 c7 73 0c 9f 61 ab 13 2d 6b 26
          1e 79 0c 68 b3 b6 f8 24 54 6b 41 0d 9b 3a 03 31
        cipher suites
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
          TLS_DHE_RSA_WITH_AES_256_SHA
          TLS_RSA_WITH_AES_256_CBC_SHA
          TLS_DSS_RSA_WITH_AES_256_SHA
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
          TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA
          TLS_DHE_DSS_WITH_AES_128_CBC_SHA
          TLS_ECDHE_RSA_WITH_DES_192_CBC3_SHA
          TLS_ECDH_RSA_WITH_DES_192_CBC3_SHA
          TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
          TLS_ECDHE_RSA_WITH_RC4_128_SHA
          TLS_ECDH_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_RC4_128_MD5
          TLS_DHE_RSA_WITH_DES_CBC_SHA
          TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_WITH_DES_CBC_SHA
          TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_DHE_DSS_WITH_DES_CBC_SHA
          TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
          NULL
1 2  0.0040 (0.0024)  S>CV3.1(48)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          49 f7 83 8d a0 f8 f0 3f ff 2d d4 13 9c 29 2b 2b
          fc 1c 92 b9 a8 2a d2 10 0c 54 8e fd af d6 42 22
        session_id[0]=
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod   NULL
1 3  0.0040 (0.0000)  S>CV3.1(1823)  Handshake
      Certificate
1 4  0.0040 (0.0000)  S>CV3.1(14)  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_types   unknown value
      ServerHelloDone
1 5  0.0360 (0.0320)  C>SV3.1(7)  Handshake
      Certificate
1 6  0.0360 (0.0000)  C>SV3.1(262)  Handshake
      ClientKeyExchange
1 7  0.0360 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 8  0.0360 (0.0000)  C>SV3.1(48)  Handshake
1 9  0.0770 (0.0410)  S>CV3.1(170)  Handshake
1 10 0.0770 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
1 11 0.0770 (0.0000)  S>CV3.1(48)  Handshake
1 12 0.0780 (0.0010)  C>SV3.1(32)  application_data
1 13 0.0780 (0.0000)  C>SV3.1(448)  application_data
1 14 0.2804 (0.2023)  S>CV3.1(32)  application_data
1 15 0.2804 (0.0000)  S>CV3.1(416)  application_data
1 16 12.3288 (12.0483)  S>CV3.1(32)  Alert
1    12.3293 (0.0004)  S>C  TCP FIN
1 17 12.3310 (0.0017)  C>SV3.1(32)  Alert

New (draft-03) dump:

New TCP connection #1: example.com(50713) <-> example.net(5061)
1 1  0.0004 (0.0004)  C>SV3.1(101)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3
          ff 81 74 ab 04 69 bb 79 8c dc 59 cd c2 1f b7 ec
        cipher suites
          TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
          TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
          TLS_DHE_RSA_WITH_AES_256_SHA
          TLS_RSA_WITH_AES_256_CBC_SHA
          TLS_DSS_RSA_WITH_AES_256_SHA
          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
          TLS_DHE_RSA_WITH_AES_128_CBC_SHA
          TLS_RSA_WITH_AES_128_CBC_SHA
          TLS_DHE_DSS_WITH_AES_128_CBC_SHA
          TLS_ECDHE_RSA_WITH_DES_192_CBC3_SHA
          TLS_ECDH_RSA_WITH_DES_192_CBC3_SHA
          TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_RSA_WITH_3DES_EDE_CBC_SHA
          TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
          TLS_ECDHE_RSA_WITH_RC4_128_SHA
          TLS_ECDH_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_RC4_128_SHA
          TLS_RSA_WITH_RC4_128_MD5
          TLS_DHE_RSA_WITH_DES_CBC_SHA
          TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_WITH_DES_CBC_SHA
          TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
          TLS_DHE_DSS_WITH_DES_CBC_SHA
          TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
          TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
          NULL
1 2  0.0012 (0.0007)  S>CV3.1(48)  Handshake
      ServerHello
        Version 3.1
        random[32]=
          4c 09 5b a7 30 87 74 c7 16 98 24 d5 af 35 17 a7
          ef c3 78 0c 94 d4 94 d2 7b a6 3f 40 04 25 f6 e0
        session_id[0]=
        cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod   NULL
1 3  0.0012 (0.0000)  S>CV3.1(1858)  Handshake
      Certificate
1 4  0.0012 (0.0000)  S>CV3.1(14)  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_types   unknown value
      ServerHelloDone
1 5  0.0043 (0.0031)  C>SV3.1(7)  Handshake
      Certificate
1 6  0.0043 (0.0000)  C>SV3.1(262)  Handshake
      ClientKeyExchange
1 7  0.0043 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
1 8  0.0043 (0.0000)  C>SV3.1(48)  Handshake
1 9  0.0129 (0.0085)  S>CV3.1(170)  Handshake
1 10 0.0129 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
1 11 0.0129 (0.0000)  S>CV3.1(48)  Handshake
1 12 0.0134 (0.0005)  C>SV3.1(32)  application_data
1 13 0.0134 (0.0000)  C>SV3.1(496)  application_data
1 14 0.2150 (0.2016)  S>CV3.1(32)  application_data
1 15 0.2150 (0.0000)  S>CV3.1(336)  application_data
1 16 12.2304 (12.0154)  S>CV3.1(32)  Alert
1    12.2310 (0.0005)  S>C  TCP FIN
1 17 12.2321 (0.0011)  C>SV3.1(32)  Alert
3.2. MESSAGE Message Over TLS

Once the TLS session is set up, the following MESSAGE message (as
defined in RFC 3428 [7]) is sent from fluffy@example.com to
kumiko@example.net. Note that the URI has a SIPS URL and that the
VIA indicates that TLS was used. In order to format this document,
the <allOneLine> convention from RFC 4475 [21] is used to break long
lines. The actual message does not contain the linebreaks contained
within those tags.
MESSAGE sips:kumiko@example.net:5061 SIP/2.0 MESSAGE sips:kumiko@example.net:5061 SIP/2.0
Via: SIP/2.0/TLS 208.77.188.166:15001;\ <allOneLine>
branch=z9hG4bK-d8754z-3be7667f18d2f53c-1---d8754z-;\ Via: SIP/2.0/TLS 192.0.2.2:15001;
rport=54499 branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-;
rport=50713
</allOneLine>
Max-Forwards: 70 Max-Forwards: 70
Contact: <sips:fluffy@example.com:15001>
To: <sips:kumiko@example.net:5061> To: <sips:kumiko@example.net:5061>
From: <sips:fluffy@example.com:15001>;tag=2eff6a6f From: <sips:fluffy@example.com:15001>;tag=10f47d62
Call-ID: NmE1NDk1YzFmYmMzMDVjOTEwMzVlZjNkMTBjZGZlMzY. Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU.
CSeq: 1 MESSAGE CSeq: 4308 MESSAGE
Accept: multipart/signed, text/plain, application/pkcs7-mime,\ <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
</allOneLine>
Content-Type: text/plain Content-Type: text/plain
Content-Length: 6 Content-Length: 6
Hello! Hello!
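The <allOneLine> convention only exists on the page; the bytes on the wire have the folded lines joined back together. As an added example, not part of the draft, the Go program below reconstructs the wire form of the draft-03 MESSAGE above by removing the line breaks between the tags, then performs the framing check a receiver must make on a stream transport such as TLS: the Content-Length header has to match the body it frames, or the receiver loses message alignment on the connection. The message text is copied from the draft; the indentation of the folded lines and the function names (unfoldAllOneLine, checkContentLength) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// sampleMessage is the draft-03 MESSAGE request from Section 3.2 as printed,
// with its <allOneLine> markers (copied from the draft; indentation added here).
const sampleMessage = `MESSAGE sips:kumiko@example.net:5061 SIP/2.0
<allOneLine>
Via: SIP/2.0/TLS 192.0.2.2:15001;
  branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-;
  rport=50713
</allOneLine>
Max-Forwards: 70
To: <sips:kumiko@example.net:5061>
From: <sips:fluffy@example.com:15001>;tag=10f47d62
Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU.
CSeq: 4308 MESSAGE
<allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime,
  application/sdp, multipart/alternative
</allOneLine>
Content-Type: text/plain
Content-Length: 6

Hello!`

// unfoldAllOneLine rebuilds the wire form: lines between <allOneLine> and
// </allOneLine> are concatenated with their line breaks (and the page's
// indentation) removed, and every remaining line is terminated with CRLF
// as SIP requires. The marker lines themselves are dropped.
func unfoldAllOneLine(formatted string) string {
	var out []string
	var folded strings.Builder
	inTag := false
	for _, line := range strings.Split(formatted, "\n") {
		line = strings.TrimRight(line, "\r")
		switch strings.TrimSpace(line) {
		case "<allOneLine>":
			inTag = true
			folded.Reset()
		case "</allOneLine>":
			inTag = false
			out = append(out, folded.String())
		default:
			if inTag {
				folded.WriteString(strings.TrimSpace(line))
			} else {
				out = append(out, line)
			}
		}
	}
	return strings.Join(out, "\r\n")
}

// checkContentLength splits a wire-form message at the blank line and
// verifies that Content-Length (or its compact form "l") equals the body
// length. On TLS/TCP a mismatch means the next message on the connection
// would be misread, so such a message must be rejected rather than repaired.
func checkContentLength(wire string) (int, error) {
	parts := strings.SplitN(wire, "\r\n\r\n", 2)
	if len(parts) != 2 {
		return 0, errors.New("no CRLFCRLF separating headers from body")
	}
	declared := -1
	for _, h := range strings.Split(parts[0], "\r\n") {
		nv := strings.SplitN(h, ":", 2)
		if len(nv) != 2 {
			continue
		}
		name := strings.TrimSpace(nv[0])
		if strings.EqualFold(name, "Content-Length") || name == "l" {
			n, err := strconv.Atoi(strings.TrimSpace(nv[1]))
			if err != nil || n < 0 {
				return 0, fmt.Errorf("malformed Content-Length %q", nv[1])
			}
			declared = n
		}
	}
	if declared < 0 {
		return 0, errors.New("Content-Length missing; required on stream transports")
	}
	if declared != len(parts[1]) {
		return declared, fmt.Errorf("Content-Length %d but body is %d bytes", declared, len(parts[1]))
	}
	return declared, nil
}

func main() {
	wire := unfoldAllOneLine(sampleMessage)
	fmt.Printf("%q\n", wire)
	n, err := checkContentLength(wire)
	fmt.Println("declared length:", n, "error:", err)
}
```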
When a UA goes to send a message to example.com, the UA can see if it
already has a TLS connection to example.com and if it does, it may
send the message over this connection. A UA should have some scheme
for reusing connections as opening a new TLS connection for every
message results in awful performance. Implementers are encouraged to
read Draft Connection Reuse in SIP [18] and RFC 3263 [4].

The response is sent from example.net to example.com over the same
TLS connection. It is shown below.
SIP/2.0 200 OK SIP/2.0 200 OK
Via: SIP/2.0/TLS 208.77.188.166:15001;\ <allOneLine>
branch=z9hG4bK-d8754z-3be7667f18d2f53c-1---d8754z-;\ Via: SIP/2.0/TLS 192.0.2.2:15001;
rport=54499 branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-;
Contact: <sip:208.77.188.166:5061;transport=TLS> rport=50713
To: <sips:kumiko@example.net:5061>;tag=00e62966 </allOneLine>
From: <sips:fluffy@example.com:15001>;tag=2eff6a6f To: <sips:kumiko@example.net:5061>;tag=a0d41548
Call-ID: NmE1NDk1YzFmYmMzMDVjOTEwMzVlZjNkMTBjZGZlMzY. From: <sips:fluffy@example.com:15001>;tag=10f47d62
CSeq: 1 MESSAGE Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU.
CSeq: 4308 MESSAGE
Content-Length: 0 Content-Length: 0
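The connection-reuse scheme described before the response above, as an added example that is not part of the draft: a small Go pool that hands back an existing TLS connection for a destination and opens a new one only when none is cached. The pool is keyed by the domain whose certificate was verified when the connection was opened, not by the resolved address; in the dump in Section 3.1 example.com and example.net resolved to the same host, and a pool keyed by address would hand a message for example.net to a connection authenticated as example.com. The dial function is injected so the example runs offline with net.Pipe in place of a real crypto/tls dial; the type and function names (tlsPool, fakeDial, sendMessages) are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"sync"
)

// tlsPool caches one established connection per destination domain. The
// dial function is expected to open a TLS connection and verify that the
// server certificate's Subject Alternative Name matches domain, so the map
// key is the authenticated identity of the peer.
type tlsPool struct {
	mu    sync.Mutex
	conns map[string]net.Conn
	dial  func(domain string) (net.Conn, error)
	dials int // number of connections opened, for inspection
}

func newTLSPool(dial func(string) (net.Conn, error)) *tlsPool {
	return &tlsPool{conns: map[string]net.Conn{}, dial: dial}
}

// get returns a connection to domain; the bool reports whether an existing
// connection was reused instead of a new handshake being performed.
func (p *tlsPool) get(domain string) (net.Conn, bool, error) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if c, ok := p.conns[domain]; ok {
		return c, true, nil
	}
	c, err := p.dial(domain)
	if err != nil {
		return nil, false, err
	}
	p.dials++
	p.conns[domain] = c
	return c, false, nil
}

// drop discards a cached connection after an I/O error or a peer-initiated
// close (the Alert followed by TCP FIN at the end of the dump), so the next
// message triggers a fresh handshake instead of failing on a dead socket.
func (p *tlsPool) drop(domain string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if c, ok := p.conns[domain]; ok {
		c.Close()
		delete(p.conns, domain)
	}
}

// sendMessages drives the pool for a sequence of destination domains and
// returns how many connections had to be opened.
func sendMessages(p *tlsPool, domains []string) (int, error) {
	for _, d := range domains {
		if _, _, err := p.get(d); err != nil {
			return p.dials, err
		}
	}
	return p.dials, nil
}

// fakeDial stands in for a TLS dial so the example runs offline: it returns
// one end of an in-memory pipe for the two domains in the draft and fails
// for anything else.
func fakeDial(domain string) (net.Conn, error) {
	switch domain {
	case "example.com", "example.net":
		c, _ := net.Pipe()
		return c, nil
	}
	return nil, errors.New("cannot reach " + domain)
}

func main() {
	p := newTLSPool(fakeDial)
	n, err := sendMessages(p, []string{"example.net", "example.net", "example.com", "example.net"})
	fmt.Println("messages: 4, connections opened:", n, "err:", err)
}
```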
TODO: Actually use the allOneLine convention. This will be fixed in
a change to binary-generated content.
TODO: Remove the Contact headers.
OPEN ISSUE: There should be some more information about how this
MESSAGE is associated with the handshake example. The dump in
Section 3.1 is slightly confusing in that example.com and example.net
both resolved to the same address, so reverse lookup shows both
domains as example.com.
4. Callflow with S/MIME-secured Message

4.1. MESSAGE Message with Signed Body

Below is an example of a signed message. The values on the Content-
Type line (multipart/signed) and on the Content-Disposition line have
been broken across lines to fit on the page, but they are not broken
across lines in actual implementations.
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
Via: SIP/2.0/TCP 208.77.188.166:15001;\ <allOneLine>
branch=z9hG4bK-d8754z-36f515466f3a7f5c-1---d8754z-;\ Via: SIP/2.0/TCP 192.0.2.2:15001;
rport=54500 branch=z9hG4bK-d8754z-c947ab3f4ea84000-1---d8754z-;
rport=50714
</allOneLine>
Max-Forwards: 70 Max-Forwards: 70
Contact: <sip:fluffy@example.com>
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=e8cc1b5c From: <sip:fluffy@example.com>;tag=20fad54c
Call-ID: NjVjYjNjNzQzNTZlYzdjMWUwM2VjYjcwOTVjM2RkZDM. Call-ID: NTMyZGNlOWRkODAyNGY1ZWM0MDI2ZGVmZDBhZTQwYWI.
CSeq: 1 MESSAGE CSeq: 8473 MESSAGE
Accept: multipart/signed, text/plain, application/pkcs7-mime,\ <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
Content-Type: multipart/signed;boundary=ac31fa52a112030f;\ </allOneLine>
<allOneLine>
Content-Type: multipart/signed;boundary=d0c5ff1dcdc8f431;
micalg=sha1;protocol="application/pkcs7-signature" micalg=sha1;protocol="application/pkcs7-signature"
</allOneLine>
Content-Length: 772 Content-Length: 772
--ac31fa52a112030f --d0c5ff1dcdc8f431
Content-Type: text/plain Content-Type: text/plain
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
hello Hello!
--ac31fa52a112030f --d0c5ff1dcdc8f431
Content-Type: application/pkcs7-signature;name=smime.p7s Content-Type: application/pkcs7-signature;name=smime.p7s
Content-Disposition: attachment;handling=required;\ <allOneLine>
Content-Disposition: attachment;handling=required;
filename=smime.p7s filename=smime.p7s
</allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 1 * * BINARY BLOB 1 *
***************** *****************
--ac31fa52a112030f-- --d0c5ff1dcdc8f431--
It is important to note that the signature ("BINARY BLOB 1") is
computed over the MIME headers and body, but excludes the multipart
boundary lines. The value on the Message-body line ends with CRLF.
The CRLF is included in the boundary and is not part of the signature
computation. To be clear, the signature is computed over data
starting with the C in the Content-Type and ending with the o in the
hello.
Content-Type: text/plain
Content-Transfer-Encoding: binary

Hello!
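Getting the signed span exactly right is where interoperability failures happen: one CRLF too many and the digest no longer matches. As an added example (not code from the draft), the Go program below extracts from a multipart/signed body the bytes a detached pkcs7-signature covers, applying the rule stated above: everything after the opening boundary line, up to but excluding the CRLF that precedes the next boundary, so the covered data starts at the "C" of Content-Type and ends at the last byte of the body ("!" in the draft-03 message, whose body is "Hello!"). It then hashes that span with the algorithm named by micalg. The sample body is constructed from the draft-03 message with its boundary value; the signature blob is a placeholder since the draft does not print it, and the function names (signedPortion, digestForMicalg) are this example's own.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
)

// Boundary value from the draft-03 signed MESSAGE in Section 4.1.
const boundary = "d0c5ff1dcdc8f431"

// sampleBody is the multipart/signed body of that message, reconstructed
// here with CRLF line endings. "BINARY BLOB 1" is a placeholder because the
// draft does not print the signature bytes.
var sampleBody = []byte("--" + boundary + "\r\n" +
	"Content-Type: text/plain\r\n" +
	"Content-Transfer-Encoding: binary\r\n" +
	"\r\n" +
	"Hello!\r\n" +
	"--" + boundary + "\r\n" +
	"Content-Type: application/pkcs7-signature;name=smime.p7s\r\n" +
	"Content-Disposition: attachment;handling=required;filename=smime.p7s\r\n" +
	"Content-Transfer-Encoding: binary\r\n" +
	"\r\n" +
	"<BINARY BLOB 1 placeholder>\r\n" +
	"--" + boundary + "--\r\n")

// signedPortion returns the bytes the detached signature covers: the first
// body part with its MIME headers, excluding the boundary lines. The CRLF
// immediately before "--boundary" belongs to the boundary delimiter and is
// therefore excluded, exactly as the draft describes.
func signedPortion(body []byte, boundary string) ([]byte, error) {
	open := []byte("--" + boundary + "\r\n")
	start := bytes.Index(body, open)
	if start < 0 {
		return nil, errors.New("opening boundary not found")
	}
	start += len(open)
	delim := []byte("\r\n--" + boundary)
	end := bytes.Index(body[start:], delim)
	if end < 0 {
		return nil, errors.New("closing boundary not found")
	}
	return body[start : start+end], nil
}

// digestForMicalg hashes the signed portion with the algorithm named by the
// micalg parameter of the multipart/signed Content-Type (sha1 in the draft).
// Unknown values are refused rather than guessed.
func digestForMicalg(micalg string, data []byte) (string, error) {
	switch micalg {
	case "sha1", "sha-1":
		sum := sha1.Sum(data)
		return hex.EncodeToString(sum[:]), nil
	}
	return "", fmt.Errorf("unsupported micalg %q", micalg)
}

func main() {
	p, err := signedPortion(sampleBody, boundary)
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed bytes: %q\n", p)
	d, _ := digestForMicalg("sha1", p)
	fmt.Println("sha1:", d)
}
```

A verifier feeds exactly these bytes, not the body with its boundaries, into the CMS SignedData verification as the external content; the micalg value is only a hint and must agree with the digest algorithm inside the signature.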
Following is the ASN.1 parsing of encrypted contents referred to
above as "BINARY BLOB 1". Note that at address 30, the hash for the
signature is specified as SHA-1. Also note that the sender's
certificate is not attached as it is optional in RFC 3852 [10].
0 471: SEQUENCE { 0 470: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 456: [0] { 15 455: [0] {
19 452: SEQUENCE { 19 451: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 11: SET { 26 11: SET {
28 9: SEQUENCE { 28 9: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37 0: NULL 37 0: NULL
: } : }
: } : }
39 11: SEQUENCE { 39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
52 419: SET { 52 418: SET {
56 415: SEQUENCE { 56 414: SEQUENCE {
60 1: INTEGER 1 60 1: INTEGER 1
63 124: SEQUENCE { 63 123: SEQUENCE {
65 112: SEQUENCE { 65 112: SEQUENCE {
67 11: SET { 67 11: SET {
69 9: SEQUENCE { 69 9: SEQUENCE {
71 3: OBJECT IDENTIFIER countryName (2 5 4 6) 71 3: OBJECT IDENTIFIER countryName (2 5 4 6)
76 2: PrintableString 'US' 76 2: PrintableString 'US'
: } : }
: } : }
80 19: SET { 80 19: SET {
82 17: SEQUENCE { 82 17: SEQUENCE {
84 3: OBJECT IDENTIFIER 84 3: OBJECT IDENTIFIER
skipping to change at page 18, line 12 skipping to change at page 18, line 21
: } : }
136 41: SET { 136 41: SET {
138 39: SEQUENCE { 138 39: SEQUENCE {
140 3: OBJECT IDENTIFIER 140 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
145 32: PrintableString 'Sipit Test Certificate Aut 145 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
179 8: INTEGER 01 52 01 54 01 90 00 47 179 7: INTEGER 49 02 11 01 84 01 5C
: } : }
189 9: SEQUENCE { 188 9: SEQUENCE {
191 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 190 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
198 0: NULL 197 0: NULL
: } : }
200 13: SEQUENCE { 199 13: SEQUENCE {
202 9: OBJECT IDENTIFIER 201 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
213 0: NULL 212 0: NULL
: } : }
215 256: OCTET STRING 214 256: OCTET STRING
: B1 08 00 AA 15 AC 59 6D 1A 66 66 61 40 A7 BB B1 : 06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D
: D6 7C 32 D8 CE 59 98 E3 8F 69 94 09 A5 F2 C4 34 : D9 7C D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9
: 6F 49 4D 56 64 FE EB A9 EA 71 5D 44 B4 0C 77 C1 : 03 8E F8 34 12 99 0C A9 98 53 C7 17 DE E5 66 5D
: 0E BF FD 42 17 E3 84 A2 7E 5E 13 6C A6 F8 2B A9 : 5B A0 66 A0 93 89 53 1D 06 EC F5 10 1C DC 8B 48
: 24 3F BE AE 14 51 0E 0D 3E 9A 93 9A 16 52 25 AB : 5A 47 49 FB 02 9F 58 96 B5 2B 01 F2 F9 0A 26 7A
: 28 AA C5 8D 15 EB 96 29 C0 9B D9 52 3E 38 D8 07 : 08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80
: 86 2D 22 28 9F 66 0F 74 DF B1 63 0B 26 0D 51 11 : 62 0A FB F5 C9 5F 15 7B 56 2D 7B 3E A1 66 A8 CC
: EF AD 54 01 6D A4 C9 65 C6 3E 78 E3 CE 1C 78 5A : 5F 42 BD 4D 5A E1 E0 7B EB 2B E7 C5 48 53 62 4A
: 41 85 B5 20 22 9F 0B 70 5A 0B 62 1F EF 92 56 75 : D0 AA 28 95 A9 0D E3 3C A0 3E 51 41 1C B1 12 5E
: 22 25 41 90 2B F5 12 08 60 07 09 F7 73 5A 89 B9 : 47 AA A2 3A D0 7A 95 E8 6F A8 C6 0D 81 79 FE 03
: 0D F1 48 54 FF 1C FA C3 A8 10 58 6D 58 98 18 A5 : 21 50 91 1B 0A 97 DB 11 4C C8 E6 5F 2F C1 22 27
: 0B B3 24 24 D5 CE DB 33 FC 31 75 E9 AC 15 1F 02 : CF 76 36 1C E0 63 37 95 65 EF BB 7F E7 56 47 5B
: F2 A8 E0 3A 3F 1E D2 22 B8 4D EA 11 0A 08 76 A7 : C5 A7 1B 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48
: 14 1B 55 8F E7 E7 1C E0 16 E7 1B 62 D4 D4 F2 0A : 6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA
: 7C AB B0 2C 46 02 08 B7 CA 2A 1E 08 CB 4D 1C AA : E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41
: 09 34 AA 53 5F 59 95 3D C7 87 DD 17 8D 78 04 01 : 30 17 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB
: } : }
: } : }
: } : }
: } : }
: } : }
SHA-1 parameters may be omitted entirely, instead of being set to
NULL, as mentioned in RFC 3370 [6]. The above dump of Blob 1 has
SHA-1 parameters set to NULL. Below are the same contents signed
with the same key, but omitting the NULL according to RFC 3370 [6].
This is the preferred encoding. This is covered in greater detail in
Section 5.
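The two encodings of the digestAlgorithms field differ by the two bytes 05 00, and a verifier that insists on one form rejects valid signatures produced with the other. As an added example (not from the draft), the Go program below decodes the SET { SEQUENCE { sha1 [NULL] } } structure at offset 26 of the two dumps above, reports for each whether the NULL parameters were present, and emits the RFC 3370 preferred form without them. The two byte strings are written out from the dumps' offsets and lengths (SET of 11 bytes containing a 9-byte SEQUENCE with the NULL; SET of 9 containing a 7-byte SEQUENCE without it); the type and function names (AlgorithmIdentifierSET, parseDigestAlgorithms, hasNullParams, encodePreferredSHA1) are this example's own.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

var oidSHA1 = asn1.ObjectIdentifier{1, 3, 14, 3, 2, 26}

// The digestAlgorithms SET as it appears in the two dumps: with explicit
// NULL parameters (first dump, offsets 26..37) and without (second dump).
var (
	digestAlgsWithNull    = []byte{0x31, 0x0b, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00}
	digestAlgsWithoutNull = []byte{0x31, 0x09, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a}
)

// AlgorithmIdentifierSET is a SET OF AlgorithmIdentifier; encoding/asn1 uses
// the SET tag for slice types whose name ends in "SET".
type AlgorithmIdentifierSET []pkix.AlgorithmIdentifier

// parseDigestAlgorithms decodes the SET and accepts both encodings, since
// pkix.AlgorithmIdentifier declares its Parameters as OPTIONAL.
func parseDigestAlgorithms(der []byte) (AlgorithmIdentifierSET, error) {
	var algs AlgorithmIdentifierSET
	rest, err := asn1.Unmarshal(der, &algs)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing bytes after digestAlgorithms")
	}
	if len(algs) == 0 {
		return nil, errors.New("empty digestAlgorithms")
	}
	return algs, nil
}

// hasNullParams reports whether the AlgorithmIdentifier carried an explicit
// ASN.1 NULL (05 00) as its parameters.
func hasNullParams(a pkix.AlgorithmIdentifier) bool {
	return a.Parameters.Class == asn1.ClassUniversal &&
		a.Parameters.Tag == asn1.TagNull &&
		len(a.Parameters.FullBytes) == 2
}

// encodePreferredSHA1 produces the RFC 3370 preferred form: the SHA-1 OID
// with the parameters absent. A zero RawValue in an OPTIONAL field is
// omitted by asn1.Marshal.
func encodePreferredSHA1() ([]byte, error) {
	return asn1.Marshal(AlgorithmIdentifierSET{{Algorithm: oidSHA1}})
}

func main() {
	for _, der := range [][]byte{digestAlgsWithNull, digestAlgsWithoutNull} {
		algs, err := parseDigestAlgorithms(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%x -> oid %v, explicit NULL: %v\n", der, algs[0].Algorithm, hasNullParams(algs[0]))
	}
	enc, _ := encodePreferredSHA1()
	fmt.Printf("preferred encoding: %x\n", enc)
}
```

The same tolerance belongs in any comparison of digest algorithms elsewhere in the SignedData (the SignerInfo at offset 189/187 above repeats the identifier): compare the OIDs, not the raw DER of the AlgorithmIdentifier.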
0 467: SEQUENCE { 0 466: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 452: [0] { 15 451: [0] {
19 448: SEQUENCE { 19 447: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 9: SET { 26 9: SET {
28 7: SEQUENCE { 28 7: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: } : }
: } : }
37 11: SEQUENCE { 37 11: SEQUENCE {
39 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 39 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
50 417: SET { 50 416: SET {
54 413: SEQUENCE { 54 412: SEQUENCE {
58 1: INTEGER 1 58 1: INTEGER 1
61 124: SEQUENCE { 61 123: SEQUENCE {
63 112: SEQUENCE { 63 112: SEQUENCE {
65 11: SET { 65 11: SET {
67 9: SEQUENCE { 67 9: SEQUENCE {
69 3: OBJECT IDENTIFIER countryName (2 5 4 6) 69 3: OBJECT IDENTIFIER countryName (2 5 4 6)
74 2: PrintableString 'US' 74 2: PrintableString 'US'
: } : }
: } : }
78 19: SET { 78 19: SET {
80 17: SEQUENCE { 80 17: SEQUENCE {
82 3: OBJECT IDENTIFIER 82 3: OBJECT IDENTIFIER
skipping to change at page 20, line 11 skipping to change at page 20, line 19
: } : }
134 41: SET { 134 41: SET {
136 39: SEQUENCE { 136 39: SEQUENCE {
138 3: OBJECT IDENTIFIER 138 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
143 32: PrintableString 'Sipit Test Certificate Aut 143 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
177 8: INTEGER 01 52 01 54 01 90 00 47 177 7: INTEGER 49 02 11 01 84 01 5C
: } : }
187 7: SEQUENCE { 186 7: SEQUENCE {
189 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 188 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: } : }
196 13: SEQUENCE { 195 13: SEQUENCE {
198 9: OBJECT IDENTIFIER 197 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
209 0: NULL 208 0: NULL
: } : }
211 256: OCTET STRING 210 256: OCTET STRING
: B1 08 00 AA 15 AC 59 6D 1A 66 66 61 40 A7 BB B1 : 06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D
: D6 7C 32 D8 CE 59 98 E3 8F 69 94 09 A5 F2 C4 34 : D9 7C D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9
: 6F 49 4D 56 64 FE EB A9 EA 71 5D 44 B4 0C 77 C1 : 03 8E F8 34 12 99 0C A9 98 53 C7 17 DE E5 66 5D
: 0E BF FD 42 17 E3 84 A2 7E 5E 13 6C A6 F8 2B A9 : 5B A0 66 A0 93 89 53 1D 06 EC F5 10 1C DC 8B 48
: 24 3F BE AE 14 51 0E 0D 3E 9A 93 9A 16 52 25 AB : 5A 47 49 FB 02 9F 58 96 B5 2B 01 F2 F9 0A 26 7A
: 28 AA C5 8D 15 EB 96 29 C0 9B D9 52 3E 38 D8 07 : 08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80
: 86 2D 22 28 9F 66 0F 74 DF B1 63 0B 26 0D 51 11 : 62 0A FB F5 C9 5F 15 7B 56 2D 7B 3E A1 66 A8 CC
: EF AD 54 01 6D A4 C9 65 C6 3E 78 E3 CE 1C 78 5A : 5F 42 BD 4D 5A E1 E0 7B EB 2B E7 C5 48 53 62 4A
: 41 85 B5 20 22 9F 0B 70 5A 0B 62 1F EF 92 56 75 : D0 AA 28 95 A9 0D E3 3C A0 3E 51 41 1C B1 12 5E
: 22 25 41 90 2B F5 12 08 60 07 09 F7 73 5A 89 B9 : 47 AA A2 3A D0 7A 95 E8 6F A8 C6 0D 81 79 FE 03
: 0D F1 48 54 FF 1C FA C3 A8 10 58 6D 58 98 18 A5 : 21 50 91 1B 0A 97 DB 11 4C C8 E6 5F 2F C1 22 27
: 0B B3 24 24 D5 CE DB 33 FC 31 75 E9 AC 15 1F 02 : CF 76 36 1C E0 63 37 95 65 EF BB 7F E7 56 47 5B
: F2 A8 E0 3A 3F 1E D2 22 B8 4D EA 11 0A 08 76 A7 : C5 A7 1B 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48
: 14 1B 55 8F E7 E7 1C E0 16 E7 1B 62 D4 D4 F2 0A : 6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA
: 7C AB B0 2C 46 02 08 B7 CA 2A 1E 08 CB 4D 1C AA : E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41
: 09 34 AA 53 5F 59 95 3D C7 87 DD 17 8D 78 04 01 : 30 17 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB
: } : }
: } : }
: } : }
: } : }
: } : }
TODO: For generated-content, change "hello" to "Hello!" to be
consistent.
TODO: Actually use the allOneLine convention. This will be fixed in
a change to binary-generated content.
4.2. MESSAGE Message with Encrypted Body

Below is an example of an encrypted text/plain message that says
"hello". The binary encrypted contents have been replaced with the
block "BINARY BLOB 2".
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
Via: SIP/2.0/TCP 208.77.188.166:15001;\ <allOneLine>
branch=z9hG4bK-d8754z-1c7dd40a5fff4463-1---d8754z-;\ Via: SIP/2.0/TCP 192.0.2.2:15001;
rport=54502 branch=z9hG4bK-d8754z-19883b67d813801b-1---d8754z-;
rport=50716
</allOneLine>
Max-Forwards: 70 Max-Forwards: 70
Contact: <sip:fluffy@example.com>
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=5a10502e From: <sip:fluffy@example.com>;tag=47e96625
Call-ID: YTk3ODIwN2FiYTUwMGZmYTM1MDJiMzY2ODcyYzE4MGM. Call-ID: NDg3ZGJjMGVhM2Y4MjdjNjU4ZDYyODhlODZkNGVlOWU.
CSeq: 1 MESSAGE CSeq: 3260 MESSAGE
Accept: multipart/signed, text/plain, application/pkcs7-mime,\ <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
Content-Disposition: attachment;handling=required;\ </allOneLine>
<allOneLine>
Content-Disposition: attachment;handling=required;
filename=smime.p7 filename=smime.p7
</allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
Content-Type: application/pkcs7-mime;smime-type=enveloped-data;\ <allOneLine>
Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
name=smime.p7m name=smime.p7m
Content-Length: 564 </allOneLine>
Content-Length: 563
***************** *****************
* BINARY BLOB 2 * * BINARY BLOB 2 *
***************** *****************
Following is the ASN.1 parsing of "BINARY BLOB 2". Note that at
address 452, the encryption is set to aes128-CBC.
0 560: SEQUENCE { 0 559: SEQUENCE {
4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3) 4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15 545: [0] { 15 544: [0] {
19 541: SEQUENCE { 19 540: SEQUENCE {
23 1: INTEGER 0 23 1: INTEGER 0
26 408: SET { 26 407: SET {
30 404: SEQUENCE { 30 403: SEQUENCE {
34 1: INTEGER 0 34 1: INTEGER 0
37 124: SEQUENCE { 37 123: SEQUENCE {
39 112: SEQUENCE { 39 112: SEQUENCE {
41 11: SET { 41 11: SET {
43 9: SEQUENCE { 43 9: SEQUENCE {
45 3: OBJECT IDENTIFIER countryName (2 5 4 6) 45 3: OBJECT IDENTIFIER countryName (2 5 4 6)
50 2: PrintableString 'US' 50 2: PrintableString 'US'
: } : }
: } : }
54 19: SET { 54 19: SET {
56 17: SEQUENCE { 56 17: SEQUENCE {
58 3: OBJECT IDENTIFIER 58 3: OBJECT IDENTIFIER
: stateOrProvinceName (2 5 4 8) : stateOrProvinceName (2 5 4 8)
63 10: PrintableString 'California' 63 10: PrintableString 'California'
: } : }
: } : }
75 17: SET { 75 17: SET {
77 15: SEQUENCE { 77 15: SEQUENCE {
79 3: OBJECT IDENTIFIER localityName (2 5 4 7) 79 3: OBJECT IDENTIFIER localityName (2 5 4 7)
skipping to change at page 22, line 34 skipping to change at page 22, line 40
: } : }
110 41: SET { 110 41: SET {
112 39: SEQUENCE { 112 39: SEQUENCE {
114 3: OBJECT IDENTIFIER 114 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
119 32: PrintableString 'Sipit Test Certificate Aut 119 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
153 8: INTEGER 01 52 01 54 01 90 00 48 153 7: INTEGER 49 02 11 01 84 01 5D
: } : }
163 13: SEQUENCE { 162 13: SEQUENCE {
165 9: OBJECT IDENTIFIER 164 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
176 0: NULL 175 0: NULL
: } : }
178 256: OCTET STRING 177 256: OCTET STRING
: 6E 48 A2 78 07 3A 47 09 C0 57 6F CB 01 AA 0E E7 : 40 0B 31 3C 3D 16 C2 B3 C1 74 C8 A3 08 70 6F FB
: 3E 2C 1B 78 8F 6B 0B C2 D4 F2 BD 41 8E 3E CB 95 : DC 1B 40 72 A3 BB 84 0A 54 CA AD A7 5E 93 39 36
: CD 35 9C 2E 59 8B E8 E5 35 59 6F 0E FC 3B BB A4 : D5 0D 29 C8 D9 B0 67 3D 75 88 C7 5B 32 0A 9A 54
: 2E 66 0D 68 6E 45 04 CA 4B E5 29 BE 65 F1 51 A1 : 01 59 F1 F0 AF 07 65 6B 35 4C 24 B0 D0 2A 57 8D
: E3 40 83 95 7C 8F B0 A9 56 CF 34 D4 DE C4 63 BE : E0 99 1F 54 D2 45 7C 49 7B 59 C9 E2 26 FF 8D 79
: 26 55 1D 57 51 E2 86 8C 2A 7D B1 37 13 B5 F8 8D : FC AD 06 67 C3 31 0E 2F FF A9 17 8C 24 AA 79 82
: B8 3C F1 84 31 0C 57 B2 24 E3 D2 F6 94 5D A2 80 : B6 6E EC 87 25 B2 E7 04 88 A4 92 FB 85 AD 9C 26
: 2E 45 B7 36 96 6C EF A3 90 23 8E 9D B3 50 0A 6F : A2 D2 E8 3D F6 72 DB CD 20 EF C4 F2 0B 0F 0A 02
: DB E7 47 54 EA 2D 5E 38 75 77 CB 05 EE 45 71 B6 : 68 E9 52 B7 2E 69 3B E7 D0 EE 42 9C 9B 3E 0F B5
: BB 95 93 AF 59 31 BC B3 10 F7 FE 72 B9 85 22 51 : DA 3B 7B 27 E0 1F D4 76 DE 0A 4B C1 4C 44 51 E8
: 80 A6 7E F6 E5 9E 46 32 2C 8A BB ED 60 C8 F6 7B : 05 05 FB D8 0D 69 A5 B8 1A 51 08 00 43 E2 45 EA
: 2D 9E CF 5F 9E D9 21 68 08 BE 00 51 27 A7 1B 54 : 8D 98 A0 7E 73 53 41 4D CB D1 77 4C FB 81 AA 26
: 53 CF 45 2A 58 61 63 3C 19 75 86 67 04 C3 05 77 : F5 F4 82 6E C9 F4 8B 5E 5C 13 44 F4 D6 E2 57 89
: 6D 77 19 3B A4 16 32 38 1C 79 05 7B 71 11 7B 56 : B6 11 DD 60 A4 8A C1 77 48 98 AA BF 82 FA 5C 0E
: 24 75 24 6B F7 75 D1 8A DA AE B8 3A 86 4D 31 0A : 58 C7 A8 67 48 9E 09 97 51 2E B4 10 B3 9B 3F 62
: 1B D2 80 88 64 52 13 DA FE 93 DD AA C9 E0 D2 CB : 77 D7 4F 61 C0 E4 AA 70 58 22 4E B4 24 6E 80 4C
: } : }
: } : }
438 124: SEQUENCE { 437 124: SEQUENCE {
440 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 439 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
451 29: SEQUENCE { 450 29: SEQUENCE {
453 9: OBJECT IDENTIFIER 452 9: OBJECT IDENTIFIER
: aes128-CBC (2 16 840 1 101 3 4 1 2) : aes128-CBC (2 16 840 1 101 3 4 1 2)
464 16: OCTET STRING 463 16: OCTET STRING
: E8 E4 34 63 AE 68 F7 C1 62 C5 9E 7B 6F 25 22 AF : 22 B3 06 78 4E 7E CF 9B 99 C8 08 2F 93 85 6D 5C
: } : }
482 80: [0] 481 80: [0]
: 41 4C FE FA A4 B4 70 1A 62 86 BC C1 DE 90 94 69 : CB F2 22 1B C0 F8 ED 86 6A CB 65 8C 08 7C BE 21
: 7D 0A D2 0F F3 4E 7D 6F 72 2F 7A A7 4B B4 4A 59 : 8A 53 3D C5 92 EE 23 E3 8A EA D6 DF B3 22 3A 00
: C9 C0 CB F3 AD 92 D6 31 66 94 0E B3 49 01 63 D5 : F9 96 4C 5F 8B 75 4F 7E 22 F7 D6 8A D3 13 56 EE
: BA 5A AE 29 ED C9 8A 87 EA 00 FC 4B 97 62 54 56 : BF B7 D9 24 32 6D F1 0B E8 CF 7C FC 14 90 BE DA
: 91 DB 78 50 B6 AD B7 B8 5D F6 11 41 3C C0 20 DD : F3 5E 04 38 CC D6 E5 9D 6F AF 44 BF A0 0A 3A 5C
: } : }
: } : }
: } : }
: } : }
TODO: For generated-content, change "hello" to "Hello!" to be
consistent.
TODO: Actually use the allOneLine convention. This will be fixed in
a change to binary-generated content.
4.3. MESSAGE Message with Encrypted and Signed Body 4.3. MESSAGE Message with Encrypted and Signed Body
In the example below, some of the header values have been split In the example below, some of the header values have been split
across mutliple lines. Where the lines have been broken, a "\" has across mutliple lines. Where the lines have been broken, the
been inserted. This was only done to make it fit in the RFC format. <allOneLine> convention has been used. This was only done to make it
Specifically, the application/pkcs7-mime Content-Type line should be fit in the RFC format. Specifically, the application/pkcs7-mime
one line with no whitespace between the "mime;" and the "smime-type". Content-Type line is one line with no whitespace between the "mime;"
The values are split across lines for formatting, but are not split and the "smime-type". The values are split across lines for
in the real message. The binary encrypted content has been replaced formatting, but are not split in the real message. The binary
with "BINARY BLOB 3", and the binary signed content has been replaced encrypted content has been replaced with "BINARY BLOB 3", and the
with "BINARY BLOB 4". binary signed content has been replaced with "BINARY BLOB 4".
MESSAGE sip:kumiko@example.net SIP/2.0 MESSAGE sip:kumiko@example.net SIP/2.0
Via: SIP/2.0/TCP 208.77.188.166:15001;\ <allOneLine>
branch=z9hG4bK-d8754z-c2d73f665e157842-1---d8754z-;\ Via: SIP/2.0/TCP 192.0.2.2:15001;
rport=54503 branch=z9hG4bK-d8754z-540c0075b0e6350b-1---d8754z-;
rport=50717
</allOneLine>
Max-Forwards: 70 Max-Forwards: 70
Contact: <sip:fluffy@example.com>
To: <sip:kumiko@example.net> To: <sip:kumiko@example.net>
From: <sip:fluffy@example.com>;tag=5e4dd355 From: <sip:fluffy@example.com>;tag=ead36604
Call-ID: MDQ2ZGVkZWQ4YzJhZTZhZDRjNzE0MDJkNzk1NGIxNTQ. Call-ID: MjhmOTlmMWVmY2ZhNzAxYmZlYzNmODE2YWNhMmU4Zjg.
CSeq: 1 MESSAGE CSeq: 5449 MESSAGE
Accept: multipart/signed, text/plain, application/pkcs7-mime,\ <allOneLine>
Accept: multipart/signed, text/plain, application/pkcs7-mime,
application/sdp, multipart/alternative application/sdp, multipart/alternative
Content-Type: multipart/signed;boundary=e0c6b73cedc44967;\ </allOneLine>
<allOneLine>
Content-Type: multipart/signed;boundary=f913571e3a21963d;
micalg=sha1;protocol="application/pkcs7-signature" micalg=sha1;protocol="application/pkcs7-signature"
Content-Length: 1453 </allOneLine>
Content-Length: 1451
--e0c6b73cedc44967 --f913571e3a21963d
Content-Type: application/pkcs7-mime;smime-type=enveloped-data;\ <allOneLine>
Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
name=smime.p7m name=smime.p7m
Content-Disposition: attachment;handling=required;\ </allOneLine>
<allOneLine>
Content-Disposition: attachment;handling=required;
filename=smime.p7 filename=smime.p7
</allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 3 * * BINARY BLOB 3 *
***************** *****************
--e0c6b73cedc44967 --f913571e3a21963d
Content-Type: application/pkcs7-signature;name=smime.p7s Content-Type: application/pkcs7-signature;name=smime.p7s
Content-Disposition: attachment;handling=required;\ <allOneLine>
Content-Disposition: attachment;handling=required;
filename=smime.p7s filename=smime.p7s
</allOneLine>
Content-Transfer-Encoding: binary Content-Transfer-Encoding: binary
***************** *****************
* BINARY BLOB 4 * * BINARY BLOB 4 *
***************** *****************
--e0c6b73cedc44967-- --f913571e3a21963d--
Below is the ASN.1 parsing of "BINARY BLOB 3". Below is the ASN.1 parsing of "BINARY BLOB 3".
0 560: SEQUENCE { 0 559: SEQUENCE {
4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3) 4 9: OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15 545: [0] { 15 544: [0] {
19 541: SEQUENCE { 19 540: SEQUENCE {
23 1: INTEGER 0 23 1: INTEGER 0
26 408: SET { 26 407: SET {
30 404: SEQUENCE { 30 403: SEQUENCE {
34 1: INTEGER 0 34 1: INTEGER 0
37 124: SEQUENCE { 37 123: SEQUENCE {
39 112: SEQUENCE { 39 112: SEQUENCE {
41 11: SET { 41 11: SET {
43 9: SEQUENCE { 43 9: SEQUENCE {
45 3: OBJECT IDENTIFIER countryName (2 5 4 6) 45 3: OBJECT IDENTIFIER countryName (2 5 4 6)
50 2: PrintableString 'US' 50 2: PrintableString 'US'
: } : }
: } : }
54 19: SET { 54 19: SET {
56 17: SEQUENCE { 56 17: SEQUENCE {
58 3: OBJECT IDENTIFIER 58 3: OBJECT IDENTIFIER
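Review bot: The enveloped-data part of the MESSAGE above is internally inconsistent in both versions: its Content-Type says name=smime.p7m while its Content-Disposition says filename=smime.p7, whereas the signature part uses smime.p7s in both headers; the enveloped part should use filename=smime.p7m as well. The -03 side does resolve the -02 TODO about the allOneLine convention (the Via, Accept, Content-Type and Content-Disposition headers are now wrapped in <allOneLine>), but the -02 TODO about changing "hello" to "Hello!" is simply dropped, and because the body is shown only as BINARY BLOB 3 nothing visible confirms the text was changed; a changelog entry would settle that. Also "mutliple" in the paragraph introducing the message should be "multiple".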
skipping to change at page 25, line 40 skipping to change at page 25, line 51
: } : }
110 41: SET { 110 41: SET {
112 39: SEQUENCE { 112 39: SEQUENCE {
114 3: OBJECT IDENTIFIER 114 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
119 32: PrintableString 'Sipit Test Certificate Aut 119 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
153 8: INTEGER 01 52 01 54 01 90 00 48 153 7: INTEGER 49 02 11 01 84 01 5D
: } : }
163 13: SEQUENCE { 162 13: SEQUENCE {
165 9: OBJECT IDENTIFIER 164 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
176 0: NULL 175 0: NULL
: } : }
178 256: OCTET STRING 177 256: OCTET STRING
: 8A C2 F2 23 B0 D4 11 0E EB 38 60 3A 47 99 14 33 : 00 50 79 F3 84 E1 0A 63 9E E3 F2 FE 87 5F 81 43
: 78 01 1A F9 12 9E 97 93 D5 68 B2 B8 4E CF 76 15 : 55 6E 5B C9 46 91 B0 FF 15 70 03 8C 07 EC 56 5D
: EF CD 36 0E A5 B8 36 5F E1 05 78 45 F7 05 12 6D : 4F F9 8C 22 89 9C 0F EE 81 FB 5C 63 F0 5E 9E DA
: 55 0A A1 50 4C A9 F7 E3 B1 69 65 F8 38 A8 F7 2F : AC CC D5 F2 55 CD 04 6F C3 9A 1F 56 C5 F4 FB 08
: A1 74 0F 15 6F 29 B6 5C 74 21 49 21 77 07 E4 0A : 70 4D 07 79 54 83 AF CA 08 75 4B 4A 2A 2F 56 70
: 4D A9 02 30 15 45 2F 8F AE 08 2E 49 D9 B2 77 73 : A7 A0 B3 68 2F D0 CF 3F 77 C8 A8 DC B3 E7 81 3E
: E8 41 08 4E 2D B0 B0 EE 2F 49 B7 75 D7 70 E0 60 : 72 2A 12 6B E6 D9 B7 23 8A B1 3F 27 D6 48 EF 2C
: FC A3 C9 49 38 C8 B3 79 71 46 98 C3 17 20 A9 13 : 14 35 8A D2 84 22 FB 41 B6 1F 23 39 DC 9A 42 60
: E7 EE E3 99 AA E2 1F C3 C3 7A B3 70 40 DA F3 40 : CD F6 5F 1C 70 22 20 86 C3 EC 3E 91 D5 62 78 66
: 0B 69 99 DC EB 5C 10 A9 FF A8 66 D1 56 BB B9 B9 : A1 01 3D D7 AE 1E 9A 00 38 AC 0E 21 49 C2 4A 9A
: 84 CB 6D 03 3F 96 CC 6D 5A 92 8B 00 23 CB 8B FE : 9F BF 5D AC 50 F3 B0 39 A4 14 89 A6 F3 DA EC E0
: FB BF 19 26 7F C9 69 CC 93 98 5A E4 DE D3 B0 DE : 84 D0 B7 2B 00 C0 C0 2A B9 FA EE DE 7A B0 FE CC
: 6E 0E 29 9C E8 05 D7 4F 3D A0 F7 C2 B2 8E 0E FF : D9 1F A3 1F B7 BC 69 D3 9D 84 6B 7A 37 15 4C DB
: 06 DA 46 0B ED 3B 84 BF 88 17 9C 40 DA 52 65 62 : 08 6D 55 F8 F7 38 24 3F 87 F5 66 E2 7F 5F 0F 84
: A9 BB F5 7A E7 D1 78 69 9D 61 D5 48 53 56 0A BB : BD 1E 49 16 DD 31 BE BF 1F 7E 3E 07 AE AA 97 52
: DD F3 35 C3 04 0D C0 BD 26 41 C1 E4 9E 19 A2 4B : F2 EA 8B 34 5D 5A 07 72 DB 48 B8 FE D5 41 14 36
: } : }
: } : }
438 124: SEQUENCE { 437 124: SEQUENCE {
440 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 439 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
451 29: SEQUENCE { 450 29: SEQUENCE {
453 9: OBJECT IDENTIFIER 452 9: OBJECT IDENTIFIER
: aes128-CBC (2 16 840 1 101 3 4 1 2) : aes128-CBC (2 16 840 1 101 3 4 1 2)
464 16: OCTET STRING 463 16: OCTET STRING
: 9E C3 11 33 C1 F5 42 09 C8 8B D2 C9 54 32 78 46 : 4F 3B 58 6A ED 07 FF BC 84 F4 03 CA 98 B2 1F 65
: } : }
482 80: [0] 481 80: [0]
: 89 5B E2 84 60 E5 45 2B 74 CC 61 4F A2 E4 03 37 : 88 11 C3 C3 70 D0 5B E6 48 F5 50 27 C1 C2 F2 F5
: D3 C6 83 52 A3 CF C9 E8 C7 8D AF F3 36 39 56 BF : 31 3D 47 B9 FB 3E E6 AA EB DE 5C 11 40 A7 2A 5A
: 8F 7D E3 F8 65 43 6E 61 65 85 5B 62 AC BF 3A DD : 7C FF 6F 10 66 68 C1 D9 8E B0 36 94 9C 60 90 30
: 99 C7 8B B7 BA A7 3F 97 61 3C B1 E2 E0 45 BC 17 : 6A 80 0A C6 20 50 F0 E2 03 B6 44 B3 B3 D9 AA 54
: 43 51 03 F4 41 8C 55 E7 02 5F CC AE F5 02 6B D8 : A7 EE 12 7D F9 4D 10 56 DC 92 CE 3C C8 9C C2 F0
: } : }
: } : }
: } : }
: } : }
Below is the ASN.1 parsing of "BINARY BLOB 4". Below is the ASN.1 parsing of "BINARY BLOB 4".
0 471: SEQUENCE { 0 470: SEQUENCE {
4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 4 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15 456: [0] { 15 455: [0] {
19 452: SEQUENCE { 19 451: SEQUENCE {
23 1: INTEGER 1 23 1: INTEGER 1
26 11: SET { 26 11: SET {
28 9: SEQUENCE { 28 9: SEQUENCE {
30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 30 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37 0: NULL 37 0: NULL
: } : }
: } : }
39 11: SEQUENCE { 39 11: SEQUENCE {
41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1) 41 9: OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
: } : }
52 419: SET { 52 418: SET {
56 415: SEQUENCE { 56 414: SEQUENCE {
60 1: INTEGER 1 60 1: INTEGER 1
63 124: SEQUENCE { 63 123: SEQUENCE {
65 112: SEQUENCE { 65 112: SEQUENCE {
67 11: SET { 67 11: SET {
69 9: SEQUENCE { 69 9: SEQUENCE {
71 3: OBJECT IDENTIFIER countryName (2 5 4 6) 71 3: OBJECT IDENTIFIER countryName (2 5 4 6)
76 2: PrintableString 'US' 76 2: PrintableString 'US'
: } : }
: } : }
80 19: SET { 80 19: SET {
82 17: SEQUENCE { 82 17: SEQUENCE {
84 3: OBJECT IDENTIFIER 84 3: OBJECT IDENTIFIER
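Review bot: The digestAlgorithm in the BINARY BLOB 4 dump encodes sha1 with an explicit NULL parameter (the "sha1 (1 3 14 3 2 26)" followed by "NULL" in the digestAlgorithms SET, and again in the SignerInfo), which is the form Section 5 describes as one receivers must accept but senders should not prefer. The sentence introducing the dump should say which form this is, or the example should be regenerated with the parameters omitted, so that implementers do not copy the non-preferred encoding from the one worked signed example in the document.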
skipping to change at page 27, line 41 skipping to change at page 28, line 4
122 12: SEQUENCE { 122 12: SEQUENCE {
124 3: OBJECT IDENTIFIER 124 3: OBJECT IDENTIFIER
: organizationName (2 5 4 10) : organizationName (2 5 4 10)
129 5: PrintableString 'sipit' 129 5: PrintableString 'sipit'
: } : }
: } : }
136 41: SET { 136 41: SET {
138 39: SEQUENCE { 138 39: SEQUENCE {
140 3: OBJECT IDENTIFIER 140 3: OBJECT IDENTIFIER
: organizationalUnitName (2 5 4 11) : organizationalUnitName (2 5 4 11)
145 32: PrintableString 'Sipit Test Certificate Aut 145 32: PrintableString 'Sipit Test Certificate Aut
hority' hority'
: } : }
: } : }
: } : }
179 8: INTEGER 01 52 01 54 01 90 00 47 179 7: INTEGER 49 02 11 01 84 01 5C
: } : }
189 9: SEQUENCE { 188 9: SEQUENCE {
191 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 190 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
198 0: NULL 197 0: NULL
: } : }
199 13: SEQUENCE {
200 13: SEQUENCE { 201 9: OBJECT IDENTIFIER
202 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
213 0: NULL 212 0: NULL
: } : }
215 256: OCTET STRING 214 256: OCTET STRING
: 29 C3 93 9D 71 C5 93 52 80 4B 0F C5 66 C7 CD 18 : 25 50 A2 07 12 FC 51 08 BB FD CF A5 58 CB 35 58
: 2F 4D A0 07 E1 29 CE F9 2E CE 92 16 CD 7D B1 45 : 46 79 DD D4 B7 E7 35 D7 F1 12 83 AC 94 9A C0 14
: 5A 6D C2 5A 90 51 C3 20 66 FC 76 F0 DF D3 AE C5 : D1 B7 9A FA 98 78 52 BA 8E DB A6 14 75 CE 1B 84
: CE 4D DF C8 0D D7 87 B3 69 ED 81 BA 71 EA B4 C0 : 1A 02 DD F4 E6 7A F5 83 29 D5 A2 17 DC E9 53 76
: E3 F5 A3 A4 CA 2E 36 A3 29 37 86 37 C3 B6 90 A7 : EF 22 8E FE 76 CC 82 A9 B4 FB 5D 1B 61 90 5E 1E
: EA 6A 27 52 C6 9C AB B1 2C 7B 60 10 26 E9 33 43 : 1B CF 25 DB 24 8E A8 E1 29 4A A9 E7 BC 1A 2F 03
: 83 BA 06 B0 68 05 26 88 A2 68 1A 4E E5 82 16 5B : 0B 3A 1C 9B 9B 93 9F E6 79 25 77 B6 54 EB 3D 8D
: E4 00 7D 18 09 4A 13 09 2D B5 F1 A6 C0 39 60 29 : D4 03 69 D5 A0 52 21 1C 44 F6 73 3E 82 50 0A 00
: 02 32 24 29 D6 37 55 4C 42 DA 7D E9 98 F8 C6 FE : 46 66 85 A1 C0 8A 8A C3 3E 10 02 F4 F9 8E 63 B6
: E8 01 1C 56 8B AD DB D2 B2 C4 20 A0 CC 92 BD 9B : 83 3D B2 C2 28 E5 D9 00 92 A5 13 B5 18 7C 01 D4
: 9F 0E C9 9E 5C BF 4E DA 1D D9 E4 02 DC DA 57 A6 : 81 5D 2C 1D DB B7 DB CF 10 5E 7B E7 FC 4B 64 E2
: 59 EC 89 CD AD 66 D3 A3 7A 88 F9 A2 DA D5 9E FB : 00 94 B0 64 A6 9B 1D 9B BA E7 A2 D9 2D AF 22 C7
: 4F AD 7D D9 69 68 35 B1 98 10 64 42 1D 3D 24 57 : 5C 04 60 C8 4C C1 6C 9A E5 37 6C 16 C9 00 3A 45
: C5 BF 48 C3 B0 E6 3C 91 3C 27 52 28 D2 BE 2C AC : 18 83 57 5F 32 17 2B 18 54 B3 3F 9F F0 E4 44 36
: 79 79 32 2E C4 9D 7C 8A 73 73 68 EC 60 E0 22 0D : 30 CF 25 53 95 1F 33 CD 01 78 DF FC 8D E4 47 40
: 50 7F 72 33 96 89 F8 9F 7B ED D1 4A 75 7B D5 14 : AC 9C 9B 5A 6B 97 04 E3 06 F7 3D CE 18 4C 54 6A
: } : }
: } : }
: } : }
: } : }
: } : }
TODO: Actually use the allOneLine convention. This will be fixed in
a change to binary-generated content.
5. Observed Interoperability Issues 5. Observed Interoperability Issues
This section describes some common interoperability problems. These This section describes some common interoperability problems. These
were observed by the authors at SIPit interoperability events. were observed by the authors at SIPit interoperability events.
Implementers should be careful to verify that their systems do not Implementers should be careful to verify that their systems do not
introduce these common problems, and, when possible, make their introduce these common problems, and, when possible, make their
clients forgiving in what they receive. Implementations should take clients forgiving in what they receive. Implementations should take
extra care to produce reasonable error messages when interacting with extra care to produce reasonable error messages when interacting with
software that has these problems. software that has these problems.
Some SIP clients incorrectly only do SSLv3 and do not support TLS. Some SIP clients incorrectly only do SSLv3 and do not support TLS.
Many SIP clients were found to accept expired certificates with no Many SIP clients were found to accept expired certificates with no
warning or error. warning or error.
When used with SIP, TLS and S/MIME provide the identity of the peer When used with SIP, TLS and S/MIME provide the identity of the peer
that a client is communicating with in the Subject Alternative Name that a client is communicating with in the Subject Alternative Name
in the certificate. The software must check that this name in the certificate. The software checks that this name corresponds
corresponds to the identity the server is trying to contact. If a to the identity the server is trying to contact. Normative text
client is trying to set up a TLS connection to good.example.com and describing path validation can be found in section 7 of Draft SIP
it gets a TLS connection set up with a server that presents a valid Domain Certs [17] and section 6 of RFC 5280 [15]. If a client is
certificate but with the name evil.example.com, it must generate an trying to set up a TLS connection to good.example.com and it gets a
TLS connection set up with a server that presents a valid certificate
but with the name evil.example.com, it will typically generate an
error or warning of some type. Similarly with S/MIME, if a user is error or warning of some type. Similarly with S/MIME, if a user is
trying to communicate with sip:fluffy@example.com, one of the items trying to communicate with sip:fluffy@example.com, one of the items
in the Subject Alternate Name set in the certificate must match. in the Subject Alternate Name set in the certificate will need to
match according to the certificate validation rules in section 23 of
RFC 3261 [3] and section 6 of RFC 5280 [15].
Some implementations used binary MIME encodings while others used Some implementations used binary MIME encodings while others used
base64. Implementations should send only binary but must be prepared base64. It is advisable that implementations send only binary and
to receive either. are prepared to receive either.
In several places in this draft, the messages contain the encoding In several places in this document, the messages contain the encoding
for the SHA-1 digest algorithm identifier. The preferred form for for the SHA-1 digest algorithm identifier. The preferred form for
encoding as set out in Section 2 of RFC 3370 [5] is the form in which encoding as set out in Section 2 of RFC 3370 [6] is the form in which
the optional AlgorithmIdentifier parameter field is omitted. the optional AlgorithmIdentifier parameter field is omitted.
However, RFC 3370 also says the recipients need to be able to receive However, RFC 3370 also says the recipients need to be able to receive
the form in which the AlgorithmIdentifier parameter field is present the form in which the AlgorithmIdentifier parameter field is present
and set to NULL. Examples of the form using NULL can be found in and set to NULL. Examples of the form using NULL can be found in
Section 4.2 of RFC 4134 [18]. Receivers really do need to be able to Section 4.2 of RFC 4134 [20]. Receivers really do need to be able to
receive the form that includes the NULL because the NULL form, while receive the form that includes the NULL because the NULL form, while
not preferred, is what was observed as being generated by most not preferred, is what was observed as being generated by most
implementations. Implementers should also note that if the algorithm implementations. Implementers should also note that if the algorithm
is MD5 instead of SHA-1, then the form that omits the is MD5 instead of SHA-1, then the form that omits the
AlgorithmIdentifier parameters field is not allowed and the sender AlgorithmIdentifier parameters field is not allowed and the sender
has to use the form where the NULL is included. has to use the form where the NULL is included.
The preferred encryption algorithm for S/MIME in SIP is AES as The preferred encryption algorithm for S/MIME in SIP is AES as
defined in RFC 3853 [10]. defined in RFC 3853 [11].
Observed S/MIME interoperability has been better when UAs did not Observed S/MIME interoperability has been better when UAs did not
attach the senders' certificates. Attaching the certificates attach the senders' certificates. Attaching the certificates
significantly increases the size of the messages, which should be significantly increases the size of the messages, which should be
considered when sending over UDP. Furthermore, the receiver cannot considered when sending over UDP. Furthermore, the receiver cannot
rely on the sender to always send the certificate, so it does not rely on the sender to always send the certificate, so it does not
turn out to be useful in most situations. turn out to be useful in most situations.
6. Additional Test Scenarios 6. Additional Test Scenarios
This section provides a non-exhaustive list of tests that This section provides a non-exhaustive list of tests that
implementations should perform while developing systems that use implementations should perform while developing systems that use
S/MIME and TLS for SIP. S/MIME and TLS for SIP.
Much of the required behavior for inspecting certificates when using Much of the required behavior for inspecting certificates when using
S/MIME and TLS with SIP is currently underspecified. The non- S/MIME and TLS with SIP is currently underspecified. The non-
normative recommendations in this document capture the current normative recommendations in this document capture the current
folklore around that required behavior, guided by both related folklore around that required behavior, guided by both related
normative works such as RFC 4474 [11] (particulary, section 13.4 normative works such as RFC 4474 [12] (particulary, section 13.4
Domain Names and Subordination) and informative works such as RFC Domain Names and Subordination) and informative works such as RFC
2818 [17] section 3.1. To summarize: 2818 [19] section 3.1. To summarize, test plans should:
o For S/MIME, the peer's URI must appear in the subjectAltName of o For S/MIME secured bodies, assure that the peer's URI (address-of-
the peer's certifcate as a uniformResourceIdentifier field. record, as per RFC 3261 [3] section 23.3) appears in the
o For TLS, the peer's hostname must appear as described in Draft SIP subjectAltName of the peer's certifcate as a
Domain Certs [15]: uniformResourceIdentifier field.
* an exact match in a dNSName entry in the subjectAltName if o For TLS, assure that the peer's hostname appears as described in
there are any dNSNames in the subjectAltName. (Wildcard Draft SIP Domain Certs [17]. Also:
matching is not allowed against these dNSName entries) * assure an exact match in a dNSName entry in the subjectAltName
* the most specific CommonName in the Subject field if there are if there are any dNSNames in the subjectAltName. Wildcard
no dNSName entries in the subjectAltName at all (which is not matching is not allowed against these dNSName entries. See
the same as there being no matching dNSName entries). This section 7.1 of Draft SIP Domain Certs [17].
match can be either exact, or against an entry that uses the * assure that the most specific CommonName in the Subject field
wildcard matching character '*' matches if there are no dNSName entries in the subjectAltName
at all (which is not the same as there being no matching
dNSName entries). This match can be either exact, or against
an entry that uses the wildcard matching character '*'
The peer's hostname is discovered from the initial DNS query in The peer's hostname is discovered from the initial DNS query in
the server location process RFC 3263 [3]. the server location process RFC 3263 [4].
o An IP Address can appear in subjectAltName (RFC 5280 [13]) of the o IP addresses can appear in subjectAltName (RFC 5280 [15]) of the
peer's certificate, e.g. "DNS:192.168.0.1". peer's certificate, e.g. "IP:192.168.0.1". Note that if IP
addresses are used in subjectAltName, there are important
OPEN ISSUE: From first bullet, "peer's URI"...What URI? An AoR for ramifications regarding the use of Record-Route headers that also
the user? From or To values? Contacts? Request-URIs? For request need to be considered. See section 7.5 of Draft SIP Domain Certs
URIs, do we need to discuss the effects of retargeting? Do we need [17]. Use of IP addresses instead of domain names is inadvisable.
to consider some of the current History-Info discussions?
OPEN ISSUE: From second bullet: What if all you've got is an IP
address? Do we disallow IPAddress entries in subjectAltName? IP
addresses can appear in the subjectAltName (rfc5280 says so.) Their
handling is specified in domain-certs (I believe they will appear as
"DNS:192.168.0.1"; we need to have someone -- from pkix? -- ascertain
this. If this is the case, then their handling is specified in S7.1
of domain-certs.
OPEN ISSUE: First sub-bullet (Wildcard matching is not allowed
against these dNSName entries): Is there something that can be
referenced here? In particular, RFC2818 explicitly allows wildcards
in dNSName entries. It is not obvious to me whether the proscription
against wildcards in RFC4474 should apply to general use of TLS, or
just to identity.
For each of these tests, an implementation will proceed past the For each of these tests, an implementation will proceed past the
verification point only if the certificate is "good". S/MIME verification point only if the certificate is "good". S/MIME
protected requests presenting bad certificate data will be rejected. protected requests presenting bad certificate data will be rejected.
S/MIME protected responses presenting bad certificate information S/MIME protected responses presenting bad certificate information
will be ignored. TLS connections involving bad certificate data will will be ignored. TLS connections involving bad certificate data will
not be completed. not be completed.
1. S/MIME : Good peer certificate 1. S/MIME : Good peer certificate
2. S/MIME : Bad peer certificate (peer URI does not appear in 2. S/MIME : Bad peer certificate (peer URI does not appear in
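Review bot: The -03 rewording of the name check in Section 5 weakens the one step that defeats the evil.example.com case it describes: "it will typically generate an error or warning of some type" admits a warning the user can click past, which is the outcome the Security Considerations warn about (the user left with the impression the system is operating securely). Even without normative language the text can state that a name mismatch is a path-validation failure and that, as the test list later puts it, "TLS connections involving bad certificate data will not be completed". In Section 6, the subjectAltName example "IP:192.0.2.1" would be consistent with the changelog claim that the -03 addresses conform to RFC 5737; "192.168.0.1" as written is an RFC 1918 address. Smaller points: "Subject Alternate Name" in the S/MIME sentence should match "Subject Alternative Name" used a few lines earlier, and "certifcate" and "particulary" are typos in both versions.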
skipping to change at page 31, line 37 skipping to change at page 31, line 36
Subject CN) Subject CN)
12. TLS : Bad peer certificate (valid authority chain does not end 12. TLS : Bad peer certificate (valid authority chain does not end
at a trusted CA) at a trusted CA)
13. TLS : Bad peer certificate (incomplete authority chain) 13. TLS : Bad peer certificate (incomplete authority chain)
14. TLS : Bad peer certificate (the current time does not fall 14. TLS : Bad peer certificate (the current time does not fall
within the period of validity) within the period of validity)
15. TLS : Bad peer certificate (certificate or cert in authority 15. TLS : Bad peer certificate (certificate or cert in authority
chain has been revoked) chain has been revoked)
16. TLS : Bad peer certificate ("TLS Web Server Authentication" is 16. TLS : Bad peer certificate ("TLS Web Server Authentication" is
not specified as an X509v3 Key Usage) not specified as an X509v3 Key Usage)
17. TLS : Bad peer certificate (Neither "SIP Domain" nor "Any
OPEN ISSUE: Should we have at least one case for SIP EKU? Extended Key Usage" specified as an X509v3 Extended Key Usage,
and X509v3 Extended Key Usage is present)
7. IANA Considerations 7. IANA Considerations
No IANA actions are required. No IANA actions are required.
8. Acknowledgments 8. Acknowledgments
Many thanks to the developers of all the open source software used to Many thanks to the developers of all the open source software used to
create these call flows. This includes the underlying crypto and TLS create these call flows. This includes the underlying crypto and TLS
software used from openssl.org, the SIP stack from software used from openssl.org, the SIP stack from
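Review bot: Test case 16 describes "TLS Web Server Authentication" as an X509v3 Key Usage, but that purpose (serverAuth) is an Extended Key Usage value, as the new case 17 correctly says for the SIP EKU; suggest "not specified as an X509v3 Extended Key Usage" in case 16 so both cases are checked against the same extension. Case 17 also covers only TLS; since the -00 changelog says user certificates are generated with the SIP EKU too, an S/MIME counterpart (signer certificate whose Extended Key Usage is present but contains neither "SIP Domain" nor "Any Extended Key Usage") would round out the list.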
skipping to change at page 32, line 4 skipping to change at page 31, line 50
7. IANA Considerations 7. IANA Considerations
No IANA actions are required. No IANA actions are required.
8. Acknowledgments 8. Acknowledgments
Many thanks to the developers of all the open source software used to Many thanks to the developers of all the open source software used to
create these call flows. This includes the underlying crypto and TLS create these call flows. This includes the underlying crypto and TLS
software used from openssl.org, the SIP stack from software used from openssl.org, the SIP stack from
www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org. www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org.
The TLS flow dumps were done with SSLDump from The TLS flow dumps were done with SSLDump from
http://www.rtfm.com/ssldump. The book "SSL and TLS" [20] was a huge http://www.rtfm.com/ssldump. The book "SSL and TLS" [22] was a huge
help in developing the code for these flows. It's sad there is no help in developing the code for these flows. It's sad there is no
second edition. second edition.
Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat
Chan, and Lyndsay Campbell who all helped find and correct mistakes Chan, and Lyndsay Campbell who all helped find and correct mistakes
in this document. in this document.
Vijay Gurbani and Alan Jeffrey contributed much of the additional Vijay Gurbani and Alan Jeffrey contributed much of the additional
test scenario content. test scenario content.
skipping to change at page 32, line 33 skipping to change at page 32, line 31
giving the user the impression that the system was operating giving the user the impression that the system was operating
securely. securely.
This document recommends some things that implementers might test or This document recommends some things that implementers might test or
verify to improve the security of their implementations. It is verify to improve the security of their implementations. It is
impossible to make a comprehensive list of these, and this document impossible to make a comprehensive list of these, and this document
only suggests some of the most common mistakes that have been seen at only suggests some of the most common mistakes that have been seen at
the SIPit interoperability events. Just because an implementation the SIPit interoperability events. Just because an implementation
does everything this document recommends does not make it secure. does everything this document recommends does not make it secure.
This document does not show the messages needed to check certificate This document does not show any messages to check certificate
revocation status (see RFC 5280 [13]) as that is not part of the SIP revocation status (see section 3.3 of RFC 5280 [15]) as that is not
call flow. The expectation is that revocation status is checked part of the SIP call flow. The expectation is that revocation status
periodically and regularly to protect against the possibility of is checked regularly to protect against the possibility of
certificate compromise or repudiation. certificate compromise or repudiation. For more information on how
certificate revocation status can be checked, see RFC 2560 [2]
(Online Certificate Status Protocol) and RFC 5055 [13] (Server-Based
Certificate Validation Protocol).
10. Changelog 10. Changelog
(RFC Editor: remove this section) (RFC Editor: remove this section)
-02 to -03
* Re-worded "should" and "must" so that the document doesn't
sound like it is making normative statements. Actual normative
behavior is referred to in the respective RFCs.
* Section 5: re-worded paragraphs 4 and 5 regarding
subjectAltName, and added references.
* Section 6: added references, clarified use of IP addresses, and
clarified which From/To URI is used for comparison (from RFC
3261 section 23.2). Added an EKU test case.
* Section 9: added text about certificate revocation checking.
* Appendix B.3: new section to present certificate chains longer
than 2 (non-root CA).
* Made examples consistently use <allOneLine> convention.
* CSeq looks more random.
* Serial numbers in certs are non-zero.
* All flows re-generated using new certs. IP addresses conform
to RFC 5737.
* Updated references.
-01 to -02 -01 to -02
* Draft is now informational, not standards track. Normative- * Draft is now informational, not standards track. Normative-
sounding language and references to RFC 2119 removed. sounding language and references to RFC 2119 removed.
* Add TODO: change "hello" to "Hello!" in example flows for * Add TODO: change "hello" to "Hello!" in example flows for
consistency. consistency.
* Add TODO: Fix subjectAltName DNS:com to DNS:example.com and * Add TODO: Fix subjectAltName DNS:com to DNS:example.com and
DNS:net to DNS:example.net. DNS:net to DNS:example.net.
* Add TODO: use allOneLine convention from RFC4475. * Add TODO: use allOneLine convention from RFC4475.
* Section 3: updated open issue regarding contact headers in * Section 3: updated open issue regarding contact headers in
MESSAGE. MESSAGE.
* Section 3.2: added some text about RFC 3263 and connection * Section 3.2: added some text about RFC 3263 and connection
reuse and closed open issue. reuse and closed open issue.
* Section 5: clarified text about sender attaching certs, closed * Section 5: clarified text about sender attaching certs, closed
issue. issue.
* Section 5: clarified text about observed problems, closed * Section 5: clarified text about observed problems, closed
issue. issue.
* Section 5: closed issue about clients vs. servers vs. proxies. * Section 5: closed issue about clients vs. servers vs. proxies.
skipping to change at page 33, line 15 skipping to change at page 33, line 36
* Add TODO: use allOneLine convention from RFC4475. * Add TODO: use allOneLine convention from RFC4475.
* Section 3: updated open issue regarding contact headers in * Section 3: updated open issue regarding contact headers in
MESSAGE. MESSAGE.
* Section 3.2: added some text about RFC 3263 and connection * Section 3.2: added some text about RFC 3263 and connection
reuse and closed open issue. reuse and closed open issue.
* Section 5: clarified text about sender attaching certs, closed * Section 5: clarified text about sender attaching certs, closed
issue. issue.
* Section 5: clarified text about observed problems, closed * Section 5: clarified text about observed problems, closed
issue. issue.
* Section 5: closed issue about clients vs. servers vs. proxies. * Section 5: closed issue about clients vs. servers vs. proxies.
* Section 6: updatee section text and open issue where IP address * Section 6: updated section text and open issue where IP address
is in subjectAltName. is in subjectAltName.
* Section 6: added normative references and closed "folklore" * Section 6: added normative references and closed "folklore"
issue. issue.
* Section 6: added cases about cert usage and broken chains, * Section 6: added cases about cert usage and broken chains,
updated OPEN ISSUE: we need a SIP EKU example. updated OPEN ISSUE: we need a SIP EKU example.
* References: updated references to drafts and re-categorized * References: updated references to drafts and re-categorized
informative vs. normative. informative vs. normative.
* Section 9: added some text about revocation status and closed * Section 9: added some text about revocation status and closed
issue. issue.
* Appendix B: open issue: do we need non-root-CA certs and host * Appendix B: open issue: do we need non-root-CA certs and host
skipping to change at page 33, line 38 skipping to change at page 34, line 15
-00 to -01 -00 to -01
* Addition of OPEN ISSUES. * Addition of OPEN ISSUES.
* Numerous minor edits from mailing list feedback. * Numerous minor edits from mailing list feedback.
to -00 to -00
* Changed RFC 3369 references to RFC 3852. * Changed RFC 3369 references to RFC 3852.
* Changed draft-ietf-sip-identity references to RFC 4474. * Changed draft-ietf-sip-identity references to RFC 4474.
* Added an ASN.1 dump of CMS signed content where SHA-1 * Added an ASN.1 dump of CMS signed content where SHA-1
parameters are omitted instead of being set to ASN.1 NULL. parameters are omitted instead of being set to ASN.1 NULL.
* Accept headers added to messages. * Accept headers added to messages.
* User and domain certificates are generated with EKU as * User and domain certificates are generated with EKU as
specified in Draft SIP EKU [14]. specified in Draft SIP EKU [16].
* Message content that is shown is computed using certificates * Message content that is shown is computed using certificates
generated with EKU. generated with EKU.
* Message dump archive returned. * Message dump archive returned.
* Message archive contains messages formed with and without EKU * Message archive contains messages formed with and without EKU
certificates. certificates.
prior to -00 prior to -00
* Incorporated the Test cases from Vijay Gurbani's and Alan * Incorporated the Test cases from Vijay Gurbani's and Alan
Jeffrey's Use of TLS in SIP draft Jeffrey's Use of TLS in SIP draft
* Began to capture the folklore around where identities are * Began to capture the folklore around where identities are
carried in certificates for use with SIP carried in certificates for use with SIP
* Removed the message dump archive pending verification (will * Removed the message dump archive pending verification (will
return in -02) return in -02)
11. References 11. References
11.1. Normative References 11.1. Normative References
[1] Postel, J., "Internet Protocol", STD 5, RFC 791, [1] Postel, J., "Internet Protocol", STD 5, RFC 791,
September 1981. September 1981.
[2] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., [2] Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams,
"X.509 Internet Public Key Infrastructure Online Certificate
Status Protocol - OCSP", RFC 2560, June 1999.
[3] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
Session Initiation Protocol", RFC 3261, June 2002. Session Initiation Protocol", RFC 3261, June 2002.
[3] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol [4] Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
(SIP): Locating SIP Servers", RFC 3263, June 2002. (SIP): Locating SIP Servers", RFC 3263, June 2002.
[4] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for [5] Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for
Transport Layer Security (TLS)", RFC 3268, June 2002. Transport Layer Security (TLS)", RFC 3268, June 2002.
[5] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms", [6] Housley, R., "Cryptographic Message Syntax (CMS) Algorithms",
RFC 3370, August 2002. RFC 3370, August 2002.
[6] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and [7] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and
D. Gurle, "Session Initiation Protocol (SIP) Extension for D. Gurle, "Session Initiation Protocol (SIP) Extension for
Instant Messaging", RFC 3428, December 2002. Instant Messaging", RFC 3428, December 2002.
[7] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and [8] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
T. Wright, "Transport Layer Security (TLS) Extensions", T. Wright, "Transport Layer Security (TLS) Extensions",
RFC 3546, June 2003. RFC 3546, June 2003.
[8] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions [9] Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
(S/MIME) Version 3.1 Message Specification", RFC 3851, (S/MIME) Version 3.1 Message Specification", RFC 3851,
July 2004. July 2004.
[9] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852, [10] Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852,
July 2004. July 2004.
[10] Peterson, J., "S/MIME Advanced Encryption Standard (AES) [11] Peterson, J., "S/MIME Advanced Encryption Standard (AES)
Requirement for the Session Initiation Protocol (SIP)", Requirement for the Session Initiation Protocol (SIP)",
RFC 3853, July 2004. RFC 3853, July 2004.
[11] Peterson, J. and C. Jennings, "Enhancements for Authenticated [12] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)", Identity Management in the Session Initiation Protocol (SIP)",
RFC 4474, August 2006. RFC 4474, August 2006.
[12] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) [13] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. Polk,
"Server-Based Certificate Validation Protocol (SCVP)",
RFC 5055, December 2007.
[14] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
Protocol Version 1.2", RFC 5246, August 2008. Protocol Version 1.2", RFC 5246, August 2008.
[13] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, [15] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,
R., and W. Polk, "Internet X.509 Public Key Infrastructure R., and W. Polk, "Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List (CRL) Profile", Certificate and Certificate Revocation List (CRL) Profile",
RFC 5280, May 2008. RFC 5280, May 2008.
[14] Lawrence, S. and V. Gurbani, "Using Extended Key Usage (EKU) [16] Lawrence, S. and V. Gurbani, "Using Extended Key Usage (EKU)
for Session Initiation Protocol (SIP) X.509 Certificates", for Session Initiation Protocol (SIP) X.509 Certificates",
draft-ietf-sip-eku-08 (work in progress), October 2009. draft-ietf-sip-eku-08 (work in progress), October 2009.
[15] Gurbani, V., Lawrence, S., and B. Laboratories, "Domain [17] Gurbani, V., Lawrence, S., and B. Laboratories, "Domain
Certificates in the Session Initiation Protocol (SIP)", Certificates in the Session Initiation Protocol (SIP)",
draft-ietf-sip-domain-certs-04 (work in progress), May 2009. draft-ietf-sip-domain-certs-07 (work in progress), May 2010.
[16] Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in the [18] Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in the
Session Initiation Protocol (SIP)", Session Initiation Protocol (SIP)",
draft-ietf-sip-connect-reuse-14 (work in progress), draft-ietf-sip-connect-reuse-14 (work in progress),
August 2009. August 2009.
11.2. Informative References 11.2. Informative References
[17] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [19] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[18] Hoffman, P., "Examples of S/MIME Messages", RFC 4134, [20] Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
July 2005. July 2005.
[19] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J., and [21] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J., and
H. Schulzrinne, "Session Initiation Protocol (SIP) Torture Test H. Schulzrinne, "Session Initiation Protocol (SIP) Torture Test
Messages", RFC 4475, May 2006. Messages", RFC 4475, May 2006.
[20] Rescorla, E., "SSL and TLS - Designing and Building Secure [22] Rescorla, E., "SSL and TLS - Designing and Building Secure
Systems", 2001. Systems", 2001.
[21] Rescorla, E., "SSLDump manpage". [23] Rescorla, E., "SSLDump manpage".
Appendix A. Making Test Certificates Appendix A. Making Test Certificates
These scripts allow you to make certificates for test purposes. The These scripts allow you to make certificates for test purposes. The
certificates will all share a common CA root so that everyone running certificates will all share a common CA root so that everyone running
these scripts can have interoperable certificates. WARNING - these these scripts can have interoperable certificates. WARNING - these
certificates are totally insecure and are for test purposes only. certificates are totally insecure and are for test purposes only.
All the CA created by this script share the same private key to All the CA created by this script share the same private key to
facilitate interoperability testing, but this totally breaks the facilitate interoperability testing, but this totally breaks the
security since the private key of the CA is well known. security since the private key of the CA is well known.
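Review bot: Inserting [2] (RFC 2560, OCSP) and [13] (RFC 5055, SCVP) into the normative list renumbers every later entry; the two citations of Draft SIP EKU visible in this region (the "to -00" change log entry and B.1) were correctly moved from [14] to [16], but a pass over the rest of the body for citations still carrying the old numbers is worthwhile before publication. While the list is being touched, RFC 3852 (CMS) has been obsoleted by RFC 5652 and RFC 3851 (S/MIME 3.1) by RFC 5751; either cite the successors or state that the message dumps were produced against the older profiles.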
skipping to change at page 37, line 4 skipping to change at page 37, line 35
with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/ with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/
cacert.pem -outform DER -out cert.p7c" cacert.pem -outform DER -out cert.p7c"
IE (version 8), Outlook Express (version 6), and Firefox (version IE (version 8), Outlook Express (version 6), and Firefox (version
3.5) can import and export .p12 files and .p7c files. You can 3.5) can import and export .p12 files and .p7c files. You can
convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in
cert.p7c -inform DER -outform PEM -out cert.pem". cert.p7c -inform DER -outform PEM -out cert.pem".
The private key can be converted to pkcs8 format with "openssl pkcs8 The private key can be converted to pkcs8 format with "openssl pkcs8
-in a_key.pem -topk8 -outform DER -out a_key.p8c" -in a_key.pem -topk8 -outform DER -out a_key.p8c"
OPEN ISSUE: The information in this section needs to be verified with
the latest software versions. How to do conversions between
supported types needs to be updated accordingly. Any Windows users
out there want to volunteer for verify the Windows side of these?
In general, a TLS client will just need the root certificate of the In general, a TLS client will just need the root certificate of the
CA. A TLS server will need its private key and its certificate. CA. A TLS server will need its private key and its certificate.
These could be in two PEM files, a single file with both certificate These could be in two PEM files, a single file with both certificate
and private key PEM sections, or a single .p12 file. An S/MIME and private key PEM sections, or a single .p12 file. An S/MIME
program will need its private key and certificate, the root program will need its private key and certificate, the root
certificate of the CA, and the certificate for every other user it certificate of the CA, and the certificate for every other user it
communicates with. communicates with.
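Review bot: The OPEN ISSUE asking for the IE 8 / Outlook Express 6 / Firefox 3.5 import and export claims to be verified was dropped in this revision, but the paragraph it refers to is unchanged, so either the verification happened (and the change log should say so) or the issue should stay open. Two details in the commands themselves: "openssl pkcs7 -in cert.p7c -inform DER -outform PEM -out cert.pem" re-encodes the PKCS#7 structure as PEM rather than extracting the certificates it carries (add -print_certs to get CERTIFICATE blocks), and "openssl pkcs8 -in a_key.pem -topk8 -outform DER -out a_key.p8c" writes an encrypted PKCS#8 and prompts for a passphrase unless -nocrypt is given, so the text should say which form is intended.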
A.1. makeCA script A.1. makeCA script
skipping to change at page 37, line 29 skipping to change at page 38, line 8
#!/bin/sh #!/bin/sh
set -x set -x
rm -rf demoCA rm -rf demoCA
mkdir demoCA mkdir demoCA
mkdir demoCA/certs mkdir demoCA/certs
mkdir demoCA/crl mkdir demoCA/crl
mkdir demoCA/newcerts mkdir demoCA/newcerts
mkdir demoCA/private mkdir demoCA/private
echo "01" > demoCA/serial # This is done to generate the exact serial number used for the RFC
hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial echo "4902110184015C" > demoCA/serial
touch demoCA/index.txt touch demoCA/index.txt
# You may need to modify this for where your default file is # You may need to modify this for where your default file is
# you can find where yours in by typing "openssl ca" # you can find where yours in by typing "openssl ca"
for D in /etc/ssl /usr/local/ssl /sw/etc/ssl /sw/share/ssl; do for D in /etc/ssl /usr/local/ssl /sw/etc/ssl /sw/share/ssl; do
CONF=${OPENSSLDIR:=$D}/openssl.cnf CONF=${OPENSSLDIR:=$D}/openssl.cnf
[ -f ${CONF} ] && break [ -f ${CONF} ] && break
done done
CONF=${OPENSSLDIR}/openssl.cnf CONF=${OPENSSLDIR}/openssl.cnf
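Review bot: Replacing the random serial with the fixed value 4902110184015C (so the document's certificates can be reproduced) has a side effect worth spelling out: together with the shared CA private key described in the appendix introduction, every implementer who runs makeCA and then makeCert for their own names will mint certificates carrying the same issuer name and the same serial numbers as everyone else's while naming different subjects. RFC 5280 requires the issuer/serial pair to be unique, and certificate caches, CRLs and the CMS issuerAndSerialNumber SignerIdentifier all key on it, so test certificates from different sites can be confused with one another. Suggest either adding this to the warning paragraph or leaving the random-serial line enabled for anyone not trying to reproduce the exact certificates in Appendix B.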
skipping to change at page 39, line 4 skipping to change at page 39, line 30
subjectAltName=\${ENV::ALTNAME} subjectAltName=\${ENV::ALTNAME}
basicConstraints=CA:FALSE basicConstraints=CA:FALSE
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always authorityKeyIdentifier=keyid,issuer:always
keyUsage = nonRepudiation,digitalSignature,keyEncipherment keyUsage = nonRepudiation,digitalSignature,keyEncipherment
[ sipuser_noeku_req ] [ sipuser_noeku_req ]
basicConstraints = CA:FALSE basicConstraints = CA:FALSE
subjectAltName=\${ENV::ALTNAME} subjectAltName=\${ENV::ALTNAME}
subjectKeyIdentifier=hash subjectKeyIdentifier=hash
EOF EOF
cat > demoCA/private/cakey.pem <<EOF cat > demoCA/private/cakey.pem <<EOF
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4B47A0A73ADE342E DEK-Info: DES-EDE3-CBC,9D378A3D852EE5F0
aHmlPa+ZrOV6v+Jk0SClxzpxoG3j0ZuyoVkF9rzq2bZkzVBKLU6xhWwjMDqwA8dH v4nyT2zSrdk4xhdngH3usAEf7tz+MZXImcKMconstvTcbAd6aootPJnHk+ZZYy9M
3fCRLhMGIUVnmymXYhTW9svI1gpFxMBQHJcKpV/SmgFn/fbYk98Smo2izHOniIiu 7fOkLvlQKgh/gzKGOQwBqcjzdujoM7KWlCYYs/+4nTMFtQBKKkwnqB4gNOe7h/qC
NOu2zr+bMiaBphOAZ/OCtVUxUOoBDKN9lR39UCDOgkEQzp9Vbw7l736yu5H9GMHP 9eO0xnXZsTzfcD5XuVCyrC89dzPUDkfwR+tq4WmEtA9EsEWe4V2t0x82puUWHLV0
JtGLJyx3RhS3TvLfLAJZhjm/wZ/9QM8GjyJEiDhMQRJVeIZGvv4Yr1u6yYHiHfjX HFBnNRpEwuwhaOvWEeX50MD/TrknFMm8mEa84bX+v5C6ziKaSiC2IMPy+s2wXNvm
tX2eds8Luc83HbSvjAyjnkLtJsAZ/8cFzrd7pjFzbogLdWuil+kpkkf5h1uzh7oa NsiCbWeVnECHoGaHHrJ2TZLiwm+DUFA+cyNMjMbBgr6a9piS9vwX327xcSeIT7LZ
um0M1EXBE4tcDHsfg1iqEsDMIei/U+/rWfk1PrzYlklwZp8S03vulkDm1fT76W7d BmNWIiKXr7HWz8hcZq/mntXme1r5TCFivYluUH/DeHlZoBzQFoURbFQsnKS6wqK2
mRBg4+CrHA6qYn6EPWB37OBtfEqAfINnIcI1dWzso9A0bTPD4EJO0JA0PcZ/2JgT Qd8hXZtjHv9sQfmdrZ4Js7QNNMFkA1Y+Fqnj3WhjDV9yBJZuTmRoDuwLyKtSiY9z
PaKySgooHQ8AHNQebelch6M5LFExpaOADJKrqauKcc2HeUxXaYIpac5/7drIl3io sJa0h4E+ixLtqf84DnsnxL1Su1uEPwXIqaNgfTRWo5Xar2z7D+b4MS4ytNLo+3kz
UloqUnMlGa3eLP7BZIMsZKCfHZ8oqwU4g6mmmJath2gODRDx3mfhH6yaimDL7v4i ENfF54pSYRDp9vc25SU/CdTIlk+KjGBM07pMOQqrvlgRnA3PeOleBAuQfE9drcu1
SAIIkrEHXfSyovrTJymfSfQtYxUraVZDqax6oj/eGllRxliGfMLYG9ceU+yU/8FN fcpFcBAc1IPRHMp1/LvyJuceVqqeTAbjZCdJz/tGVTS0TMzbtYkTBX7yKuWFzyp7
LE7P+Cs19H5tHHzx1LlieaK43u/XvbXHlB5mqL/fZdkUIBJsjbBVx0HR8eQl2CH9 RRJcH4v4B+eFqs2nVNXg25IdGLt6em5qWIZEx/7xWJNqX0R3R92kQJPPP+mGv/ud
YJDMOPLADecwHoyKA0AY59oN9d41oF7yZtN9KwNdslROYH7mNJlqMMenhXCLN+Nz xzkelLww2C1+jMVeTjLPzCZPnahzzWzx8sh2LnNbSLe3chgrIkyem2ywwx7gTJ6X
vVU5/7/ugZFhZqfS46c1WdmSvuqpDp7TBtMeaH/PXjysBr0iZffOxQ== zbCbBM8mGremEoRpBIcytCB6T0lghxf9k0OHdZ8WEyhwjvG12Xtciw==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
EOF EOF
cat > demoCA/cacert.pem <<EOF cat > demoCA/cacert.pem <<EOF
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDJDCCAo2gAwIBAgIBADANBgkqhkiG9w0BAQUFADBwMQswCQYDVQQGEwJVUzET MIIDNjCCAp+gAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
MBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAMBgNVBAoT BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
BXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmljYXRlIEF1dGhvcml0 MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
eTAeFw0wMzA3MTgxMjIxNTJaFw0xMzA3MTUxMjIxNTJaMHAxCzAJBgNVBAYTAlVT QXV0aG9yaXR5MCAXDTEwMDUxMDIwNTQ0OFoYDzIxMTAwNDE2MjA1NDQ4WjBwMQsw
MRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UE CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
ChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9y c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj
aXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDIh6DkcUDLDyK9BEUxkud YXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxk0ri3kU
+nJ4xrCVGKfgjHm6XaSuHiEtnfELHM+9WymzkBNzZpJu30yzsxwfKoIKugdNUrD4 B9vHYYiYT6J842GA+ycFGO08yQ3l8dySTuvOd5FL5/NoYLBAAG90W04dyZfIcEpm
N3viCicwcN35LgP/KnbN34cavXHr4ZlqxH+OdKB3hQTpQa38A7YXdaoz6goW2ft5 /BNGqtKYsD6aht48INELNaIt5pLmA0mw20xiL1mGlCBpaXoKFlrVAaUIBiluhaau
Mi74z03GNKP/G9BoKOGd5QIDAQABo4HNMIHKMB0GA1UdDgQWBBRrRhcU6pR2JYBU oQEL9h9TxZWwbrC0jQ756ctdekQhFOyaqK0CAwEAAaOB1TCB0jAdBgNVHQ4EFgQU
bhNU2qHjVBShtjCBmgYDVR0jBIGSMIGPgBRrRhcU6pR2JYBUbhNU2qHjVBShtqF0 OK2AhOLgFmuTn4n4RlFnLNqNgJwwgaIGA1UdIwSBmjCBl4AUOK2AhOLgFmuTn4n4
pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcT RlFnLNqNgJyhdKRyMHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
CFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBD MREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNp
ZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B cGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0T
AQUFAAOBgQCWbRvv1ZGTRXxbH8/EqkdSCzSoUPrs+rQqR0xdQac9wNY/nlZbkR3O BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAvCE20AZt5/6/IzuVdMDz6mTpIuhso
qAezG6Sfmklvf+DOg5RxQq/+Y6I03LRepc7KeVDpaplMFGnpfKsibETMipwzayNQ +Hzq1koXhYLmSYEbJL8B//r8VRIrB7jAOfoQc4hZVrd/lgEwr4kPCm1OrtgErpTU
QgUf4cKBiF+65Ue7hZuDJa2EMv8qW4twEhGDYclpFU9YozyS1OhvUg== Z3gqxDaGS+FMpm1G2SxzD9r+j7oCEAm3G8YTqZCpAhVgYTJ5xegr2OSxuuvHfxkM
abHGkq/uHHRV1Q==
-----END CERTIFICATE----- -----END CERTIFICATE-----
EOF EOF
# uncomment the following lines to generate your own key pair # uncomment the following lines to generate your own key pair
# hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial
# openssl req -newkey rsa:1024 -passin pass:password \ # openssl req -newkey rsa:1024 -passin pass:password \
# -passout pass:password \ # -passout pass:password \
# -sha1 -x509 -keyout demoCA/private/cakey.pem \ # -sha1 -x509 -keyout demoCA/private/cakey.pem \
# -out demoCA/cacert.pem -days 3650 -config ${CONF} <<EOF # -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF
# US # US
# California # California
# San Jose # San Jose
# sipit # sipit
# Sipit Test Certificate Authority # Sipit Test Certificate Authority
# #
# #
# EOF # EOF
openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \ openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
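Review bot: The regeneration recipe now uses -days 36500, matching the new cacert.pem, and that puts notAfter in 2110, past the 2049 boundary after which RFC 5280 requires GeneralizedTime rather than UTCTime; an implementation that only handles UTCTime will reject the CA for a reason unrelated to what is being tested, so either say that this is a deliberate test condition or pick a validity that ends before 2050. Separately, the recipe still builds the CA with rsa:1024 and -sha1; that is acceptable for a deliberately insecure test CA, but implementations are beginning to refuse such chains, so if the certificates are regenerated again it would be worth moving to rsa:2048 and -sha256 at the same time.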
skipping to change at page 40, line 43 skipping to change at page 41, line 26
# ExtPrefix="sipuser" # ExtPrefix="sipuser"
# elif [ ${ExecName} == "makeEkuUserCert" ]; then # elif [ ${ExecName} == "makeEkuUserCert" ]; then
# ExtPrefix="sipuser_eku" # ExtPrefix="sipuser_eku"
# elif [ ${ExecName} == "makeEkuCert" ]; then # elif [ ${ExecName} == "makeEkuCert" ]; then
# ExtPrefix="sipdomain_eku" # ExtPrefix="sipdomain_eku"
# else # else
# ExtPrefix="sipdomain" # ExtPrefix="sipdomain"
# fi # fi
if [ $# == 3 ]; then if [ $# == 3 ]; then
DAYS=1095 DAYS=36500
elif [ $# == 4 ]; then elif [ $# == 4 ]; then
DAYS=$4 DAYS=$4
else else
echo "Usage: makeCert test.example.org user|domain eku|noeku [days]" echo "Usage: makeCert test.example.org user|domain eku|noeku [days]"
echo " makeCert alice@example.org [days]" echo " makeCert alice@example.org [days]"
echo "days is how long the certificate is valid" echo "days is how long the certificate is valid"
echo "days set to 0 generates an invalid certificate" echo "days set to 0 generates an invalid certificate"
exit 0 exit 0
fi fi
ExtPrefix="sip"${2} ExtPrefix="sip"${2}
if [ $3 == "noeku" ]; then if [ $3 == "noeku" ]; then
ExtPrefix=${ExtPrefix}"_noeku" ExtPrefix=${ExtPrefix}"_noeku"
fi fi
DOMAIN=`echo $1 | perl -ne '{print "$1\n" if (/\.(.*)$/)}' ` DOMAIN=`echo $1 | perl -ne '{print "$1\n" if (/(\w+\..*)$/)}' `
ADDR=$1 ADDR=$1
echo "making cert for $DOMAIN ${ADDR}" echo "making cert for $DOMAIN ${ADDR}"
rm -f ${ADDR}_*.pem rm -f ${ADDR}_*.pem
rm -f ${ADDR}.p12 rm -f ${ADDR}.p12
case ${ADDR} in case ${ADDR} in
*:*) ALTNAME="URI:${ADDR}" ;; *:*) ALTNAME="URI:${ADDR}" ;;
*@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;; *@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;;
*) ALTNAME="DNS:${DOMAIN},URI:sip:${ADDR}" ;; *) ALTNAME="DNS:${DOMAIN},URI:sip:${ADDR}" ;;
esac esac
rm -f demoCA/index.txt rm -f demoCA/index.txt
touch demoCA/index.txt touch demoCA/index.txt
rm -f demoCA/newcerts/* rm -f demoCA/newcerts/*
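Review bot: The second usage line, "makeCert alice@example.org [days]", cannot be exercised: the argument check just above it accepts only three or four arguments, so a one- or two-argument call prints the usage and exits, and it exits with status 0, which hides the failure from any script driving it (exit 1 is the usual choice). Two smaller points in the same region: the new DOMAIN expression "(\w+\..*)$" fixes the two-label case (example.com previously became com) and now keeps a host-style input such as test.example.org whole instead of reducing it to example.org, but \w does not match a hyphen, so an input like sip-proxy.example.org would yield DNS:proxy.example.org in the subjectAltName; and "[ $# == 3 ]" and "[ $3 == "noeku" ]" rely on bash's == extension to test, which a POSIX /bin/sh such as the one makeCA declares rejects (-eq and = are portable).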
skipping to change at page 42, line 37 skipping to change at page 43, line 16
mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;; mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;;
*) mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \ *) mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \
mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;; mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;;
esac esac
Appendix B. Certificates for Testing Appendix B. Certificates for Testing
This section contains various certificates used for testing in PEM This section contains various certificates used for testing in PEM
format. format.
OPEN ISSUE: Should we discuss certificate chains? We aren't really
trying to be a tutorial. Would it be helpful to add a non-root CA
and hosts signed by that non-root CA to help with testing events? We
do imply non-root CAs in Section 6.
B.1. Certificates Using EKU B.1. Certificates Using EKU
These certificates make use of the EKU specification described in These certificates make use of the EKU specification described in
Draft SIP EKU [14]. Draft SIP EKU [16].
Fluffy's certificate. Fluffy's user certificate for example.com:
Fluffy's private key for user certificate for example.com:
Kumiko's user certificate for example.net:
Kumiko's private key for user certificate for example.net:
Domain certificate for example.com:
Fluffy's private key Private key for domain certificate for example.com:
Kumiko's certificate Domain certificate for example.net:
Kumiko's private key Private key for domain certificate for example.net:
B.2. Certificates NOT Using EKU
These certificates do not make use of the EKU specification described
in Draft SIP EKU [16]. Most existing certificates fall in this
category.
Fluffy's user certificate for example.com:
Fluffy's private key for user certificate for example.com:
Kumiko's user certificate for example.net:
Kumiko's private key for user certificate for example.net:
Domain certificate for example.com:
Private key for domain certificate for example.com:
Domain certificate for example.net:
Private key for domain certificate for example.net:
B.3. Certificate Chaining with a Non-Root CA
Following is a certificate for a non-root CA in example.net. The
certificate was signed by the root CA shown in Section 2.1. As
indicated in Sections 4.2.1.9 and 4.2.1.3 of RFC 5280 [15], "cA" is set
in Basic Constraints, and "keyCertSign" is set in Key Usage. This
identifies the certificate holder as a signing authority.
Version: 3 (0x2)
Serial Number:
    49:02:11:01:84:01:60
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
        OU=Sipit Test Certificate Authority
Validity
    Not Before: Jun 7 22:13:09 2010 GMT
    Not After : May 14 22:13:09 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit,
         OU=Test CA for example.net, CN=example.net
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
        Modulus (2048 bit):
            00:94:93:df:e0:aa:a6:8f:0a:f1:06:1b:2b:60:7f:
            91:87:9f:38:84:43:b3:f2:bc:ac:1c:bc:c9:e0:79:
            fa:ae:d1:9d:76:07:5d:fd:ce:da:e0:38:c2:6f:8c:
            b5:d2:4c:d6:00:84:fd:fa:1a:4d:5d:b5:0f:5e:e6:
            2f:3f:18:c8:31:f3:9c:8e:97:7e:ad:22:0c:32:28:
            39:71:b6:de:a5:18:43:13:d3:d5:62:20:b7:91:73:
            aa:fe:a0:4a:09:16:97:0a:5a:b5:06:1c:57:5e:07:
            40:da:5b:35:36:bd:4c:6f:8b:c1:a1:8e:4b:f1:ca:
            12:62:cf:6f:a3:14:ad:09:7b:47:8e:23:e5:2c:1f:
            6b:17:92:ab:77:e4:3a:db:32:de:5f:d8:dd:e7:65:
            7c:2a:f3:06:1e:40:67:db:f9:0e:5b:de:0c:98:70:
            86:6d:8b:4b:8b:0b:36:7b:12:83:37:0b:86:6b:f5:
            64:3f:4c:02:54:1c:a3:4d:30:25:7f:29:a0:22:5a:
            89:63:d8:d1:46:7c:c7:6f:b1:23:99:39:20:74:84:
            dc:07:f5:3c:bf:8a:61:57:c0:1a:81:57:5b:9e:81:
            d4:93:4c:16:12:59:e5:9e:d0:21:32:3c:99:af:82:
            82:2e:67:8d:ca:3b:28:ad:09:bc:b8:89:61:e1:66:
            7d:55
        Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Subject Key Identifier:
        6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50
    X509v3 Authority Key Identifier:
        38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
    X509v3 Key Usage:
        Certificate Sign
Signature Algorithm: sha1WithRSAEncryption
    81:84:69:18:f5:f6:22:46:52:4f:e1:e0:a3:1d:eb:d4:b6:50:
    6b:84:a2:06:6f:53:d9:5f:b5:4d:65:97:3a:15:c0:d3:37:0a:
    3d:ce:83:9f:c9:36:86:32:bf:ca:08:38:75:44:e1:39:b2:58:
    b9:4e:b2:f9:fc:bf:05:35:14:fa:2a:61:f1:fd:18:2b:a3:14:
    92:f1:6f:84:07:cf:09:8a:f8:2b:27:7f:75:34:46:48:5b:81:
    0c:09:a8:af:b9:9c:4f:b7:3b:50:1b:e0:90:7e:a3:54:7d:1c:
    32:91:b0:86:0e:83:d3:ee:26:b0:3f:67:00:b5:d1:21:02:7e:
    af:fe
Robert's certificate was signed by the non-root CA in example.net:
Version: 3 (0x2)
Serial Number:
    49:02:11:01:84:01:61
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
        OU=Test CA for example.net,
        CN=example.net
Validity
    Not Before: Jun 7 22:13:10 2010 GMT
    Not After : May 14 22:13:10 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
        Modulus (2048 bit):
            00:f6:3a:89:5e:4c:54:32:69:45:10:3d:36:5c:f7:
            8b:5e:28:cb:59:61:7c:0f:fa:17:7d:b5:f0:85:59:
            52:ee:16:7f:1e:6d:97:a2:ad:ed:3b:d6:37:be:4e:
            9c:d7:f1:e5:1f:af:f3:1b:1c:fa:56:ef:13:bf:53:
            44:fc:d0:b8:62:fa:53:1d:42:22:21:66:f0:22:79:
            fd:3b:51:9f:84:10:e2:1c:3e:f9:3c:75:86:97:e3:
            07:53:60:fa:fb:93:6c:2f:12:81:14:b5:4f:ba:36:
            c0:98:18:1f:d5:19:79:22:e7:80:d8:81:0f:16:82:
            46:0c:49:da:c6:d8:59:7d:64:e5:db:47:fa:41:62:
            99:ae:11:c3:ed:8b:cf:72:4c:b4:cb:93:f2:cc:7b:
            28:b8:22:a8:65:e4:c4:33:fe:dc:d1:ca:4f:38:63:
            04:a9:76:fc:0a:d3:29:d6:98:99:b6:9c:58:9c:06:
            55:36:f0:a5:fd:33:2f:65:31:4e:4b:ad:b2:46:1a:
            ec:80:63:b2:d5:8c:68:b1:7b:33:28:3d:8e:d2:c8:
            ff:a9:f6:b7:d4:83:74:ba:4c:26:46:3d:f5:5d:0d:
            47:c0:37:32:8a:66:93:f0:4b:b3:bf:61:24:81:af:
            0f:c2:77:34:19:bc:16:7f:df:41:9f:9c:ab:a8:f3:
            d9:f9
        Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Subject Alternative Name:
        URI:sip:robert@example.net, URI:im:robert@example.net,
        URI:pres:robert@example.net
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        F9:76:DF:A9:18:EC:27:21:1C:3F:25:0A:15:82:41:23:6F:32:0C:94
    X509v3 Authority Key Identifier:
        6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50
    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        E-mail Protection, 1.3.6.1.5.5.7.3.20
Signature Algorithm: sha1WithRSAEncryption
    6c:77:f6:07:12:82:d5:ea:e2:de:7c:b5:16:aa:59:e5:8f:61:
    0c:4c:37:f0:ca:08:83:d8:52:6c:b0:76:db:d4:e9:81:ac:c1:
    78:98:fd:d3:30:41:5f:cc:73:2c:c1:8c:7a:c4:56:6e:39:6e:
    18:21:04:b5:3b:c7:f6:10:64:5b:3f:c0:c9:56:91:55:c4:83:
    5e:0c:0b:1b:03:af:42:b5:21:37:46:1b:43:a4:3e:05:b1:d9:
    96:8f:0d:d4:fc:d5:27:8e:a0:64:01:e0:44:53:33:30:e9:d8:
    9b:8a:80:35:c8:6e:95:a0:62:d3:a5:65:ab:b4:7e:55:91:62:
    73:99:e9:9c:fa:85:8f:94:28:8c:24:f4:18:8e:df:3e:d8:75:
    bd:c6:d0:0a:42:c8:24:ba:76:97:57:80:ac:2e:ba:ca:17:ef:
    d8:3e:7b:4c:86:d9:e0:26:0e:a1:c9:6d:cf:f4:93:ba:d1:67:
    ad:e2:f8:69:68:5f:de:25:b0:5d:69:1c:11:61:1c:79:f8:40:
    5c:98:92:79:3f:0e:8a:a0:5f:ee:91:9b:70:3d:7d:d4:21:98:
    21:96:92:36:d6:c8:40:25:a6:72:ef:6b:9e:11:62:10:74:ef:
    f5:8b:4c:a6:ab:c8:e4:4e:32:fd:38:17:dc:e8:c5:6f:34:54:
    23:cd:8f:fb
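The chain that Section B.3 describes (Sipit root CA, non-root CA for example.net, user certificate for robert@example.net) can be rebuilt and path-validated with the openssl command line. The script below is an added example, not material from the draft or its test certificates: it generates fresh keys into a scratch directory, issues an intermediate with cA=TRUE and keyCertSign, issues a look-alike without them, and shows that a verifier accepts Robert's certificate only through the former. It assumes openssl 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example, not from the draft: rebuild the B.3 shape with the openssl CLI
# (Sipit root CA -> non-root "Test CA for example.net" -> robert@example.net) and
# show that path validation accepts the chain only when the intermediate carries
# cA=TRUE in Basic Constraints and keyCertSign in Key Usage (RFC 5280 4.2.1.9, 4.2.1.3).
# Assumes openssl 1.1.1 or later; keys are freshly generated into a scratch directory.

WORK="${WORK:-$(mktemp -d)}"                   # hypothetical scratch directory
SIPIT="/C=US/ST=California/L=San Jose/O=sipit"
MINCNF="$WORK/min.cnf"                         # minimal req config: no system openssl.cnf needed
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$MINCNF"

# csr <name> <subject>: fresh 2048-bit RSA key and request in $WORK/<name>.key / .csr
csr() {
    openssl req -new -config "$MINCNF" -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# issue <name> <signer> <extfile>: sign $WORK/<name>.csr with $WORK/<signer>.pem/.key,
# taking the X.509v3 extensions from <extfile>
issue() {
    openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" -out "$WORK/$1.pem" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$3" >/dev/null 2>&1
}

build_chain() {
    # Self-signed root standing in for the Sipit Test Certificate Authority.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' '[dn]' '[v3]' \
        'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier = hash' > "$WORK/root.cnf"
    openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$SIPIT/OU=Sipit Test Certificate Authority" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

    # Non-root CA for example.net with the two extensions the draft calls out.
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > "$WORK/ca.ext"
    csr ca "$SIPIT/OU=Test CA for example.net/CN=example.net"
    issue ca root "$WORK/ca.ext"

    # Look-alike with the same name and signer but cA=FALSE and no keyCertSign: an
    # ordinary end-entity certificate must not be usable to mint further certificates.
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature' \
        'subjectKeyIdentifier = hash' > "$WORK/notca.ext"
    csr notca "$SIPIT/OU=Test CA for example.net/CN=example.net"
    issue notca root "$WORK/notca.ext"

    # Robert's user certificate, mirroring the B.3 dump: SIP/IM/presence URIs in the
    # SAN, S/MIME (emailProtection) plus the SIP EKU 1.3.6.1.5.5.7.3.20.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature,nonRepudiation,keyEncipherment' \
        'extendedKeyUsage = emailProtection,1.3.6.1.5.5.7.3.20' \
        'subjectAltName = URI:sip:robert@example.net,URI:im:robert@example.net,URI:pres:robert@example.net' \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid' > "$WORK/robert.ext"
    csr robert "$SIPIT/CN=robert@example.net"
    issue robert ca "$WORK/robert.ext"
    # The same request and extensions, but signed by the look-alike.
    cp "$WORK/robert.csr" "$WORK/robert-bad.csr"
    issue robert-bad notca "$WORK/robert.ext"
}

# verify_chain <leaf> <intermediate>: status 0 only if a path to the root validates,
# with <intermediate> offered as an untrusted certificate the way a TLS peer would send it.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# ca_flags <name>: report the two fields a validator checks on an issuer, e.g. "cA=yes keyCertSign=yes"
ca_flags() {
    ca=no; ks=no
    openssl x509 -noout -ext basicConstraints -in "$WORK/$1.pem" 2>/dev/null | grep -q 'CA:TRUE' && ca=yes
    openssl x509 -noout -ext keyUsage -in "$WORK/$1.pem" 2>/dev/null | grep -q 'Certificate Sign' && ks=yes
    echo "cA=$ca keyCertSign=$ks"
}

main() {
    build_chain
    echo "Test CA for example.net: $(ca_flags ca)"        # cA=yes keyCertSign=yes
    echo "look-alike:              $(ca_flags notca)"     # cA=no keyCertSign=no
    verify_chain robert ca && echo "robert via Test CA: OK"
    verify_chain robert-bad notca || echo "robert via look-alike: rejected"
}

main
```

The second verification fails because the look-alike, despite its identical subject name and root signature, lacks the cA flag and keyCertSign bit that RFC 5280 requires of any issuer in the path.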
Certificate for CA for example.net in PEM format:
Private key for CA for example.net:
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEArbH1kRpK+oFWm90baLII7rpHKnRljRgjwQe/+fHUX1mpRxom MIIEpAIBAAKCAQEAlJPf4KqmjwrxBhsrYH+Rh584hEOz8rysHLzJ4Hn6rtGddgdd
s3wq/QMY/uYkXFBbL3FolIvgtTbG91USq6yvZNdiFPNtMm8U71JN1EapCrCmopBK /c7a4DjCb4y10kzWAIT9+hpNXbUPXuYvPxjIMfOcjpd+rSIMMig5cbbepRhDE9PV
/JrGOtNMYLUHZFFR1W+qv5DV7KIALGJeOc8nGcUB1FU2P9vHPtqx6SuTDaMKEF0s YiC3kXOq/qBKCRaXClq1BhxXXgdA2ls1Nr1Mb4vBoY5L8coSYs9voxStCXtHjiPl
GyarpFFsumabE4Hv8gi5v6ln5C2GodQVL8j9jmYd3ZAH1ULAx87NBRW2KT8Pgl/D LB9rF5Krd+Q62zLeX9jd52V8KvMGHkBn2/kOW94MmHCGbYtLiws2exKDNwuGa/Vk
BYU9FH1JyNPaS4gMvnl56qAR/K6W0G/ml7Hg7QAdqhT4lrajrcfmNx3O5XbpnkDs P0wCVByjTTAlfymgIlqJY9jRRnzHb7EjmTkgdITcB/U8v4phV8AagVdbnoHUk0wW
ygiDX5eODlETQrY46kyfrjaUiHZbJ2qwdhcj5wIDAQABAoIBAQCRYwvxUNjBpdEg ElnlntAhMjyZr4KCLmeNyjsorQm8uIlh4WZ9VQIDAQABAoIBAQCE3eSUNidyvdci
1YpDsAHaEQHQf20hFLuYryv5wnnI9fvDEBik06IH9bfOZES7IGey5nJrJEoKZLdV ncNhrVMIVGOnLCBND1pe7JkfzBVYpo1IkngEVCq53yhJtyyV3y51EnlJYqITDaqs
/1eJaxnEhqQKdVdJh8E2MOYEcMC9ue9A0xZxKfwS8RpVODHfvlGJHdcGUe0+DLuo M+7GXzQQL4munl2jGFKNvBj6zw012IeLwKEO+rEOOsEMqWzrya7SjKFb0JZ0uMnP
aw4DxWktIMHPQSQPf57e9Z9FVLvaBOU8cgqhK62YpzSe53g97EXGKF+rMres/6Mx O0dQJ2KmUfWbsvPJSuq8QELWNNQ1KBPUXtgt/TTqdv2RmzOFcvFnGAn4HHFq1vGp
hLZIgNKAyPzS7xhUJSYScMk8aWubj/yJ0soGCmB8KWPaFyFsDd40mz0M3I6qEVYc yrQEEcKSydEwU3ldZ8uqIvTtGLjSBwyQzrdBPCsRqlNvvAO5E3jwNqVIP7Vm64qE
dFy9cCgsTHdPLRbUqLon5ferQFQhQpZjKhn3a0PxjjnRXcKXqDHSBpVAla5P8ykN BjO6XAqWLgI/iu++2vj29vYkwcRPs3MQ1joYH0olVfJJga6ZAqucOCzZoqTCZoDT
A59L5EBBAoGBANN+f5XZrKTiSYhLJsGC+PU66rUJiCsRNcjCvPKbLKFD31pw4xjY DgiMYoc1AoGBAMUeoUEfl6OcfiGSI/iTVjW+QdNdYF6pWohQOhcl39lOpmgVWw2k
AoFKwwmoU7NrA93NzC7ijwmnTuhS3IV9TDiEuX3lb5tQPi/fs4LxJwD+p5gd1X7s 3BHRkUtVKPJn4LhwkP4gnkHzeqiF14+tKVD/chSiRdVwMV3m5lieEiY2CBQ0tHa+
rVUjubqtLljPTzRtjnV0vkDgmpl0YubtvQfCzqpARfUxSNeGb+ODAIOLAoGBANI/ pnpCNrywW4pbExdRN81xCjBObL9kpSqLZ20WD4tK1fFUjBGdHj1qHcNjAoGBAMD1
LIP8AXr1dG9wM3V759P9DX1SP/zMI4igqw3C1aeDCLJ+baMS6qFq8bler9Qzl8hD U+0Z9wRi50AR6K9XDnSZNudiWgYnO0z2StntQVNCRTSi3PV+O/b1byRotMlZywpm
8U6BLCfSiNdYfuACd6pAIJjvYPGyJrQoWihbB7GdrrWUcOCpLgMCa4HjDUtLUyqU 4o/V0B0jg0n+WM9068QX0b1qTMtrJnTWInT62PWhZCfk8oJi81KhgNXLrCbw9J82
Q9I8EKzDhf5F0Y6IXpWlt35zFA7Br2UWtazOojyVAoGBAMb+300/4xHBWS7Eh1LM leXkfaDyglGEVIuYlpLy252EaGPbL+Fyq+jhEMXnAoGBAJjDoij8OOK9VyrhPStZ
yTL0nKJ6tYTQTKr5kI81MmkKU73lOcjGdpTwo1MS7q6CosCwQs5anfuXUMeIL7Xq 1AgWiKErzpHOIbFeq4Zg/dhFkcU8N7KdP0g356hAOVmTk56c7mFkGgH2leqgv2xD
jy0etOmgV8LrXZfuBBnQjcKB2W9notoqF21kj/z1tgYaCYxrCP+7OMgSjWSV/fkK wK9bKKhBEmnVZwzk80NeTaZ7XUt7hRg5rH83bYBSFL9m0abSdLKslj7VqIWzlCUi
+DG1On82upxaIw+njt+jA3jBAoGBALVbsTaYp149ZRbLnlf1beC7JGu6C2AxZ2Vv oGb0H9vNhXxgD6Ve5J6n7KUNAoGANG20OxU1//Qbn1X+Yj4GSHok5+PaUBeyziuR
0p2oN0ysB1CRJlnI84QSEDlqqBlP99nUYc7qNgCT5157A9aPylGdx4Ck3OcgWaqG lPsZJ9U21qF15iJBis2PQFZO4PLL72ybHLfczz4J+z3nxZ6gPOy36X6LlS3tCgvw
NF8jRtu7vPz88vGYfgwyhjIgfVM5wp+0DVzIW0nrzyWrbDya/ZvwuvvkoKSqBnYY 2tYZw0vx2cEkf3cBZC9LwUuQ4BfSb7w2KHvYArZB4IJTMoboSs9ACuGiN5ejv98X
xNYv2FqRAoGAXjAUgIfsjZcx69SwC4GkZdrq3ipoqEUxgPqZl46Nl79WAYaBmCd5 hLQ6iXsCgYADkbNdPjF8e8mwf7XmebDv+sjvUZ2M0H5dzM+QC96X25EQ58/EwASq
4R8sdhVY8j4+CHxmluv9f3FTqtomCkp1XtjihUtyihKl/xC6Xgk4EnPg88ZaIX70 i9LYO/dB3U5bfikFI3ZoLiNj9F+Moe7IaHFqMYqYNdNei/QBRa6GBLxAzP6kZ+N+
Dok3E3dzccrCjhdhogYPhKV4vp7n3yB4fh+FutmD7GhTDFM34NlEBuA= MP8CcUDezwr2h5MiMdErjeI/GziIl6tqsSggZuW+DnU4JhOspJzMBQ==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Certificate for example.net Robert's certificate:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDxTCCAy6gAwIBAgIIAlUBOAIAAG0wDQYJKoZIhvcNAQEFBQAwcDELMAkGA1UE MIIEMDCCAxigAwIBAgIHSQIRAYQBYTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQG
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4w EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
DAYDVQQKEwVzaXBpdDEpMCcGA1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBB BgNVBAoTBXNpcGl0MSAwHgYDVQQLExdUZXN0IENBIGZvciBleGFtcGxlLm5ldDEU
dXRob3JpdHkwHhcNMDkwNDMwMjEzNzA2WhcNMTIwNDI5MjEzNzA2WjBbMQswCQYD MBIGA1UEAxMLZXhhbXBsZS5uZXQwIBcNMTAwNjA3MjIxMzEwWhgPMjExMDA1MTQy
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux MjEzMTBaMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYD
DjAMBgNVBAoTBXNpcGl0MRQwEgYDVQQDEwtleGFtcGxlLm5ldDCCASIwDQYJKoZI VQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxGzAZBgNVBAMUEnJvYmVydEBl
hvcNAQEBBQADggEPADCCAQoCggEBAMbRhCP0KuQJqmOR2Fo/DZx6tx/PpnKhZBpu eGFtcGxlLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPY6iV5M
Euw8PkFpmQBm/p7MvpzicT/iEwWP48PokCRwwK9uB1tMTMXObyM2cv4q7vwqV8Bp VDJpRRA9Nlz3i14oy1lhfA/6F3218IVZUu4Wfx5tl6Kt7TvWN75OnNfx5R+v8xsc
3afhG2GLwxuoUAl4quS3/31nnnwE2+sKORLrFDQ80lm9G6DRua4AKTXbpsNbHB49 +lbvE79TRPzQuGL6Ux1CIiFm8CJ5/TtRn4QQ4hw++Tx1hpfjB1Ng+vuTbC8SgRS1
MW6bHe6Yil7YUd5/n+OMu7EDWgyham0rrzjNdbR8gLl+Z6Up9jARWwwaWRKGxJGh T7o2wJgYH9UZeSLngNiBDxaCRgxJ2sbYWX1k5dtH+kFima4Rw+2Lz3JMtMuT8sx7
Dl5kWLS5bmlOqNOnomxisttnDwzbrq5aWn5Wz3kjRqlAjgvhtEiotYLDetpILlSt KLgiqGXkxDP+3NHKTzhjBKl2/ArTKdaYmbacWJwGVTbwpf0zL2UxTkutskYa7IBj
m3jUYGx8OUzPUSGNYDBxrr4kz2ltidJfdtcbQkQJ/w8NKxeZWekCAwEAAaOB+DCB stWMaLF7Myg9jtLI/6n2t9SDdLpMJkY99V0NR8A3Mopmk/BLs79hJIGvD8J3NBm8
9TAfBgNVHREEGDAWggNuZXSGD3NpcDpleGFtcGxlLm5ldDAJBgNVHRMEAjAAMB0G Fn/fQZ+cq6jz2fkCAwEAAaOBzTCByjBRBgNVHREESjBIhhZzaXA6cm9iZXJ0QGV4
A1UdDgQWBBSxkh6t3TKqE/MN9yVjRnNfwUyUAjCBmgYDVR0jBIGSMIGPgBRrRhcU YW1wbGUubmV0hhVpbTpyb2JlcnRAZXhhbXBsZS5uZXSGF3ByZXM6cm9iZXJ0QGV4
6pR2JYBUbhNU2qHjVBShtqF0pHIwcDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh YW1wbGUubmV0MAkGA1UdEwQCMAAwHQYDVR0OBBYEFPl236kY7CchHD8lChWCQSNv
bGlmb3JuaWExETAPBgNVBAcTCFNhbiBKb3NlMQ4wDAYDVQQKEwVzaXBpdDEpMCcG MgyUMB8GA1UdIwQYMBaAFGqIu/Rp/FGSsaDMDgvqIURnF4hQMAsGA1UdDwQEAwIF
A1UECxMgU2lwaXQgVGVzdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHmCAQAwCwYDVR0P 4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQAD
BAQDAgXgMA0GCSqGSIb3DQEBBQUAA4GBAByhC23DAxjh3PII0wvqZxMh6WbQJ+JB ggEBAGx39gcSgtXq4t58tRaqWeWPYQxMN/DKCIPYUmywdtvU6YGswXiY/dMwQV/M
x2tpAywGbNvEpL7yRqJCwLoMofWsBOnWRVEHl020h9hpqjFTNWhq2XuUh45yedEI cyzBjHrEVm45bhghBLU7x/YQZFs/wMlWkVXEg14MCxsDr0K1ITdGG0OkPgWx2ZaP
jhFBgOpGn3qWUnGLmbT6iLzCPayrvTSRWpt7NnMyAQJdfRXlZN3gl+czyKegtfki DdT81SeOoGQB4ERTMzDp2JuKgDXIbpWgYtOlZau0flWRYnOZ6Zz6hY+UKIwk9BiO
l9Lb3Ne0UpV+ 3z7Ydb3G0ApCyCS6dpdXgKwuusoX79g+e0yG2eAmDqHJbc/0k7rRZ63i+GloX94l
sF1pHBFhHHn4QFyYknk/DoqgX+6Rm3A9fdQhmCGWkjbWyEAlpnLva54RYhB07/WL
TKaryOROMv04F9zoxW80VCPNj/s=
-----END CERTIFICATE----- -----END CERTIFICATE-----
Private key for example.net Robert's private key:
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxtGEI/Qq5AmqY5HYWj8NnHq3H8+mcqFkGm4S7Dw+QWmZAGb+ MIIEpQIBAAKCAQEA9jqJXkxUMmlFED02XPeLXijLWWF8D/oXfbXwhVlS7hZ/Hm2X
nsy+nOJxP+ITBY/jw+iQJHDAr24HW0xMxc5vIzZy/iru/CpXwGndp+EbYYvDG6hQ oq3tO9Y3vk6c1/HlH6/zGxz6Vu8Tv1NE/NC4YvpTHUIiIWbwInn9O1GfhBDiHD75
CXiq5Lf/fWeefATb6wo5EusUNDzSWb0boNG5rgApNdumw1scHj0xbpsd7piKXthR PHWGl+MHU2D6+5NsLxKBFLVPujbAmBgf1Rl5IueA2IEPFoJGDEnaxthZfWTl20f6
3n+f44y7sQNaDKFqbSuvOM11tHyAuX5npSn2MBFbDBpZEobEkaEOXmRYtLluaU6o QWKZrhHD7YvPcky0y5PyzHsouCKoZeTEM/7c0cpPOGMEqXb8CtMp1piZtpxYnAZV
06eibGKy22cPDNuurlpaflbPeSNGqUCOC+G0SKi1gsN62kguVK2beNRgbHw5TM9R NvCl/TMvZTFOS62yRhrsgGOy1YxosXszKD2O0sj/qfa31IN0ukwmRj31XQ1HwDcy
IY1gMHGuviTPaW2J0l921xtCRAn/Dw0rF5lZ6QIDAQABAoIBAHxgwCDZ9CcaoNyP imaT8Euzv2Ekga8Pwnc0GbwWf99Bn5yrqPPZ+QIDAQABAoIBAB00MijCCtZzz+Iu
deDnRzWYU410EzXtHzmlmPLusSeszwnAZROlFK4Cv0RuwuWc4alCiUIyw2g8FiAY MG10Ws5PLlcqjcljUzfwxVc7ke91MZyNSQfdcx6+uJvUvRuLsC5C8yWLGVIIRyJR
eILapQ5LVt8Irt9UAfeegwsuOTnp/FIGFqQGOCrDrPKf6za8t3OvvorGQ6p2TkXT IQSPSN9Ma2Ez/9JQYDjmmRdZBf9m9Tp+aZc3JUCMh8jm3r3J7XHj0vV+z7b5WXxw
l0AhU961vRIzan0WN133fEAsjCohavopWJfPKVYROsdqOEeqtw1m1QW7a9p3jo/L mA3xWIHATXLgU8bKqr44YD9nV63cdymmpIWoVwGaU7AO4FhRXnL7wAfrNWy2nl+6
4jBw+xyLnlis5D2xxOjDjvRWDP/NEKAoWPBS4+VFRAnLdqOEIAqBVG0Q+SvZ6efy FGpFw/AifIucruXIhdXdD87rxZjMVE0CyEfjbvWLKi3PjMFFuvq4rl7tFEPzJJ1h
ViI8xhBMq2rda29rNMZkdK5cEr3X0g44YzC70zWgMuXiOIzLYxCEKw9BfhLQPOFw WqZ/B21C8DfrdN14NBwKZMco9DEXtEq2eJbdyfp4tc4Ppw2sW6jyEE9b8y2E8AuI
YOTNGYECgYEA7Orf2TDxScuESMJh+tlqXjssEbU43K+ox91NVh+U4gvmtWLUHgxC pIGvVyUCgYEA/8zi4v+06x40HX9cmrfPbZGgyqTIOrKikmQJvStP7kUjtcG5lFWX
EYT/j+Fvd2FoRKfhWEoVJ9K24k+admPdDv4YIPxaUuRlSxmo8FeHhzY62Fkv8Gss kQGak/lLBAFYKq0Vz0sMvaL1b3gyMACOZbq3bns8mMHn1QeDX3p6Kw9nV7OHzl2g
sCf7SsJ+HLGZcOlkF7ed/eMn+XzvWgHR6bHqLOIQS2hhslIlm03mVjECgYEA1tUO ZDTw9XtjUXGK6IwAnKfwI3BKqnmU/X8gGgscs1wbvgeHxceKu0UzRhcCgYEA9mu8
sHSDCJ3AjLQeCU0iVn4aDMrA8HlJ4NBJqFnl2sSCZT7nxvs3YIfkTQ35hg6Zz12A 2wrY1lDZ4tHTXwr9obgEP9iMpgd5mFFYNPdJt5XCePyhx/vkCp+8M9oW3Q7zDva1
6gF9hcHk87mHDB579qVBHRauAO5czTy1CAGF6e3gzMy1oz4eaFqoV9NMZfkSuaok l/r70rccypjsdXGsL0A114yQjUfdEufaYeUakeUYKdP+lFTDuYhnDZExzm/X9L7w
egBl4k73C8P9Y/o7L9v6aJZ/hrgaEX8P0j4DeTkCgYEAwNFfocp9dkvWu8jIKXqt 87Q1y0q56+cQD0Dj0jPrxMT+wEwS7a7hGIaq+m8CgYEA7SKwVwX8X1bRs2LFo3yx
YUfTVA4j2yhzu0ZXXNKTP23kNJfcfyAG3W9a92TIbWavj8D6W/rfQOvzwDh9RAF+ I/80E4gtQxUlVxa8XI0RfW7FCxM7ikLKzpexCGq720uvw2hP5qrJdefjJeJEjHGH
tmcCiEYZ1QDhl7+oiQMT4G24csATjh4L3sqLcIreTMgWU5j/x3W/dhRcQmb1/lEg kNFGiXpfk7F2zOs5I8M0DEUsZYY+aNYtAZh+pOQtD2x1/N0FGDUrjn7kCSPLNjGq
4IvWRPUvwc+QQ6srxDwgTOECgYBK0i9og1uzn4WVO5IOeT/RUd/uvprN5eA2HTTa vdn9Ul0aLtFmUbiJaNBfFyMCgYEA7toXQKoO7A2KZNTFcQaSOcLIO6qHCheMwRt3
Hl0wgSpM6si8g3f49bssnwZdiy5Ei3M/jL9T24DK5b3EGcXg1BNGd0So7FuD23XN yD858Pz0d5lIpzN9It8Z6ZinOLZY2lRASIQ6u1BKVAZOjLgWEebHSZsyMf9KRhz+
UQJ7w658hXtpXFQo0hI5bEz6YvIDmd9UYlkZpZjjDyJsNJVyiLHAxVGq8OmbWF6B DI2pZ2kMNt8JkHVpEdkpKnlmMZcvWEgL/ezbh6Vy+ToK0v4u1X0GNsBLvdD/N+ue
Qbnh+QKBgQCF4xV6Ha7dSRZoU6iPYp2t6y4JRCXf9H1kIJVrFzPv0sfysdwflbJS u8ssx3kCgYEAt9BBcdkN3sB2Py9yOL+hri53/n/wVBK76nwscDZjc5QP/VYfQn9y
XAn+206ShYN6OBPt6f9As6oggw+xzKiiAxHdlhsipuUlQRIUGMIxJ1DQcXtsLp7L JawOm56vXzi4jiWmi7A7WJpYAUahkralctik8+uig/fR3SNSQgweaUtj+Y+jNdx0
8YeoLWCvYknXw/k5TT3uzrZ6I5GsqzNSzh0jsay91zp/4qrdcnr7fg== aA9FJE2Z/xJeKyWuNcUdr+Lf5mKd05WFKER4ir6d9dRaO6gGcIhoMak=
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
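Robert's certificate above (the right-hand, -03 column) does not carry his SIP identity in the CN; it sits in the subjectAltName extension as URI entries, which is what a SIP UA has to compare against the sip: URI it is authenticating. The following is an added example, not part of the draft, that walks the DER of that certificate with a minimal tag-length-value parser from the Python standard library, lists the subjectAltName entries and performs the exact-match check. The PEM is copied from the right-hand column of the listing above; the parser assumes single-byte DER tags (X.509 uses none longer) and names only the three string-valued GeneralName choices relevant to SIP, reporting any other choice as hex. Bear in mind that the matching private key, and the issuing CA's, are printed in this appendix, so the chain means something only for interoperability testing.

```python
"""Added example, not part of the draft: extract the subjectAltName entries
from Robert's test certificate with a minimal DER walker (stdlib only)."""
import base64
from typing import List, Tuple

# Robert's certificate, copied from the right-hand (-03) column above.
ROBERT_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEMDCCAxigAwIBAgIHSQIRAYQBYTANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQG
EwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2UxDjAM
BgNVBAoTBXNpcGl0MSAwHgYDVQQLExdUZXN0IENBIGZvciBleGFtcGxlLm5ldDEU
MBIGA1UEAxMLZXhhbXBsZS5uZXQwIBcNMTAwNjA3MjIxMzEwWhgPMjExMDA1MTQy
MjEzMTBaMGIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYD
VQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxGzAZBgNVBAMUEnJvYmVydEBl
eGFtcGxlLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPY6iV5M
VDJpRRA9Nlz3i14oy1lhfA/6F3218IVZUu4Wfx5tl6Kt7TvWN75OnNfx5R+v8xsc
+lbvE79TRPzQuGL6Ux1CIiFm8CJ5/TtRn4QQ4hw++Tx1hpfjB1Ng+vuTbC8SgRS1
T7o2wJgYH9UZeSLngNiBDxaCRgxJ2sbYWX1k5dtH+kFima4Rw+2Lz3JMtMuT8sx7
KLgiqGXkxDP+3NHKTzhjBKl2/ArTKdaYmbacWJwGVTbwpf0zL2UxTkutskYa7IBj
stWMaLF7Myg9jtLI/6n2t9SDdLpMJkY99V0NR8A3Mopmk/BLs79hJIGvD8J3NBm8
Fn/fQZ+cq6jz2fkCAwEAAaOBzTCByjBRBgNVHREESjBIhhZzaXA6cm9iZXJ0QGV4
YW1wbGUubmV0hhVpbTpyb2JlcnRAZXhhbXBsZS5uZXSGF3ByZXM6cm9iZXJ0QGV4
YW1wbGUubmV0MAkGA1UdEwQCMAAwHQYDVR0OBBYEFPl236kY7CchHD8lChWCQSNv
MgyUMB8GA1UdIwQYMBaAFGqIu/Rp/FGSsaDMDgvqIURnF4hQMAsGA1UdDwQEAwIF
4DAdBgNVHSUEFjAUBggrBgEFBQcDBAYIKwYBBQUHAxQwDQYJKoZIhvcNAQEFBQAD
ggEBAGx39gcSgtXq4t58tRaqWeWPYQxMN/DKCIPYUmywdtvU6YGswXiY/dMwQV/M
cyzBjHrEVm45bhghBLU7x/YQZFs/wMlWkVXEg14MCxsDr0K1ITdGG0OkPgWx2ZaP
DdT81SeOoGQB4ERTMzDp2JuKgDXIbpWgYtOlZau0flWRYnOZ6Zz6hY+UKIwk9BiO
3z7Ydb3G0ApCyCS6dpdXgKwuusoX79g+e0yG2eAmDqHJbc/0k7rRZ63i+GloX94l
sF1pHBFhHHn4QFyYknk/DoqgX+6Rm3A9fdQhmCGWkjbWyEAlpnLva54RYhB07/WL
TKaryOROMv04F9zoxW80VCPNj/s=
-----END CERTIFICATE-----"""

OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")  # 2.5.29.17, DER-encoded
# The GeneralName choices that matter for SIP identity; others are shown as hex.
GENERAL_NAME_TAGS = {0x81: "rfc822Name", 0x82: "dNSName",
                     0x86: "uniformResourceIdentifier"}


def pem_to_der(pem: str) -> bytes:
    body = [ln for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def der_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Assumes a single tag byte, which holds for every tag X.509 uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes carry the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed element into its child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def subject_alt_names(cert_der: bytes) -> List[Tuple[str, str]]:
    """Return [(kind, value), ...] from subjectAltName, or [] if absent."""
    _, certificate, _ = der_tlv(cert_der)
    _, tbs = der_children(certificate)[0]           # tbsCertificate
    ext_tag, ext_wrapper = der_children(tbs)[-1]    # extensions are [3] EXPLICIT
    if ext_tag != 0xA3:
        return []
    _, extensions = der_children(ext_wrapper)[0]    # SEQUENCE OF Extension
    for _, extension in der_children(extensions):
        parts = der_children(extension)             # OID [, critical BOOLEAN], OCTET STRING
        if parts[0][1] != OID_SUBJECT_ALT_NAME:
            continue
        _, general_names, _ = der_tlv(parts[-1][1])  # SEQUENCE OF GeneralName
        names = []
        for tag, value in der_children(general_names):
            kind = GENERAL_NAME_TAGS.get(tag, "tag-0x%02x" % tag)
            text = value.decode("ascii") if tag in GENERAL_NAME_TAGS else value.hex()
            names.append((kind, text))
        return names
    return []


def cert_asserts_sip_uri(cert_der: bytes, sip_uri: str) -> bool:
    """True if sip_uri appears verbatim as a URI subjectAltName entry."""
    return ("uniformResourceIdentifier", sip_uri) in subject_alt_names(cert_der)


if __name__ == "__main__":
    der = pem_to_der(ROBERT_CERT_PEM)
    for kind, value in subject_alt_names(der):
        print(kind, value)
    print(cert_asserts_sip_uri(der, "sip:robert@example.net"))
```

Running it lists the sip:, im: and pres: URIs for robert@example.net and reports True for the sip: URI; a request claiming any other sip: URI fails the check even though the CN also reads robert@example.net, which is the point of looking at the SAN rather than the subject.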
Appendix C. Message Dumps Appendix C. Message Dumps
OPEN ISSUE: All of this binary bit-exact stuff needs to be verified
by someone other than myself. I'm looking into ways to make this
easier for someone else to review and verify. Any code I make
available will be OpenSSL-centric. -BCH
This section contains a base64-encoded, gzip-compressed tar file This section contains a base64-encoded, gzip-compressed tar file
of various CMS messages used in this document. Save the base64 of various CMS messages used in this document. Save the base64
data between the markers to a file foo.tgz.b64, then run a command data between the markers to a file foo.tgz.b64, then run a command
such as "openssl base64 -d -in foo.tgz.b64 | tar xfz -" to recover such as "openssl base64 -d -in foo.tgz.b64 | tar xfz -" to recover
the CMS messages for use as test vectors. the CMS messages for use as test vectors.
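The recovery step described above, as an added example that is not part of the draft: the Python standard library equivalent of "openssl base64 -d -in foo.tgz.b64 | tar xfz -", with the one check the shell one-liner lacks. Every tar member name is inspected before anything is written, so an archive containing a path such as ../../.ssh/authorized_keys is refused instead of being extracted outside the target directory. The archive it round-trips is constructed inline as a stand-in; the real archive below is not reproduced in the code, and the file names used are placeholders, not the names of the draft's messages.

```python
"""Added example, not from the draft: decode the base64, gzip'd tar of CMS
test vectors and extract it only after checking every member name."""
import base64
import io
import os
import tarfile
import tempfile
from typing import Dict, List


def decode_archive(b64_text: str) -> bytes:
    """Drop the '-- BEGIN/END MESSAGE ARCHIVE --' marker lines and whitespace,
    then base64-decode to the raw gzip'd tar bytes."""
    body = "".join(ln.strip() for ln in b64_text.splitlines()
                   if ln.strip() and not ln.strip().startswith("--"))
    return base64.b64decode(body, validate=True)   # reject stray characters


def unsafe_member(name: str) -> bool:
    """Absolute path or any '..' component: would escape the destination."""
    if name.startswith(("/", "\\")):
        return True
    return ".." in name.replace("\\", "/").split("/")


def extract_test_vectors(b64_text: str, dest: str) -> List[str]:
    """Decode and extract into dest; return the sorted names of the regular
    files written. Raises ValueError before writing anything if a member is
    unsafe or is not a plain file or directory (no links, devices, ...)."""
    with tarfile.open(fileobj=io.BytesIO(decode_archive(b64_text)), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:                          # check everything first ...
            if unsafe_member(m.name) or not (m.isfile() or m.isdir()):
                raise ValueError("refusing unsafe tar member: %r" % m.name)
        # Also use the stdlib 'data' filter where this Python has it (3.12+
        # and the security backports); the explicit check above runs everywhere.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        os.makedirs(dest, exist_ok=True)
        for m in members:                          # ... then extract
            tar.extract(m, path=dest, set_attrs=False, **extra)
    return sorted(m.name for m in members if m.isfile())


def build_sample_archive(files: Dict[str, bytes]) -> str:
    """Constructed stand-in for the appendix data: pack name->bytes into a
    gzip'd tar and wrap it in the same marker lines the draft uses."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    b64 = base64.encodebytes(buf.getvalue()).decode("ascii")
    return "-- BEGIN MESSAGE ARCHIVE --\n" + b64 + "-- END MESSAGE ARCHIVE --\n"


def demo() -> List[str]:
    """Round-trip a constructed archive (placeholder contents, not the draft's
    real CMS messages) and return the extracted file names."""
    sample = build_sample_archive({
        "sample-signed.cms": b"constructed placeholder, not a real CMS message\n",
        "sample-encrypted.cms": b"constructed placeholder, not a real CMS message\n",
    })
    with tempfile.TemporaryDirectory() as dest:
        return extract_test_vectors(sample, dest)


def demo_rejects_traversal() -> bool:
    """A member named ../escape.cms must be refused with nothing written."""
    evil = build_sample_archive({"../escape.cms": b"x"})
    with tempfile.TemporaryDirectory() as dest:
        try:
            extract_test_vectors(evil, dest)
        except ValueError:
            return os.listdir(dest) == []
    return False


if __name__ == "__main__":
    print(demo())                    # ['sample-encrypted.cms', 'sample-signed.cms']
    print(demo_rejects_traversal())  # True
```

To use it on the real data, pass the text between the BEGIN and END markers below to extract_test_vectors() with a fresh, empty destination directory; the decoded members can then be fed to "openssl cms" as test vectors exactly as the shell pipeline would produce them.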
-- BEGIN MESSAGE ARCHIVE -- -- BEGIN MESSAGE ARCHIVE --
H4sIAOoQWksCA+xcaUATV9cmYV/CIoriGilisQRmJjNJAEHBhEVJEAjQpFqZ H4sIAD1sDUwCA+ybCVgTV9fHCchiMAKCSxVKpC5VDMxMJgsgKBp2krCEJVHA
JBMSyGYSBIOoRaUW14ILWkVcEVRk0brgjhuyVdzB7QUtiFvFutRafYdqK0UU kExIQrYmQSBYRcQFVKqiouCCK0pVUERwQRSKglrBDQoodcetShW0StU3qa0i
v764ftw/Se7MPXMyuec8z33OnQjlGopGLpVjFLkm2lWEavU6vwF4o8Hwn690 BfF7X7CVj/s8PCF3Zk5uJvfc3/+cc4cjVuAUYoEYwYkVETZctlKr+xsAAEQY
GvKPV7xBCEDTA0GITqdCCJUK6AEgFQJpemRA7x20OI0WVZPJegK1FFW85ryO xmpeSUTCe6+aBsEwHguCMICHiESABGMBEIZJRC0soPUJWpRCyZarhxIuF7Al
jn+kjc0KC/PxZ5E1UpVHbJxcGqscjiWgcpUMc1VgWnJY4Gg3yBUgmUVIUY+/ Hzivq+Nvvgv27etn0qgu/v7Obi5YhUBmHxklFkRKJyMxbLFMhNhIECXW38PH
PrlxR4wmQwDDlU53BRkMV5BG8wARAAA9BWpUIZR46dwl/rBgFEXEoCOwjgKL FrIBMOhAAdv+r3e2jKk+WNBO/Z8NZAPZgwQAAB3C5WwJh++osuO7weFeOC6Z
3SEUpjEAOgohGABQQArlr2OeapVSrfVCYAQASWZsNIHip1THo2qRxoNMx687 RIBVOBKZTOQCMJGsPoUDAyAOxOH+OuYgl0nlSkcCQAIJGDSVHYNzlcqj2XKu
QqnQokKtB3loi4diWZxYPPFvD4VKuTfJjKt8fvRl//Gjfmql/NWjPbVotJcA wh5LUn8kQ2qPndjxuJwwaFe5VPzncZ4oiseLfXucIxU7OSjZEY52eDxCAIlq
hejuEIDgV0NlMkog04PMhvxkHGiklC3nxPJj+HKOPBxmR4YAnEiejiMPBIO5 U1PZIhHOg2KPZQkD8FQVU0VTRUB0RgCeqeIKaUJmLJXiHEujRKioKipIVflG
khgeVxbDjwx3xYeFYeM9yCD5+c0kmfkIhZgKd1oeJ9NKVaha66aRRiswkQtZ U4NcbNSX+SPf2GPJMAmP/fM+YdDOHA4iU9pjxVEipUDGlittFYIICcKdgFUi
iyVo3VQyVKpwIaMqlUwqRLVSpcJNFSvU0CktgfjPfo1I5dLKDCrTYmoFfmgC MUpbmYgtkEzAsmUykYDDVgqkEltZJEdBwml87P1+BVc2oY0ZtkiJyCXqQzMR
9uzeYAothTtRhb18LU+BMk4hQtUTvQQwDQIhWCymCWkoCoo85bh1WbSXRoKC 9SdLJUpEosQxYmXI3z/LIVwaJeGy5bGOJNiOCCJQuB1IYhMhAs9BrLYuinBU
niq1UqsUKmVeDi+702II1capMYcXFwvCFNFaCf7j0BgkM5IZhdLWelu/Xnzj 8Nmgg0wuVUo5UpGj1d+HozHEVkbJEat3H+aNSCKUfPXNJ5IxaAwah2tvvf24
VkfweaIRY2oKSyFUiqSKaA+yQKrAfW0xKcFkMuWbWH6Nw54KVI55/ZnYXFV0 3n3jNkfU80DBQ+Q4FwlHyhVIIuyx4QKJeqwak+6ISCQd+TGmPzBiBwlbjDj+
zYuRTKlGpdRIW8bgBrT43JLI8X5PCaoQyXBHvNTY+DipGr99YqkMe5WV1/oP sWjZyEiKd1dSBAqZVCHQXKM2oFSyOXyxut+Bz5ZwReqROMqRb6IEcvX94wlE
JBNOGJkOSQlIeUAiGBOzkgkH8a59RAIBNAWMjQy/sNQn9gbMX5xCAJMJK/FT SGdWPvgFgATUeb3+4xe4L3iGQelrZyagStVdxdooFNgf0NfTtR6ooz0cMHx3
luOnAJMAFWgOmBrphxsY2RLDw0BbwKblg4ntn9NTKlaqFVIUtAGsWnqNbU3C CgpMQGWqT1mnPgWIA2SgIdBfTyegn56pdoA/aAqYaN4YmP4xRQU8qVwiYIMm
UAV5pFKDgZaARUsXyczWEJ/tUi3oDAxu6TC3JYe1fCZzMY2WPAJTa6XiltuG gJGmV9/UwJ8twXpKFQg4EBig6cKgTXXVM16gBMcBYzUdhqZYf817LANRKLFT
kX3itBKlWqqdSDQhhBK4hPl6/i8cJP3tIIFgqGeQTNArMNHL7bGRJ+8tFqPD EblSwNPcNgTrHKXkS+UCZay2voe2CSoRNf3d+DBvx4dC6Wr1S0Bp6eWsfmjJ
s4sLTk+CzlbyMurnSReYrm0+CCsD2RGiJ9dzmsaPZW6xiN9vufcP357101dN rciXb9f/rfjZKmrtrJqnp7UA14uPDs03Sb5/UCflN3jQ2gE71/ifHNpwixcy
/tpWtu7hFzmOw/bkdQ+xJHkvTV9qFzpow+e5h+b0uL7Ied8P50K9GWeNUygO LZOXmZrkb6H3oMXY/PJid5abR6v2xuDV+daox88x6DEqg1gLMOZYxTenAE9W
n68QW2kvFQjNnUghNrc3cQnyNaXYYe+E+sq+CXyfGVvJDivMVXxzwYDbaRFx GTcpPhyDbm2pCBscF4iLc9rE23EmbEoRlXXtatx968Yyd/9wz6rsr1ftxNyY
DoN85n9xr5tJlLHpAw3/ux2kOwHcp30flay3/lL+ZUavteZFjo6nKmupj8G4 mOnk62y+d1CoW/Zm+yrVqjvSHScwc2Nf6Yz0WT4Cg06rN/Euvx1me9xqbOVM
axt7DCA2r7/sMax/tcN2dpMNycxkQnb3PuHzGhr6XrZr6CM4ebKZZDZpQ76L ovlVDmkV8ujwnMZAt2llWSNmmqYJTYuGkiyOWKe7i7B3Bxw9RFtvCzod2ip9
H9Fk27Eh/U3K2H1zTeHcsHG8hV5Hvr3Qc06CAaG9WUmhkMw+3vwvxzQaNBqj cOqmtqXN7kW2K5+Uhkwq/lntyMDQ4Rstnt7PUxlem/Iz0eVwR9MSh8OgtXpz
aGUaihrTqN4GBegA/wEEgdviP50Kd+H/u2jPIR2Hc4AcPKotzgeF/V9wnirA EyMKBTsCwSlFCpwcUch6QgJ0wX8AJgHt+E+AQLCP/5+i/Yl0LKQeM92rPee9
6DQaXQwyRJAYoQrbxXnY3b0tqre5BE4HQU9tS4b9cwjuRCuQ17SD8n+OeAbl /T+S83g8l6z2HJIdAU+AYYJdJ5zHv6O6ogOs2xMAIviG3WyAC4MEmNwW9IoO
AIDRIHcarTXua9oB/mff49kYCMNjGaWJW8E/R84COcxYkKfzk/PkbB2bGRET SP9mVG+uAQEeTOISoTa8p1MCCEyGr4rJoMYyhbRIlprzdAonlu7mKaAG0cT0
zGXFs3URMn4MJ5bN9Y3h+/NlbB2vPfhvi5VACyx8mFmiVfy/JfbfYfyDAIi0 IJaYJWZCVLeAt7yH8QD5He/bwxHQYKD3LApt/L+H1H/X/k+Cwfb6H4Lxff7/
iX+IjnTx/3fN/18ZWq9aBbyt7NDBKuA18fwmeeL9pob3sTJoj4H/lZpoLYkp ifV/px7ZWRTQA6tD51FA5+vFP75E/BMhQUfS+68lithWanfx+0ukSGQUjtOj
oIVxD/yYaUxX+5dNocRi4yjCt6oCdaz/tM3/MLWL/306+o+7u4CKQDSaO4yJ WYCu4/+/8Z8IQn3+3wvifxAkE/AwwIPsELIdAHE68Xy7Hon/ESAcBiASsY2z
hCJI+Ar9B3lv+o87SBe406mtsjyfGYJwuDxdMFcWy4ZYCcGR4fEcJieGExkS U4UeMWpXBpjCQDGLwdI4O0hncPksYYSKKQ4UsIR8MQ3yFLOEzM8i/keIRBiC
z9FFI2ydnxTP/SAP4n34+g8ECGEhADMwDBIhCJ3WufpPW+udp/90ZLlL/+k8 iHgul00Khwik7o3/21vvxvi/K9N98X93x/8zPhT/Tzt3aE9J0swpLpVpRtkN
/YcYTmAQ9fRiXqf/zMcysW+epHVXBXkmFP7MEAyydZtsN6Zf6ObEG9HZhw/3 dXkBtpjI2kXxoU4mW5vNWnI8m3YP9SuCVh30+EHQsj+/P9ZJetU+6KX2wsup
n+PiYHdySeDF81mohcn4mNSaL6pzhzUOoVlXVaiLzntfRU/S1ydklrrs2Kw8 tGtm8w6qLoXpz7EpGYOdNwpbGOu0Tw+DtrBcpDh0s3zf1cv7AlAxaZil95N8
kzrkqMZZ1zTm5x22N09v/kn+6ORYpNd1eKZia9WRtAaRO+J/fLspp98BYWV9 mNNsoDlBc8XFRc359rT6vbNLhmotK7K8oO+x63D8hdxSez1rv3HKPbrPfq42
tdWi7sk7XK/dqIo2spvyc9gC/x1bClnF3YMSo9luO46ZW0ROSJ5rtYBkNjPM zUkyLMTfF2Kuy80sxnwFAmnWj89h5167wYRjzuXyUHHxjlVPzz7PuuU1/4Ll
Qj+XUv3ZKPvU/csz1+ZbQVM05uUpCbnOEwsr5xyaPKnh+Kbfk88mCtbHR+Xs y8VfmRFKiVR+TrpWcSBLx9ycvv6E82iwufQIx8xlDXtcCV83q8y45PiJnS91
vfd4burxXy+s3TYn9/xn/Ysr1xWvcTy8Td4/4MbRZQ9HLFjUeP7YUhfehuyG lsourFm0JCxxXM3YAUfWKx4dOGI+CZ/R0Zzs9cH/W/6/YT8i4chjZUqE280K
HRW/AMeSmE9WlLc3KT9u+ec5/j/DfkwhVE9UaTFRJzOAjvCfClDb4j8doXfh oCv+Q3hSO/4TIZjQx/9ewH8ekc2GyPhwIhIOETkQu2P+Q0CP8J/IIZO5HIjQ
/6eC/xACugupCBUBaUIc6KFX4D/tfeE/jQbScbfcW+F/MJMj4XOj41tWe2yI Nv/P4MRSxX58mlsAyBR74JmQn4BOoUbTKb4wlaJWBhQOTGU4qwOCiLf8V09L
h2O+r5QD8WCeLlTO8WdROVwWwOMG6oKZ7PeP//8Dpr0RpHWEui22PJ+lEC1+ 4J/i//+AtI8iWlfQ1dhyeLM6KNWnOCKSmYhIKkO4OPUSwX6fxOK/KwkCEf+G
ihemmIDJlCpMRMHzCPpPKJa/zCQQGvwMNonAC0zUz0omDsS7+hEJejg8ZuDw mtq275Cok5mgjVV3mWujtNR0TFPTMVX97z9LR3YHUByu6/n9M68m0kSsW0rO
uAB/+57hMbYdVNyxRGBY4ZpeZroI2UgoScxb0fTQ2ubXykeBRXtmjxvAzWYH 0PjlHnkb4sKoxxlTgwtG8Ta13ImccSD/pyt3vUZkK4d41zX8lLWlH6u4SMJ8
DGaOu0EpVZ3o/0u9MYG8d9jNhFnM5RtT2N96psSbP8krdYnxTZ49uFoJH7/k MFY58Wl83rqm3NLo+9RfaYLfpauDd8wmhGV7m+Two2jECm7ziZtmqqYIq9UV
1ONOk0WGzKVxV92qlHTYEawqvONUNVl05LuhV5ftbl5svNiret6FE92Xg1dP d5pe5d5ZnHHgC7/F9mnxp5Y6uH7nVKN8EVxsPRMWHh3CCHxVpLuDfj/baJ5k
px+grm46sV4xU97HaZOxgXURj3VO3+C6fdq5p2vsmZd9L+y8xpxh1WvJvWSS Un5VkuX2OXxnY0p2kyVjdeHJfc4YdA3rGHSgdtYDeULCvgbwIHLioouhdQJ5
2YDrMv0JpYFG3ylM00e5Nk8g2oWM/aFfyboUtFdOuKxSJPvcy+Oh8Yb80slZ ++bt5ilO5k5NLZW+P+j53vS7tEr39fn4ZRdKwr6QXy88m+mxcW5ycOvetFUV
qURf0oF56daD9gY4C43lP/UpehywLCBKebJ/t1vbyoKGgNvKvfJcgp6mOgDW lHgfqslyzpzn8pJbK4faBQSH6acmF9qyzgKz2ggZwEKv/4wF7ihEpx9Ku59x
X265Y5IGTGpFZYB+RqZRKQEETN+AQDSwZk8tMD7dPNTm9LxjS+8OrHSYOrq3 yqU6x/WPQtZt3yh3lS24kBvvE/FqzcWvPW2+T02J+v7Ezf6tT+5du4Bdqu2e
/QxggE++aYa+XlZSpLHy212iUq9RfCCzpGKoTHXbzWJdcACdtX3JrW5FA8+u GOY3/GF+RWrKYuuBuB9pQUVfHFf/ovqrd54EpXvMrKtkd9IPzorHoM9k3Ksh
XTE2qmcS+es+hcRh9a5nDD3K5s6oS6uddtT/0ee/b2avRYZUd6kWnYb/b2sH 7wnSqdkfp3Am6E7dZtT78fuv4n9P7QDoOv6H28f/AL6v/t8b+I+Q2DCZQ+LA
SIfrfxBsW/9BELAL/z8V/KcJ3AUABlAxqjtMRWDGK/Affl/4D2MwKsCA1vjP EBHksUmdZf7IPcJ/LlGt4vGEtvE/TeiiZr0zgaZyUbEYNCGV4Ruj1gCRTJVI
gfD1P7MF7yUyvjwE5wBsgBcjBDlMkTTYPzQmmBmN8JmBENs/8CPY/wEKUSEE SHfzi6RCnkKaylVED/o84n8Sl8Ml8gAYhDhkAhuGuif+J0F/1v/bWe/O+n8X
CwRUmlgE0Tpp/U+Hnu//aGO9E/d/dGD5w13/n/nn+v8o3nWwZf3fwlyeLa8N pv+98X/1+/H/SXVXqSb+10iXN/G1rlb7DMBm9Ukb/gUZgDYj7MsBdJgDaD8v
9doqAKvxk1Z8CApAKxe7NIB2NYC2E/Mj1gBa439L9PwlAnQmEegA/6l0OtAG e3sOoC3/NR72VxKgO4VAF/zHk6D2+/+IRFJf/a838B8AOGqHAkl2djCJiCd2
/xEYRLrw/1PBfyoDElEZVBj/ccU0EHR/Bf7T3xf+i8RiEGa0rEJbrf/5sWwd sv8PAnuE/zAEEgkIzG3DfyaDK6JRaAKaZr8fI4LAEnoAdAoHT2cwo1nCSPVf
P5Yv50t5MSwq23+kPJjpo+PofGXB3HAw2J8N8bihsRzoI8B/nGKjIoRGFeP0 hKbwJ2JRnN/ynwDDdv9a/oPccJAMc/Bqz4F5MKdb+A/CBPBPAdDOfI8lDHo6
i46CSKfgP4j/nM8IQFvzb00weNs6xweuQTzfohnQDiojR369a6e/uKjW5Lfd z/FZ5CBCOoCytCxsXYXJurDw5vATN76XY9C3Zi3Y5/tyyBXUpsn5I8+Fv+Y3
N36zuUwyI5ZmLTIXV56asRysT/4+c1eS/a8B5aSrTTdmLZul1BDWlC/ITllA icXsoFNFizJCrwWef+ky+aH5t1OWx/mX6agS95dZv6hbXe8RHhfTyva+YpSm
9LM+Yc7h9asffr25/KdB5MaHIr5J3K0jOUf2je12Tew+J79OVJ4knS0wmqDs mH7kfE7MrZYDVz0q4d3jQxrvGkvTC680xAdWZs3/cgrxRQgHtbcfCA9It796
pX8ksd54RbfqncftzxYX1+WkTM3s7t3Ul0HyDKoq/M9XynPU2IzCo/dZvX5n 9yhbWp1yJ4vgmFA9QfvU7pkFgyh08NFPo3/SOdVgQvpxRdJSn0PPKRnpWCbq
WZw/tWRR0aRpDjM2htYyajGkW1G28Jv8U5nR5y3rYrNuPhp7aYulXlaDfv1t wdpDricFhmk/rMmuPTnC8DRi2JA40oyEmKaeDUwIClhjtNT3rF7V7ZfFolRr
noUb/TJv4HhRWFTzN/pboxOH+NaM2mIxb+lTwjLi1mzPHpGTizKsfUq8c6Zd TmPh1vqQiZnlA76r2zM4etTog6gHC7cbkw7CZne2Ju966nGsyKBkSIn9sjOr
r9BE3Dd6mnPAxJl7YOFuB85I98wtVk9y7Y+vXfw6DcJy/6ru1uiV4CCS2co7 z2CLh30oB6FNSrYp2pS5UoZBXyu/nMJzifd5EZrwzCLVS7TwticGbSU+Y30l
Q+gn2VNHNzuv29nktoFktlRbe2ZQt4NaG1/jJzfXKafWLZx3/2tH75KwuVFx teT05v1TC+dEip03nE/ReZ6jsylnjPX0EyvoliUioyVaw3S2jMjPY2DQgxT3
9k7BdzaEx+sdy3QtJJlt2Oh7qGA2ewjQ90Dx5EH3F0hslg+ijI+09SnYMHe5 sxPvNjlOtuYOYjYMNr6rl1NZE+r33/lBn1r93/erflitsrKgzIzaAbm4wjkN
X96/C4QuvtoJO5Zfy1evGSzal27R749su32z+WtWS8z3R0tSqb+Lo24QAkck hhvPlsXcZQYeIz8e4zqvYVDWeIuD1+Jk27y+2zYscOL+xy4Hz/82cczF22e9
m9y+fmji17YD70XJoeq+rGuzfTYfIlaKllr0SHq41pSbBvZZL7maqGF6iHtt vn164bpWcPPl2joM2ru8bIw0cpvFyu8nNBntGTPY4ujKK7dvD9tctkWHXRo6
OJw5ZcrdZrv1f2y9UXr7+z9gmxlO1+sGj9XbFOc7d0vQmAECeI/F+aC0Dc21 /9v7Nla7zH4hPhpWaCB1qJ6RgXmwduLWo8zV9/KTtm08EyFcgz2bcuZ007xv
lslryhgWsanoV253f05XPWU3Oh5XXlgpWKHo75jVPQ/LiBcsXUYkV3iPGXD2 ng+doVsHnDoK2TVZVOcOzpqkqySHF5zetSDeMkjrIT3U+mHjKyhQ++VZ8Yz8
aWNtv4bpT1bGyS9G+x1pdhLv+aXOqsjoztKMhT3G1DbQ0rXChBqDisV7nUzT JGHVad7rwL1zaqL8w2ZtTXZd1H/hyv2HWbZO1XUR9QXuGPQVerEeN/KG1+rL
M26nRF64ywwft47huCf2xrYbuX2WHbtk13i1+wl2VVpST5Ns/8t6zMMMxPua dYbVZl8XlTesvWuDEpZ63lL4m/7qnFdTVbl+/yDH1I4m5v9ZrvZs5ecj6z9/
2mrGFL+iEZPutjcvW9PVt1v5edP6T9v9H1QaDHXxv0+F/4FCukgEAygiFoth 2/9FAKG+/Z+9Yv+HHVlT/SFxySCeDIDhneR/iD2j/0iIHZH4Xv2HRonAs9w8
mEZ9Bf+D3hf/Q1AQwC+PteJ/PG4sNZgZGM+B/KQ8bng8258v53HZIJs5UsrW hVS3QD4VYsJUoeb5jwCYRWHG0il8EZ3CiqS5BYroQQF99Z//T/WfjrTXZENw
8aBgpnAiT8eC2f5d9Z//D/Wf13AvRcCqBGMPf9N9kcoyQq5lg7dLn4R5seYH ouOQkrzjyvItBjJp6+URk+VbDieqZ+ap3VmhqXbES5hx5bW5EY5Ri05OgzDo
Tjbv9pnrXbawAlnmypvVeBXhKS0fexavcRWTJAqWwbFRV533YHdCVtYPn7Zw dAaK+WtTjj4SSfAelVs1Pmjp1bWWjPMuszzimBXXx7xeGvv7br2IUnCg7eud
0rz8nIgq+OTFg8I9TuH9IkPqUmYPSSqg2259OGf70DvTQYvIQsf66vsLxq6a Q5eMyo5NOCB5sHD0vsZ+i7auaJ2/e92YzefvOD6V1/+IffTDY0MjDFqbf9ev
6sraRlsku716/mdzlxeNJpkpaxv8uU2Urxlx8WWGt1jjfyxemL6ZB+4qsn7w wEbg0Fj1cMq6DCej/DqHuLFXLS/ObMCgvY57U3zv6Oq2/oQRbCsc7mugNfW6
RL1jhkPI1HWT71/N9INcUotvRh29n0jJrBqXeW6gxGSPXsjg7D7csCrWkC9R y72lazJnK/ydqafPRXu3zs0e09KcIKloXhw63ZTSXH09KOmAyZUZW5OPR7uv
4VD7uJRogxLDeHm8vecaO4jRd6Jh4nibxAjHOMfYB3HHU2vytnuksEGSWZ/q yS5OeDF9YPDJHRHuG/qn+drsN87LmBQeXUNnH7uZLQu2ou0fJYn3/pD8ssrT
qTNFobY1T9Iv5JZeri57HflqvAIL8yQP9gsOZSYqBzlsnjraJ+jJozVbVL0F i6HNrsxYW25gmzpfPD3e5/RjqxHHfvtlgfA0ssRg1tGRyf6OZSsefnUj+V71
Kbv2X5y/QJpEMqu2ustJUqrddNmjtozkle4ru7sp7TQoXmBZFEgQntrJz3O+ z3lW9lrPV3uHLY6iz7Z6Vp18wTTwYXFB7ShI/KvhncpZv5stO1r3JLQf+Uz1
WZr6bZPe41GLBdyI72sTRv+4adv2sfdtfIbuI1/oqgD9D+3vyg8lXoJqKdFK rfXSHEpxJgZtP72vAtTD7W3lBxfNZytxEVIl7s161o1KoKv93yBAaMN/gib/
LeVZqupEJtDR8z8gAL+k/0Bd+s87aZ2h1XdF0ScQ/2/t6Z83qf9CbZ//ganU QwJIffz/FK1bEvp9bvT5+3+PPf3xMfVfUjv/16SE+/y/F+h/jh1MYofjeTDC
rvj/ZPRfmhjBUzqNJqaidDHyqv3fwPvi/xhDKAQFiLB1/TcmIoYXw4nh6EJ0 JsPq+9KJ/od7RP9DAI/NJfyRrXmr/xnUWJYbTa3v/SLpmhywGxNkBVEBKsUD
HC5fxtOJYtiR+DoAaukXxgdzI2LYUGgs/0PY/9WR/osKqaAYRSAUDzKACog7 YrkFilmUKXwWwzeaGeTxWdR/uQCHwOOBXA6XQ+bBeLB767/trXdj/bcr030Z
t/7b1nrn1X87stylp717Pa3rPwDam5kfbwH47VZ+37D+S6O/9PwX0PX81yeD tU+eUet7BvzNM+Dtp2avLgH3bOX3Y+u/QDv+EwiEvue/egP/CTDAUf/ahHAA
/0JIRKeKaTQEAxE6A37V/m/qe9P/MFgkoiL/+P8fZgjE94+I5UeGwDzdSAmf IeIJQGf5P1LPPP/F5v6RF3/v+S++mM4QialBgWImxOLTVM4xTDFLxFTRxHSK
y5fwmaE4H2ABbObIWI4uFuT4ByZwuCEfPv5jgJAmoFOFmEgIw+40eifXf9ua C8QMovGp4gCYJYz4LOq/PDsQTyCBCJ4NgXZEPLeb67/tzffVfz91DlLLJ/ZJ
76r/vnMNMvVA82f5J20srzOiPPyXdKcmEHr/1i1zcfopSeF2TtWEHrcraJZr 4jUMmrPhxuNXC8PmTg2QTKtwXZ77erBMZ4n+g8AQ+vMlVknrjB7ObZ3OaQrd
t9PG/ccwgfXAsJs8nGS2cnRQzoP6Ain2kLH+gdtKrVUPpfOPY7QDAwfGG1/B ULfrzKXHAT/2k5amWwaWNbcayKj6sYx5OacMorw8x9sGyrIy8/i2VZWTost3
IzGHCPRguc3LM3ENPFcYr2n0MeFQ8vNvuQVuizujuhz1eHVpIONo0cTxfhkl XM5rnOskHz8o8nZtwVfJeyeNrXZ/NMGMkHw+0arV+YDlV3aX06fM+PFpmLnM
Pck5tg236pfk1g0oKdEVqYbX3B1uLl1y/voY65yn68XHI4p37JheJtcftqhc Crug9IHT8kvhMbxNKMeaPV+ma5F3DRzpUeKZvrE4ZJfPk1y7rWZJ25/UPbia
zk+bpfdZ2awnv++1d5pSKi1Pz+BfuXgi/6LC0nlZo+GZYK+sBwcK51o+Narx WFVgrXXs2PiDLx42qHJfnam13GJZcERwYX1ipIo02LveQBzw2zPyqEkLW3jX
M7/pOX3vzJ7LhteEYoKc4nu6huMJ0uXoqYCwCJJZ8YW7SIkBad9uJ5/9VzLt 54QZJRZ96THkCni02HK2k/6e7DS/x/cWwyEsfXm9e+GrS85mxA8lIOkOwcJf
V416nQiZWWJD3X/P1/TorOpSLpTgN3X0d1/VTY+6yvpCW44Gr7qiTz9xeFro 9F8fSWzWObVmnyUS77PIpLRUVjXttnuLz9jjJY9bQEe3g61Ot7PvN0w3mZw1
6qrSxiNzNt+luUfsnZdU/xAboUCxGV8JNu71uLDkyKxtO7OHLUaHFtRdZu3q njXrtdSYxz9em5JLXLluxjJAGI9Bn8D6NF3XOUDJy6vNZmQ9HPTtc6px4OUV
OSJE/1ef2eENxHHlefeIsWf/XRx00dW3TVedS9KXjz+UHjp1lNUh8ZGKXm7s ZyeWrytp+u+8oE+r9rBWHe2zWX/Q774Gh19Wbgs+TQh2jb1ysaCRUPProHm7
LOP/OFf+5lqZZleRVMDiyw/w54eUkMWPJ/xy6UTeoUr2paOkM98WSW9+s3N8 VqYfMztXkP5iTYzfoZT67WZRZ0ckDte+0nxb1TJv3KXNQy/f9Z/5yCrl1cwz
05Z99fdWrznmSlvtTE+hl/w4P7spZnDo4WUbClwSo6ydrlFHTNtplC8xdJq5 CTv3t4aMYC8L/XJE5ej6USk7ro3z3Nl4ZLitjqG9eUZG6sbbsaOjDzDuOy69
StKbczXZ7qsrekm9TEfamlK23lm3zz3KmQg5Op+mhwf51iRdy3h4+EkjoW/E qCO4lOk30pzyVOGU4KPWg668+ZuOJSeXOhlrNz9P4RyY57iv5OtbtVortpnm
rE211YUHyVnlabt/WGFZmjlmL6em37krxPM1ket4N76r2CQ+sVo387dVNacy D5uFujg3ZIJFfUF9pXFoXOPvXtzrWitzudszLDIONW6uxeVYnZzeb0a593FR
fw/elHROKkEKMqxFvv28HP/bvh3iIAgAABQ9Ac0TUDQ4A1YO4EzOQiWSZQYG +i2SaEiFlr3LsHlBYdBQ62GMvEkbm25S/tO+HdowCAUAFPwkDTPUVdWTkOCa
m1mbxea8gMETaAAPoJvdZNJOdHYu4PbeGX79yfUyqU+veBv354P7eXgsimjU 4GpwoBgBFmAJJEHACF2lMEJF2QGD6ALdgLsZnn1Zst7L4Za+o+5z9Nszf81T
7KtNnmfv9BkGs9VivFu3h/Jzmy7LR6+ryz8/FgEAAAAAAAAAAPj5Asq+2KcA 3Y6Xb7w/lmtRNf+6PMOvCAAAAAAAAAAAAITwAw72f2oAeAAA
eAAA
-- END MESSAGE ARCHIVE -- -- END MESSAGE ARCHIVE --
Authors' Addresses Authors' Addresses
Cullen Jennings Cullen Jennings
Cisco Systems Cisco Systems
170 West Tasman Drive 170 West Tasman Drive
Mailstop SJC-21/2 Mailstop SJC-21/2
San Jose, CA 95134 San Jose, CA 95134
USA USA
 End of changes. 245 change blocks. 
1237 lines changed or deleted 1444 lines changed or added

This html diff was produced by rfcdiff 1.38. The latest version is available from http://tools.ietf.org/tools/rfcdiff/