Network Working Group                                        C. Jennings
Internet-Draft                                             Cisco Systems
Intended status: Informational                                    K. Ono
Expires: December 16, 2010                           Columbia University
                                                               R. Sparks
                                                         B. Hibbard, Ed.
                                                                 Tekelec
                                                           June 14, 2010

  Example call flows using Session Initiation Protocol (SIP) security
                               mechanisms
                    draft-ietf-sipcore-sec-flows-02
                    draft-ietf-sipcore-sec-flows-03

Abstract

   This document shows example call flows demonstrating the use of
   Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
   Extensions (S/MIME) in Session Initiation Protocol (SIP).  It also
   provides information that helps implementers build interoperable SIP
   software.  To help facilitate interoperability testing, it includes
   certificates used in the example call flows and processes to create
   certificates for testing.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2010.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Certificates
     2.1.  CA Certificates
     2.2.  Host Certificates
     2.3.  User Certificates
   3.  Callflow with Message Over TLS
     3.1.  TLS with Server Authentication
     3.2.  MESSAGE Message Over TLS
   4.  Callflow with S/MIME-secured Message
     4.1.  MESSAGE Message with Signed Body
     4.2.  MESSAGE Message with Encrypted Body
     4.3.  MESSAGE Message with Encrypted and Signed Body
   5.  Observed Interoperability Issues
   6.  Additional Test Scenarios
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Security Considerations
   10. Changelog
   11. References
     11.1. Normative References
     11.2. Informative References
   Appendix A.  Making Test Certificates
     A.1.  makeCA script
     A.2.  makeCert script
   Appendix B.  Certificates for Testing
     B.1.  Certificates Using EKU
     B.2.  Certificates NOT Using EKU
     B.3.  Certificate Chaining with a Non-Root CA
   Appendix C.  Message Dumps
   Authors' Addresses

1.  Introduction

   This document is informational and is not normative on any aspect of
   SIP.

   SIP with TLS (RFC 5246 [14]) implementations are becoming very
   common.  Several implementations of the S/MIME (RFC 3851 [9]) portion
   of SIP (RFC 3261 [3]) are also becoming available.  After several
   interoperability events, it is clear that it is difficult to write
   these systems without any test vectors or examples of "known good"
   messages to test against.  Furthermore, testing at the events is
   often hindered due to the lack of a commonly trusted certificate
   authority to sign the certificates used in the events.  This document
   addresses both of these issues by providing messages that give
   detailed examples that implementers can use for comparison and that
   can also be used for testing.  In addition, this document provides a
   common certificate and private key that can be used to set up a mock
   Certificate Authority (CA) that can be used during the SIP
   interoperability events.  Certificate requests from the users will be
   signed by the private key of the mock CA.  The document also provides
   some hints and clarifications for implementers.

   A simple SIP call flow using SIPS URIs and TLS is shown in Section 3.
   The certificates for the hosts used are shown in Section 2.2, and the
   CA certificates used to sign these are shown in Section 2.1.

   The text from Section 4.1 through Section 4.3 shows some simple SIP
   call flows using S/MIME to sign and encrypt the body of the message.
   The user certificates used in these examples are shown in
   Section 2.3.  These host certificates are signed with the same mock
   CA private key.

   Section 5 presents a partial list of items that implementers should
   consider in order to implement systems that will interoperate.

   Scripts and instructions to make certificates that can be used for
   interoperability testing are presented in Appendix A, along with
   methods for converting these to various formats.  The certificates
   used while creating the examples and test messages in this document
   are made available in Appendix B.

   Binary copies of various messages in this document that can be used
   for testing appear in Appendix C.

2.  Certificates

2.1.  CA Certificates

   The certificate used by the CA to sign the other certificates is
   shown below.  This is an X.509v3 certificate.  Note that the X.509v3
   Basic Constraints in the certificate allows it to be used as a
   certificate authority (CA).  This certificate is not used directly in
   the TLS call flow; it is used only to verify user and host
   certificates.

   Version: 3 (0x2)
   Serial Number:
       96:a3:84:17:4e:ef:8a:4c
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Validity
       Not Before: May 10 20:54:48 2010 GMT
       Not After : Apr 16 20:54:48 2110 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
           OU=Sipit Test Certificate Authority
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (1024 bit)
           Modulus (1024 bit):
               00:c6:4d:2b:8b:79:14:07:db:c7:61:88:98:4f:a2:
               7c:e3:61:80:fb:27:05:18:ed:3c:c9:0d:e5:f1:dc:
               92:4e:eb:ce:77:91:4b:e7:f3:68:60:b0:40:00:6f:
               74:5b:4e:1d:c9:97:c8:70:4a:66:fc:13:46:aa:d2:
               98:b0:3e:9a:86:de:3c:20:d1:0b:35:a2:2d:e6:92:
               e6:03:49:b0:db:4c:62:2f:59:86:94:20:69:69:7a:
               0a:16:5a:d5:01:a5:08:06:29:6e:85:a6:ae:a1:01:
               0b:f6:1f:53:c5:95:b0:6e:b0:b4:8d:0e:f9:e9:cb:
               5d:7a:44:21:14:ec:9a:a8:ad
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Key Identifier:
           38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
       X509v3 Authority Key Identifier:
           38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
           OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C

       X509v3 Basic Constraints:
           CA:TRUE
       Signature Algorithm: sha1WithRSAEncryption
   2f:08:4d:b4:01:9b:79:ff:af:c8:ce:e5:5d:30:3c:fa:99:3a:
   48:ba:1b:28:f8:7c:ea:d6:4a:17:85:82:e6:49:81:1b:24:bf:
   01:ff:fa:fc:55:12:2b:07:b8:c0:39:fa:10:73:88:59:56:b7:
   7f:96:01:30:af:89:0f:0a:6d:4e:ae:d8:04:ae:94:d4:67:78:
   2a:c4:36:86:4b:e1:4c:a6:6d:46:d9:2c:73:0f:da:fe:8f:ba:
   02:10:09:b7:1b:c6:13:a9:90:a9:02:15:60:61:32:79:c5:e8:
   2b:d8:e4:b1:ba:eb:c7:7f:19:0c:69:b1:c6:92:af:ee:1c:74:
   55:d5

   The ASN.1 parse of the CA certificate is shown below.

  0:l= 822 cons: SEQUENCE
  4:l= 671 cons:  SEQUENCE
  8:l=   3 cons:   cont [ 0 ]
 10:l=   1 prim:    INTEGER           :02
 13:l=   9 prim:   INTEGER           :96A384174EEF8A4C
 24:l=  13 cons:   SEQUENCE
 26:l=   9 prim:    OBJECT            :sha1WithRSAEncryption
 37:l=   0 prim:    NULL
 39:l= 112 cons:   SEQUENCE
 41:l=  11 cons:    SET
 43:l=   9 cons:     SEQUENCE
 45:l=   3 prim:      OBJECT            :countryName
 50:l=   2 prim:      PRINTABLESTRING   :US
 54:l=  19 cons:    SET
 56:l=  17 cons:     SEQUENCE
 58:l=   3 prim:      OBJECT            :stateOrProvinceName
 63:l=  10 prim:      PRINTABLESTRING   :California
 75:l=  17 cons:    SET
 77:l=  15 cons:     SEQUENCE
 79:l=   3 prim:      OBJECT            :localityName
 84:l=   8 prim:      PRINTABLESTRING   :San Jose
 94:l=  14 cons:    SET
 96:l=  12 cons:     SEQUENCE
 98:l=   3 prim:      OBJECT            :organizationName
103:l=   5 prim:      PRINTABLESTRING   :sipit
110:l=  41 cons:    SET
112:l=  39 cons:     SEQUENCE
114:l=   3 prim:      OBJECT            :organizationalUnitName
119:l=  32 prim:      PRINTABLESTRING  :Sipit Test Certificate Authority
153:l=  32 cons:   SEQUENCE
155:l=  13 prim:    UTCTIME           :100510205448Z
170:l=  15 prim:    GENERALIZEDTIME   :21100416205448Z
187:l= 112 cons:   SEQUENCE
189:l=  11 cons:    SET
191:l=   9 cons:     SEQUENCE
193:l=   3 prim:      OBJECT            :countryName
198:l=   2 prim:      PRINTABLESTRING   :US
202:l=  19 cons:    SET
204:l=  17 cons:     SEQUENCE
206:l=   3 prim:      OBJECT            :stateOrProvinceName
211:l=  10 prim:      PRINTABLESTRING   :California
223:l=  17 cons:    SET
225:l=  15 cons:     SEQUENCE
227:l=   3 prim:      OBJECT            :localityName
232:l=   8 prim:      PRINTABLESTRING   :San Jose
242:l=  14 cons:    SET
244:l=  12 cons:     SEQUENCE
246:l=   3 prim:      OBJECT            :organizationName
251:l=   5 prim:      PRINTABLESTRING   :sipit
258:l=  41 cons:    SET
260:l=  39 cons:     SEQUENCE
262:l=   3 prim:      OBJECT            :organizationalUnitName
267:l=  32 prim:      PRINTABLESTRING  :Sipit Test Certificate Authority
301:l= 159 cons:   SEQUENCE
304:l=  13 cons:    SEQUENCE
306:l=   9 prim:     OBJECT            :rsaEncryption
317:l=   0 prim:     NULL
319:l= 141 prim:    BIT STRING
  00 30 81 89 02 81 81 00-c6 4d 2b 8b 79 14 07 db   .0.......M+.y...
  c7 61 88 98 4f a2 7c e3-61 80 fb 27 05 18 ed 3c   .a..O.|.a..'...<
  c9 0d e5 f1 dc 92 4e eb-ce 77 91 4b e7 f3 68 60   ......N..w.K..h`
  b0 40 00 6f 74 5b 4e 1d-c9 97 c8 70 4a 66 fc 13   .@.ot[N....pJf..
  46 aa d2 98 b0 3e 9a 86-de 3c 20 d1 0b 35 a2 2d   F....>...< ..5.-
  e6 92 e6 03 49 b0 db 4c-62 2f 59 86 94 20 69 69   ....I..Lb/Y.. ii
  7a 0a 16 5a d5 01 a5 08-06 29 6e 85 a6 ae a1 01   z..Z.....)n.....
  0b f6 1f 53 c5 95 b0 6e-b0 b4 8d 0e f9 e9 cb 5d   ...S...n.......]
  7a 44 21 14 ec 9a a8 ad-02 03 01 00 01            zD!..........
463:l= 213 cons:   cont [ 3 ]
466:l= 210 cons:    SEQUENCE
469:l=  29 cons:     SEQUENCE
471:l=   3 prim:      OBJECT            :X509v3 Subject Key Identifier
476:l=  22 prim:      OCTET STRING
  04 14 38 ad 80 84 e2 e0-16 6b 93 9f 89 f8 46 51   ..8......k....FQ
  67 2c da 8d 80 9c                                 g,....
500:l= 162 cons:     SEQUENCE
503:l=   3 prim:      OBJECT            :X509v3 Authority Key Identifier
508:l= 154 prim:      OCTET STRING
  30 81 97 80 14 38 ad 80-84 e2 e0 16 6b 93 9f 89   0....8......k...
  f8 46 51 67 2c da 8d 80-9c a1 74 a4 72 30 70 31   .FQg,.....t.r0p1
  0b 30 09 06 03 55 04 06-13 02 55 53 31 13 30 11   .0...U....US1.0.
  06 03 55 04 08 13 0a 43-61 6c 69 66 6f 72 6e 69   ..U....Californi
  61 31 11 30 0f 06 03 55-04 07 13 08 53 61 6e 20   a1.0...U....San
  4a 6f 73 65 31 0e 30 0c-06 03 55 04 0a 13 05 73   Jose1.0...U....s
  69 70 69 74 31 29 30 27-06 03 55 04 0b 13 20 53   ipit1)0'..U... S
  69 70 69 74 20 54 65 73-74 20 43 65 72 74 69 66   ipit Test Certif
  69 63 61 74 65 20 41 75-74 68 6f 72 69 74 79 82   icate Authority.
  09 00 96 a3 84 17 4e ef-8a 4c                     ......N..L
665:l=  12 cons:     SEQUENCE
667:l=   3 prim:      OBJECT            :X509v3 Basic Constraints
672:l=   5 prim:      OCTET STRING
  30 03 01 01 ff                                    0....
679:l=  13 cons:  SEQUENCE
681:l=   9 prim:   OBJECT            :sha1WithRSAEncryption
692:l=   0 prim:   NULL
694:l= 129 prim:  BIT STRING
  00 2f 08 4d b4 01 9b 79-ff af c8 ce e5 5d 30 3c   ./.M...y.....]0<
  fa 99 3a 48 ba 1b 28 f8-7c ea d6 4a 17 85 82 e6   ..:H..(.|..J....
  49 81 1b 24 bf 01 ff fa-fc 55 12 2b 07 b8 c0 39   I..$.....U.+...9
  fa 10 73 88 59 56 b7 7f-96 01 30 af 89 0f 0a 6d   ..s.YV....0....m
  4e ae d8 04 ae 94 d4 67-78 2a c4 36 86 4b e1 4c   N......gx*.6.K.L
  a6 6d 46 d9 2c 73 0f da-fe 8f ba 02 10 09 b7 1b   .mF.,s..........
  c6 13 a9 90 a9 02 15 60-61 32 79 c5 e8 2b d8 e4   .......`a2y..+..
  b1 ba eb c7 7f 19 0c 69-b1 c6 92 af ee 1c 74 55   .......i......tU
  d5                                                .
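
   As an added illustration (this code is not part of the draft), the
   Python below decodes three extension values from the parse above:
   the Authority Key Identifier at offset 508, the Subject Key
   Identifier at offset 476 and the Basic Constraints at offset 672.
   It shows that the CA certificate's authority key identifier equals
   its own subject key identifier and where CA:TRUE comes from.  The
   function names are this example's own; the bytes are transcribed
   from the dumps.

```python
# Added example, not part of the draft: a minimal DER reader (standard library only).
# The byte strings are transcribed from the OCTET STRING dumps at offsets 508, 476, 672.
AKI = bytes.fromhex("".join("""
30 81 97 80 14 38 ad 80 84 e2 e0 16 6b 93 9f 89
f8 46 51 67 2c da 8d 80 9c a1 74 a4 72 30 70 31
0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11
06 03 55 04 08 13 0a 43 61 6c 69 66 6f 72 6e 69
61 31 11 30 0f 06 03 55 04 07 13 08 53 61 6e 20
4a 6f 73 65 31 0e 30 0c 06 03 55 04 0a 13 05 73
69 70 69 74 31 29 30 27 06 03 55 04 0b 13 20 53
69 70 69 74 20 54 65 73 74 20 43 65 72 74 69 66
69 63 61 74 65 20 41 75 74 68 6f 72 69 74 79 82
09 00 96 a3 84 17 4e ef 8a 4c
""".split()))
SKI = bytes.fromhex("04 14 38 ad 80 84 e2 e0 16 6b 93 9f 89 f8 46 51 67 2c da 8d 80 9c")
BASIC_CONSTRAINTS = bytes.fromhex("30 03 01 01 ff")

# Attribute-type OIDs that occur in the example certificates' names.
ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
        "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos; reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled here")
    pos += 2
    length = first
    if first & 0x80:                     # long form: low 7 bits count the length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("length is not minimally encoded (not DER)")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def colon_hex(b):
    return ":".join(f"{x:02X}" for x in b)


def dir_name(name):
    """Render the content of an X.501 Name SEQUENCE as /K=V/K=V."""
    parts = []
    for _, rdn in children(name):            # SET per RDN
        for _, atv in children(rdn):         # SEQUENCE { type, value }
            (_, typ), (_, val) = children(atv)
            parts.append(f"{ATTR.get(oid(typ), oid(typ))}={val.decode('ascii')}")
    return "/" + "/".join(parts)


def parse_aki(ext):
    """Decode an AuthorityKeyIdentifier extension value into its three fields."""
    tag, seq, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("AuthorityKeyIdentifier must be a single SEQUENCE")
    out = {}
    for tag, val in children(seq):
        if tag == 0x80:                      # [0] keyIdentifier
            out["keyid"] = colon_hex(val)
        elif tag == 0xA1:                    # [1] authorityCertIssuer (GeneralNames)
            for gn_tag, gn in children(val):
                if gn_tag == 0xA4:           # [4] directoryName, explicitly tagged
                    out["issuer"] = dir_name(read_tlv(gn)[1])
        elif tag == 0x82:                    # [2] authorityCertSerialNumber
            out["serial"] = colon_hex(val.lstrip(b"\x00") or b"\x00")
    return out


def keyids_match(aki_ext, ski_ext):
    """True when the authority key identifier names the certificate's own key."""
    return parse_aki(aki_ext)["keyid"] == colon_hex(read_tlv(ski_ext)[1])


def is_ca(ext):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }"""
    tag, seq, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("BasicConstraints must be a single SEQUENCE")
    fields = children(seq)
    return bool(fields) and fields[0] == (0x01, b"\xff")   # DER TRUE is exactly 0xFF


if __name__ == "__main__":
    print(parse_aki(AKI), keyids_match(AKI, SKI), is_ca(BASIC_CONSTRAINTS))
```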

2.2.  Host Certificates

   The certificate for the host example.com is shown below.  Note that
   the Subject Alternative Name is set to example.com and is a DNS type.
   The certificates for the other hosts are shown in Appendix B.

   Version: 3 (0x2)
   Serial Number:
       49:02:11:01:84:01:5e
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
            OU=Sipit Test Certificate Authority
   Validity
       Not Before: May 11 20:22:56 2010 GMT
       Not After : Apr 17 20:22:56 2110 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit, CN=example.com
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:d1:da:2d:b3:77:42:5f:00:99:1e:f4:b6:6c:51:
               51:bb:0b:20:b3:f9:c7:93:97:ff:02:ac:81:92:d5:
               a1:1c:c9:24:16:46:59:d1:92:1d:0d:bf:66:3a:66:
               c6:5c:aa:3b:07:21:bf:45:40:63:94:20:30:81:e3:
               5f:aa:e6:c7:60:aa:6c:22:8f:47:64:94:9a:71:b1:
               18:51:2e:81:e9:a3:32:64:b4:38:f4:35:eb:da:3f:
               6f:82:f1:7a:4d:dc:e1:c5:e3:05:1b:c1:78:83:48:
               d4:64:6e:98:4b:4e:ce:85:7f:0d:62:5d:1b:8a:72:
               c1:9d:bd:85:dc:37:f0:a7:c1:cc:60:ad:b7:39:cb:
               20:ff:89:9f:65:06:35:93:5b:61:d0:04:1b:a3:d4:
               70:57:d9:d5:c0:52:f4:70:0d:ca:f6:0a:42:8b:52:
               47:e2:a1:cb:0e:17:9d:d6:ea:41:e5:6a:5a:29:a8:
               11:af:52:65:a4:79:8e:4f:ef:fc:ec:a7:3a:ca:56:
               45:b7:87:dd:e9:c7:f9:b7:f7:e8:12:f8:b5:a2:08:
               ce:9e:c4:cc:70:85:a6:e9:d3:cc:76:6d:11:67:b0:
               00:14:a0:55:a6:63:36:fa:c2:e0:bd:45:3c:14:b0:
               ed:88:f6:19:14:d6:c3:a2:79:ca:be:69:52:d0:78:
               f1:fd
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Alternative Name:
           DNS:example.com, URI:sip:example.com
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
           AC:96:21:E6:54:7D:E7:1E:A1:F1:58:86:D9:5F:AD:CB:DC:F1:66:92
       X509v3 Authority Key Identifier:
           38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
            OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C

       X509v3 Key Usage:
           Digital Signature, Non Repudiation, Key Encipherment
       X509v3 Extended Key Usage:
           TLS Web Server Authentication, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
   52:ae:66:df:55:1d:99:3c:9e:17:09:3d:4a:59:19:88:8f:df:
   ee:2b:75:ca:c5:b3:36:ce:37:10:5f:6f:0e:f2:4f:2a:62:34:
   19:5c:7a:3e:a3:cb:99:ae:a7:7c:a6:34:59:a7:43:a3:dc:ef:
   e5:80:86:3f:21:21:95:5b:74:4c:23:e3:1e:1d:14:43:86:48:
   b9:f5:c9:f0:a9:48:a3:1e:52:91:56:d5:ed:b2:56:52:8f:f4:
   02:e8:4c:80:83:e6:0c:aa:e0:d6:b0:5c:75:d2:90:39:52:8b:
   b5:48:dc:68:bc:e5:5c:5c:dd:43:34:af:14:3a:85:60:a3:46:
   17:69

   The example host certificate above, as well as all the others
   presented in this document, are signed directly by a root CA.  These
   certificate chains have a length equal to two: the root CA and the
   host certificate.  Non-root CAs exist and may also sign certificates.
   The certificate chains presented by hosts with certificates signed by
   non-root CAs will have a length greater than two.  For more details
   on how certificate chains are validated, see section 6.1.4 of RFC
   5280 [15].

2.3.  User Certificates

   User certificates are used by many applications to establish user
   identity.  The user certificate for fluffy@example.com is shown
   below.  Note that the Subject Alternative Name has a list of names
   with different URL types such as a sip, im, or pres URL.  This is
   necessary for interoperating with a CPIM gateway.  In this example,
   example.com is the domain for fluffy.  The message could be coming
   from any host in *.example.com, and the AOR in the user certificate
   would still be the same.  The others are shown in Appendix B.1.

   These certificates make use of the EKU extension discussed in Draft
   SIP EKU [16].  Note that the X509v3 Extended Key Usage attribute
   refers to the SIP OID introduced in Draft SIP EKU [16], which is
   1.3.6.1.5.5.7.3.20.

   Version: 3 (0x2)
   Serial Number:
       49:02:11:01:84:01:5c
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
            OU=Sipit Test Certificate Authority
   Validity
       Not Before: May 11 20:22:55 2010 GMT
       Not After : Apr 17 20:22:55 2110 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
            CN=fluffy@example.com
   Subject Public Key Info:
       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:d5:9d:cf:3e:bd:83:4e:2d:df:c9:bf:86:57:cf:
               0d:26:a9:e9:08:35:45:e7:5f:ae:a3:5d:60:d1:3c:
               2f:6f:db:92:49:fd:05:12:68:6c:d9:ca:66:2d:02:
               e2:20:8a:8a:10:0a:a1:db:ee:b3:6b:c5:39:e6:4a:
               49:b1:41:00:f3:f8:91:07:17:83:40:a6:bc:68:99:
               a6:32:08:4f:4f:34:64:ae:9f:b1:0f:9c:d5:14:96:
               fb:40:62:84:85:b7:ba:38:29:cc:1d:ba:19:83:d9:
               59:21:ba:1e:4b:04:53:f6:aa:a6:68:4d:9a:5f:36:
               90:4d:ae:01:df:58:f2:89:ec:51:c9:a1:20:65:a9:
               de:5c:c9:f3:57:7f:76:56:0d:23:fc:d6:26:e7:01:
               25:75:2a:e4:26:3b:df:db:35:61:02:0c:0f:14:68:
               18:70:13:d6:41:0a:a4:d1:5b:99:7b:32:60:78:7b:
               a8:95:71:80:b5:df:63:fc:ca:f4:9e:f7:a5:a0:0c:
               13:6d:55:ad:17:9d:34:f2:80:66:03:86:a0:a7:83:
               52:0e:ea:b7:49:ea:75:e4:c9:d8:b7:72:37:dd:30:
               b1:33:d4:56:26:e8:33:70:c5:97:db:ba:63:89:3f:
               9c:65:45:51:18:a8:fb:96:14:09:f0:8e:55:01:f7:
               ad:99
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Subject Alternative Name:
           URI:sip:fluffy@example.com, URI:im:fluffy@example.com,
              URI:pres:fluffy@example.com
       X509v3 Basic Constraints:
           CA:FALSE
       X509v3 Subject Key Identifier:
           DD:D5:75:00:3E:4C:15:7C:9C:49:C0:07:10:CB:CA:4E:07:A1:CE:4F
       X509v3 Authority Key Identifier:
           38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C
           DirName:/C=US/ST=California/L=San Jose/O=sipit/
            OU=Sipit Test Certificate Authority
           serial:96:A3:84:17:4E:EF:8A:4C

       X509v3 Key Usage:
           Digital Signature, Non Repudiation, Key Encipherment
       X509v3 Extended Key Usage:
           E-mail Protection, 1.3.6.1.5.5.7.3.20
       Signature Algorithm: sha1WithRSAEncryption
   9c:c5:bc:04:88:81:19:35:2b:ba:be:d4:02:8d:41:25:45:95:
   8b:cf:f6:a4:95:bc:5b:d8:eb:87:6a:48:29:34:6c:ef:87:e0:
   e3:73:ca:3a:dd:a3:d2:d6:74:5b:cc:00:7f:28:fc:e4:07:b6:
   5c:e8:72:ea:ee:7d:40:99:58:26:b0:7d:5b:0d:36:e2:9e:b1:
   40:8d:fc:af:f0:f2:60:d8:36:46:7e:a8:fa:2a:47:52:35:71:
   11:ab:ec:fb:28:cf:fa:1d:a9:5d:8b:72:29:67:1d:be:fb:e3:
   bd:5d:c9:57:6d:75:d5:40:b5:77:52:69:b6:c4:1f:ec:03:60:
   1e:a1

   Versions of these certificates that do not make use of EKU are also
   included in Appendix B.2.

3.  Callflow with Message Over TLS

3.1.  TLS with Server Authentication

   The flow below shows the edited SSLDump output of the host
   example.com forming a TLS (RFC 5246 [14]) connection to example.net.
   In this example mutual authentication is not used.  Note that the
   client proposed three protocol suites including
   TLS_RSA_WITH_AES_128_CBC_SHA defined in RFC 3268 [5].  The
   certificate returned by the server contains a Subject Alternative
   Name that is set to example.net.  A detailed discussion of TLS can be
   found in SSL and TLS [22].  For more details on the SSLDump tool, see
   the SSLDump Manual [23].

   This example does not use the Server Extended Hello (see RFC 3546
   [8]).

   New TCP connection #1: example.com(50713) <-> example.net(5061)
   1 1  0.0004 (0.0004)  C>SV3.1(101)  Handshake
         ClientHello
           Version 3.1
           random[32]=
           49 f7 83 8d 1f 21 c7 73 0c 9f 61
             4c 09 5b a7 66 77 eb 43 52 30 dd 98 4d 09 23 d3
             ff 81 74 ab 13 2d 6b 26
           1e 04 69 bb 79 0c 68 b3 b6 f8 24 54 6b 41 0d 9b 3a 03 31 8c dc 59 cd c2 1f b7 ec

           cipher suites
           TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
           TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
           TLS_DHE_RSA_WITH_AES_256_SHA
           TLS_RSA_WITH_AES_256_CBC_SHA
           TLS_DSS_RSA_WITH_AES_256_SHA
           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
           TLS_DHE_RSA_WITH_AES_128_CBC_SHA
           TLS_RSA_WITH_AES_128_CBC_SHA
           TLS_DHE_DSS_WITH_AES_128_CBC_SHA
           TLS_ECDHE_RSA_WITH_DES_192_CBC3_SHA
           TLS_ECDH_RSA_WITH_DES_192_CBC3_SHA
           TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
           TLS_RSA_WITH_3DES_EDE_CBC_SHA
           TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
           TLS_ECDHE_RSA_WITH_RC4_128_SHA
           TLS_ECDH_RSA_WITH_RC4_128_SHA
           TLS_RSA_WITH_RC4_128_SHA
           TLS_RSA_WITH_RC4_128_MD5
           TLS_DHE_RSA_WITH_DES_CBC_SHA
           TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
           TLS_RSA_WITH_DES_CBC_SHA
           TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
           TLS_DHE_DSS_WITH_DES_CBC_SHA
           TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
           TLS_RSA_EXPORT_WITH_RC4_40_MD5
           compression methods
                     NULL
   1 2  0.0012 (0.0007)  S>CV3.1(48)  Handshake
         ServerHello
           Version 3.1
           random[32]=
           49 f7 83 8d a0 f8 f0 3f ff 2d
             4c 09 5b a7 30 87 74 c7 16 98 24 d5 af 35 17 a7
             ef c3 78 0c 94 d4 13 9c 29 2b 2b
           fc 1c 92 b9 a8 2a 94 d2 10 0c 54 8e fd af d6 42 22 7b a6 3f 40 04 25 f6 e0
           session_id[0]=

           cipherSuite         TLS_RSA_WITH_AES_256_CBC_SHA
           compressionMethod                   NULL
   1 3  0.0012 (0.0000)  S>CV3.1(1858)  Handshake
         Certificate
   1 4  0.0012 (0.0000)  S>CV3.1(14)  Handshake
         CertificateRequest
           certificate_types                   rsa_sign
           certificate_types                   dss_sign
           certificate_types                 unknown value
         ServerHelloDone
   1 5  0.0043 (0.0031)  C>SV3.1(7)  Handshake
         Certificate
   1 6  0.0043 (0.0000)  C>SV3.1(262)  Handshake
         ClientKeyExchange
   1 7  0.0043 (0.0000)  C>SV3.1(1)  ChangeCipherSpec
   1 8  0.0043 (0.0000)  C>SV3.1(48)  Handshake
   1 9  0.0129 (0.0085)  S>CV3.1(170)  Handshake
   1 10 0.0129 (0.0000)  S>CV3.1(1)  ChangeCipherSpec
   1 11 0.0129 (0.0000)  S>CV3.1(48)  Handshake
   1 12 0.0134 (0.0005)  C>SV3.1(32)  application_data
   1 13 0.0134 (0.0000)  C>SV3.1(496)  application_data
   1 14 0.2150 (0.2016)  S>CV3.1(32)  application_data
   1 15 0.2150 (0.0000)  S>CV3.1(336)  application_data
   1 16 12.2304 (12.0154)  S>CV3.1(32)  Alert
   1    12.2310 (0.0005)  S>C  TCP FIN
   1 17 12.2321 (0.0011)  C>SV3.1(32)  Alert

3.2.  MESSAGE Message Over TLS

   Once the TLS session is set up, the following MESSAGE message (as
   defined in RFC 3428 [7]) is sent from fluffy@example.com to
   kumiko@example.net.  Note that the URI has a SIPS URL and that the
   VIA indicates that TLS was used.  In order to format this document,
   the <allOneLine> convention from RFC 4475 [21] is used to break long
   lines.  The actual message does not contain the linebreaks contained
   within those tags.

   MESSAGE sips:kumiko@example.net:5061 SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TLS 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-;
        rport=50713
   </allOneLine>
   Max-Forwards: 70
   Contact: <sips:fluffy@example.com:15001>
   To: <sips:kumiko@example.net:5061>
   From: <sips:fluffy@example.com:15001>;tag=10f47d62
   Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU.
   CSeq: 4308 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   Content-Type: text/plain
   Content-Length: 6

   Hello!

   When a UA goes to send a message to example.com, the UA can see if it
   already has a TLS connection to example.com and if it does, it may
   send the message over this connection.  A UA should have some scheme
   for reusing connections, as opening a new TLS connection for every
   message results in awful performance.  Implementers are encouraged to
   read Draft Connection Reuse in SIP [18] and RFC 3263 [4].

   The response is sent from example.net to example.com over the same
   TLS connection.  It is shown below.

   SIP/2.0 200 OK
   <allOneLine>
   Via: SIP/2.0/TLS 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-33d8961795354459-1---d8754z-;
        rport=50713
   </allOneLine>
   To: <sips:kumiko@example.net:5061>;tag=a0d41548
   From: <sips:fluffy@example.com:15001>;tag=10f47d62
   Call-ID: ODU5YTQzYTMyYjNkZDAyODcyOGJiMWNmOWZmZmY2MGU.
   CSeq: 4308 MESSAGE
   Content-Length: 0

   TODO: Actually use the allOneLine convention.  This will be fixed in
   a change to binary-generated content.

   TODO: Remove the Contact headers.

   OPEN ISSUE: There should be some more information about how this
   MESSAGE is associated with the handshake example.  The dump in
   Section 3.1 is slightly confusing in that example.com and example.net
   both resolved to the same address, so reverse lookup shows both
   domains as example.com.

4.  Callflow with S/MIME-secured Message

4.1.  MESSAGE Message with Signed Body

   Below is an example of a signed message.  The values on the Content-
   Type line (multipart/signed) and on the Content-Disposition line have
   been broken across lines to fit on the page, but they are not broken
   across lines in actual implementations.

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-c947ab3f4ea84000-1---d8754z-;
        rport=50714
   </allOneLine>
   Max-Forwards: 70
   Contact: <sip:fluffy@example.com>
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=20fad54c
   Call-ID: NTMyZGNlOWRkODAyNGY1ZWM0MDI2ZGVmZDBhZTQwYWI.
   CSeq: 8473 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Type: multipart/signed;boundary=d0c5ff1dcdc8f431;
                 micalg=sha1;protocol="application/pkcs7-signature"
   </allOneLine>
   Content-Length: 772

   --d0c5ff1dcdc8f431
   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hello!
   --d0c5ff1dcdc8f431
   Content-Type: application/pkcs7-signature;name=smime.p7s
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7s
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 1 *
   *****************
   --d0c5ff1dcdc8f431--

   It is important to note that the signature ("BINARY BLOB 1") is
   computed over the MIME headers and body, but excludes the multipart
   boundary lines.  The value on the Message-body line ends with CRLF.
   The CRLF is included in the boundary and is not part of the signature
   computation.  To be clear, the signature is computed over data
   starting with the C in the Content-Type and ending with the o in the
   hello.

   Content-Type: text/plain
   Content-Transfer-Encoding: binary

   Hello!
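
   The rule above (boundary lines and the CRLF in front of them are not
   part of the signed data) is easy to get wrong when slicing the body.
   The following is an added example, not code from this draft: it
   splits a multipart/signed body and returns the exact bytes that go
   into the digest.  The function names and the placeholder signature
   bytes are assumptions made for the illustration.

```python
import hashlib
import re

CRLF = b"\r\n"


def boundary_param(content_type: str) -> bytes:
    """Extract the boundary parameter from a multipart Content-Type value."""
    m = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', content_type, re.I)
    if m is None:
        raise ValueError("no boundary parameter in Content-Type")
    return (m.group(1) or m.group(2)).encode("ascii")


def split_signed_body(body: bytes, boundary: bytes):
    """Return (signed_bytes, signature_headers, signature_blob).

    signed_bytes is the first body part exactly as it must be hashed:
    its MIME headers, the blank line and the content, WITHOUT the CRLF
    that precedes the next boundary line (that CRLF is part of the
    boundary delimiter).
    """
    delim = b"--" + boundary
    if body.startswith(delim + CRLF):
        first = len(delim + CRLF)
    else:
        at = body.find(CRLF + delim + CRLF)
        if at < 0:
            raise ValueError("opening boundary not found")
        first = at + len(CRLF + delim + CRLF)

    mid = body.find(CRLF + delim + CRLF, first)
    if mid < 0:
        raise ValueError("boundary between the two parts not found")
    signed = body[first:mid]

    sig_start = mid + len(CRLF + delim + CRLF)
    # Search from the end: the signature part is binary.
    close = body.rfind(CRLF + delim + b"--")
    if close < sig_start:
        raise ValueError("closing boundary not found")
    headers, sep, blob = body[sig_start:close].partition(CRLF + CRLF)
    if not sep:
        raise ValueError("signature part has no header/body separator")
    return signed, headers, blob


def sha1_of(data: bytes) -> str:
    """Digest named by micalg=sha1 in the Content-Type of the example."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample: same layout and boundary as the MESSAGE above, with
# a five-byte stand-in where the real message carries BINARY BLOB 1.
CONTENT_TYPE = ('multipart/signed;boundary=d0c5ff1dcdc8f431;'
                'micalg=sha1;protocol="application/pkcs7-signature"')
PLACEHOLDER_SIG = b"\x30\x03\x02\x01\x00"
SAMPLE_BODY = CRLF.join([
    b"--d0c5ff1dcdc8f431",
    b"Content-Type: text/plain",
    b"Content-Transfer-Encoding: binary",
    b"",
    b"Hello!",
    b"--d0c5ff1dcdc8f431",
    b"Content-Type: application/pkcs7-signature;name=smime.p7s",
    b"Content-Disposition: attachment;handling=required;filename=smime.p7s",
    b"Content-Transfer-Encoding: binary",
    b"",
    PLACEHOLDER_SIG,
    b"--d0c5ff1dcdc8f431--",
    b"",
])

if __name__ == "__main__":
    signed, headers, blob = split_signed_body(
        SAMPLE_BODY, boundary_param(CONTENT_TYPE))
    print("signed bytes :", signed)
    print("digest       :", sha1_of(signed))
    # Hashing one CRLF too many gives a different digest, so the
    # signature would fail to verify.
    print("with CRLF    :", sha1_of(signed + CRLF))
```

   A verifier that hashes the part up to and including the CRLF before
   the boundary computes a different digest and rejects a valid
   signature.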

   Following is the ASN.1 parsing of encrypted contents referred to
   above as "BINARY BLOB 1".  Note that at address 30, the hash for the
   signature is specified as SHA-1.  Also note that the sender's
   certificate is not attached as it is optional in RFC 3852 [10].

 0  470: SEQUENCE {
 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15  455:   [0] {
19  451:     SEQUENCE {
23    1:       INTEGER 1
26   11:       SET {
28    9:         SEQUENCE {
30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37    0:           NULL
       :           }
       :         }
39   11:       SEQUENCE {
41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
       :         }
52  418:       SET {
56  414:         SEQUENCE {
60    1:           INTEGER 1
63  123:           SEQUENCE {
65  112:             SEQUENCE {
67   11:               SET {
69    9:                 SEQUENCE {
71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
76    2:                   PrintableString 'US'
       :                   }
       :                 }
80   19:               SET {
82   17:                 SEQUENCE {
84    3:                   OBJECT IDENTIFIER
       :                     stateOrProvinceName (2 5 4 8)
89   10:                   PrintableString 'California'
       :                   }
       :                 }
 101   17:               SET {
 103   15:                 SEQUENCE {
 105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
 110    8:                   PrintableString 'San Jose'
       :                   }
       :                 }

 120   14:               SET {
 122   12:                 SEQUENCE {
 124    3:                   OBJECT IDENTIFIER
       :                     organizationName (2 5 4 10)
 129    5:                   PrintableString 'sipit'
       :                   }
       :                 }
 136   41:               SET {
 138   39:                 SEQUENCE {
 140    3:                   OBJECT IDENTIFIER
       :                     organizationalUnitName (2 5 4 11)
 145   32:                   PrintableString 'Sipit Test Certificate Authority'
       :                   }
       :                 }
       :               }
 179    8:    7:             INTEGER 49 02 11 01 52 01 54 84 01 90 00 47 5C
       :             }
 188    9:           SEQUENCE {
 190    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
 197    0:             NULL
       :             }
 199   13:           SEQUENCE {
 201    9:             OBJECT IDENTIFIER
       :               rsaEncryption (1 2 840 113549 1 1 1)
 212    0:             NULL
       :             }
 214  256:           OCTET STRING
       :             B1 08 00 AA 15 AC 59 6D 1A 66 66 61 40 A7 BB B1             06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D
       :             D6             D9 7C 32 D8 CE 59 98 E3 8F 69 94 09 A5 F2 C4 34 D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9
       :             6F 49 4D 56 64 FE EB A9 EA 71 5D 44 B4 0C 77 C1
       :             0E BF FD 42 17 E3 84 A2 7E 5E 13 6C A6             03 8E F8 2B 34 12 99 0C A9 98 53 C7 17 DE E5 66 5D
       :             24 3F BE AE 14 51 0E 0D 3E 9A             5B A0 66 A0 93 9A 16 52 25 AB
       :             28 AA C5 8D 15 EB 96 29 C0 9B D9 52 3E 38 D8 07 89 53 1D 06 EC F5 10 1C DC 8B 48
       :             86 2D 22 28             5A 47 49 FB 02 9F 66 0F 74 DF B1 63 0B 58 96 B5 2B 01 F2 F9 0A 26 0D 51 11 7A
       :             EF AD 54 01 6D A4 C9 65 C6 3E 78 E3 CE 1C             08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80
       :             41 85 B5 20 22 9F 0B 70 5A 0B             62 1F EF 92 0A FB F5 C9 5F 15 7B 56 75 2D 7B 3E A1 66 A8 CC
       :             22 25 41 90 2B F5 12 08 60 07 09 F7 73             5F 42 BD 4D 5A 89 B9 E1 E0 7B EB 2B E7 C5 48 53 62 4A
       :             D0 AA 28 95 A9 0D F1 48 54 FF E3 3C A0 3E 51 41 1C FA C3 B1 12 5E
       :             47 AA A2 3A D0 7A 95 E8 6F A8 10 58 6D 58 98 18 A5 C6 0D 81 79 FE 03
       :             0B B3 24 24 D5 CE             21 50 91 1B 0A 97 DB 33 FC 31 75 E9 AC 15 1F 02
       :             F2 A8 E0 3A 3F 1E D2 22 B8 4D EA 11 0A 08 76 A7 4C C8 E6 5F 2F C1 22 27
       :             14 1B 55 8F E7 E7             CF 76 36 1C E0 16 63 37 95 65 EF BB 7F E7 56 47 5B
       :             C5 A7 1B 62 D4 D4 F2 0A 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48
       :             7C AB B0 2C 46 02 08 B7             6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA 2A 1E 08 CB 4D 1C AA
       :             09 34 AA 53 5F 59 95 3D C7 87 DD             E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41
       :             30 17 8D 78 04 01 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB
       :           }
       :         }
       :       }
       :     }
       :   }

   SHA-1 parameters may be omitted entirely, instead of being set to
   NULL, as mentioned in RFC 3370 [6].  The above dump of Blob 1 has
   SHA-1 parameters set to NULL.  Below are the same contents signed
   with the same key, but omitting the NULL according to RFC 3370 [6].
   This is the preferred encoding.  This is covered in greater detail in
   Section 5.
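
   Because both encodings occur in practice and RFC 3370 requires
   implementations to accept either, a receiver must not compare SHA-1
   AlgorithmIdentifiers byte for byte.  The following is an added
   example, not code from this draft: a minimal DER reader that parses
   the digestAlgorithms SET in both forms and compares them by meaning.
   The function names are assumptions; the sample bytes are constructed
   to match the lengths shown at address 26 in the two dumps.

```python
def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(value: bytes) -> str:
    """Decode OID content octets (first two arcs assumed to fit one byte)."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    first = min(value[0] // 40, 2)
    arcs = [first, value[0] - 40 * first]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(der: bytes):
    """Return (oid, params); params is 'absent', 'NULL' or raw DER bytes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE")
    tag, oid_bytes, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(oid_bytes)
    if pos == len(body):
        return oid, "absent"
    ptag, pval, after = read_tlv(body, pos)
    if after != len(body):
        raise ValueError("trailing data after parameters")
    if ptag == 0x05:
        if pval:
            raise ValueError("NULL must be empty")
        return oid, "NULL"
    return oid, body[pos:]


def digest_algorithms(set_der: bytes):
    """Parse a DER SET OF AlgorithmIdentifier into a list of (oid, params)."""
    tag, body, end = read_tlv(set_der, 0)
    if tag != 0x31 or end != len(set_der):
        raise ValueError("not a single SET")
    out, pos = [], 0
    while pos < len(body):
        start = pos
        _, _, pos = read_tlv(body, pos)
        out.append(parse_algorithm_identifier(body[start:pos]))
    return out


SHA1_OID = "1.3.14.3.2.26"


def same_algorithm(a, b) -> bool:
    """Compare two (oid, params) pairs; for SHA-1, NULL equals absent."""
    def norm(alg):
        oid, params = alg
        if oid == SHA1_OID and params in ("NULL", "absent"):
            return oid, None
        return oid, params
    return norm(a) == norm(b)


# Constructed DER for the digestAlgorithms SET in each dump:
# lengths 11/9/5/0 with NULL, and 9/7/5 with the parameters omitted.
SET_WITH_NULL = bytes.fromhex("310b300906052b0e03021a0500")
SET_OMITTED = bytes.fromhex("3109300706052b0e03021a")

if __name__ == "__main__":
    a = digest_algorithms(SET_WITH_NULL)[0]
    b = digest_algorithms(SET_OMITTED)[0]
    print(a, b, "equivalent:", same_algorithm(a, b))
```

   The same AlgorithmIdentifier appears a second time inside the
   SignerInfo, which is why the two complete dumps differ by four bytes
   rather than two.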

 0  466: SEQUENCE {
 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15  451:   [0] {
19  447:     SEQUENCE {
23    1:       INTEGER 1
26    9:       SET {
28    7:         SEQUENCE {
30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
       :           }
       :         }
37   11:       SEQUENCE {
39    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
       :         }
50  416:       SET {
54  412:         SEQUENCE {
58    1:           INTEGER 1
61  123:           SEQUENCE {
63  112:             SEQUENCE {
65   11:               SET {
67    9:                 SEQUENCE {
69    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
74    2:                   PrintableString 'US'
       :                   }
       :                 }
78   19:               SET {
80   17:                 SEQUENCE {
82    3:                   OBJECT IDENTIFIER
       :                     stateOrProvinceName (2 5 4 8)
87   10:                   PrintableString 'California'
       :                   }
       :                 }
99   17:               SET {
 101   15:                 SEQUENCE {
 103    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
 108    8:                   PrintableString 'San Jose'
       :                   }
       :                 }
 118   14:               SET {
 120   12:                 SEQUENCE {
 122    3:                   OBJECT IDENTIFIER
       :                     organizationName (2 5 4 10)
 127    5:                   PrintableString 'sipit'
       :                   }
       :                 }
 134   41:               SET {
 136   39:                 SEQUENCE {
 138    3:                   OBJECT IDENTIFIER
       :                     organizationalUnitName (2 5 4 11)
 143   32:                   PrintableString 'Sipit Test Certificate Authority'
       :                   }
       :                 }
       :               }
 177    8:    7:             INTEGER 49 02 11 01 52 01 54 84 01 90 00 47 5C
       :             }
 186    7:           SEQUENCE {
 188    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
       :             }
 195   13:           SEQUENCE {
 197    9:             OBJECT IDENTIFIER
       :               rsaEncryption (1 2 840 113549 1 1 1)
 208    0:             NULL
       :             }
 210  256:           OCTET STRING
       :             B1 08 00 AA 15 AC 59 6D 1A 66 66 61 40 A7 BB B1             06 AF 96 EE 1F 64 C9 B5 72 A6 07 F8 BF F7 95 4D
       :             D6             D9 7C 32 D8 CE 59 98 E3 8F 69 94 09 A5 F2 C4 34
       :             6F 49 4D 56 64 FE D7 F6 CB 00 30 46 D4 EF BA 85 11 8A EB B9
       :             03 8E F8 34 12 99 0C A9 EA 71 98 53 C7 17 DE E5 66 5D 44 B4 0C 77 C1
       :             0E BF FD 42 17 E3 84 A2 7E 5E 13 6C A6 F8 2B A9
       :             24 3F BE AE 14 51 0E 0D 3E 9A             5B A0 66 A0 93 9A 16 52 25 AB
       :             28 AA C5 8D 15 EB 96 29 C0 9B D9 52 3E 38 D8 07 89 53 1D 06 EC F5 10 1C DC 8B 48
       :             86 2D 22 28             5A 47 49 FB 02 9F 66 0F 74 DF B1 63 0B 58 96 B5 2B 01 F2 F9 0A 26 0D 51 11 7A
       :             EF AD 54 01 6D A4 C9 65 C6 3E 78 E3 CE 1C             08 79 1D 31 78 C0 C9 71 CA 30 4A 5A C5 64 89 80
       :             41 85 B5 20 22 9F 0B 70 5A 0B             62 1F EF 92 0A FB F5 C9 5F 15 7B 56 75 2D 7B 3E A1 66 A8 CC
       :             22 25 41 90 2B F5 12 08 60 07 09 F7 73             5F 42 BD 4D 5A 89 B9 E1 E0 7B EB 2B E7 C5 48 53 62 4A
       :             D0 AA 28 95 A9 0D F1 48 54 FF E3 3C A0 3E 51 41 1C FA C3 B1 12 5E
       :             47 AA A2 3A D0 7A 95 E8 6F A8 10 58 6D 58 98 18 A5 C6 0D 81 79 FE 03
       :             0B B3 24 24 D5 CE             21 50 91 1B 0A 97 DB 33 FC 31 75 E9 AC 15 1F 02 11 4C C8 E6 5F 2F C1 22 27
       :             F2 A8             CF 76 36 1C E0 3A 3F 1E D2 22 B8 4D EA 11 0A 08 76 A7
       :             14 1B 55 8F E7 E7 1C E0 16 63 37 95 65 EF BB 7F E7 56 47 5B
       :             C5 A7 1B 62 D4 D4 F2 0A 76 13 97 6A 13 BD 17 37 1D BC 2B 9A 48
       :             7C AB B0 2C 46 02 08 B7             6C 20 E9 0C BE BA 4E 9D 2F 31 3E BA A4 6F EC CA 2A 1E 08 CB 4D 1C AA
       :             09 34 AA 53 5F 59 95 3D C7 87 DD             E4 02 1F 2E AD 88 2F 94 F3 C3 5D 3F BF DF 0A 41
       :             30 17 8D 78 04 01 1A 9F 1D F6 EB B3 7A 0B E1 42 DF 36 45 BB
       :           }
       :         }
       :       }
       :     }
       :   }

   TODO: For generated-content, change "hello" to "Hello!" to be
   consistent.

   TODO: Actually use the allOneLine convention.  This will be fixed in
   a change to binary-generated content.

4.2.  MESSAGE Message with Encrypted Body

   Below is an example of an encrypted text/plain message that says
   "hello".  The binary encrypted contents have been replaced with the
   block "BINARY BLOB 2".

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-19883b67d813801b-1---d8754z-;
        rport=50716
   </allOneLine>
   Max-Forwards: 70
   Contact: <sip:fluffy@example.com>
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=47e96625
   Call-ID: NDg3ZGJjMGVhM2Y4MjdjNjU4ZDYyODhlODZkNGVlOWU.
   CSeq: 3260 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7
   </allOneLine>
   Content-Transfer-Encoding: binary
   <allOneLine>
   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
                 name=smime.p7m
   </allOneLine>
   Content-Length: 563

   *****************
   * BINARY BLOB 2 *
   *****************

   Following is the ASN.1 parsing of "BINARY BLOB 2".  Note that at
   address 452, the encryption is set to aes128-CBC.

 0  559: SEQUENCE {
 4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15  544:   [0] {
19  540:     SEQUENCE {
23    1:       INTEGER 0
26  407:       SET {
30  403:         SEQUENCE {
34    1:           INTEGER 0
37  123:           SEQUENCE {
39  112:             SEQUENCE {
41   11:               SET {
43    9:                 SEQUENCE {
45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
50    2:                   PrintableString 'US'
       :                   }
       :                 }
54   19:               SET {
56   17:                 SEQUENCE {
58    3:                   OBJECT IDENTIFIER
       :                     stateOrProvinceName (2 5 4 8)
63   10:                   PrintableString 'California'
       :                   }
       :                 }
75   17:               SET {
77   15:                 SEQUENCE {
79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
84    8:                   PrintableString 'San Jose'
       :                   }
       :                 }
94   14:               SET {
96   12:                 SEQUENCE {
98    3:                   OBJECT IDENTIFIER
       :                     organizationName (2 5 4 10)
 103    5:                   PrintableString 'sipit'
       :                   }
       :                 }
 110   41:               SET {
 112   39:                 SEQUENCE {
 114    3:                   OBJECT IDENTIFIER
       :                     organizationalUnitName (2 5 4 11)
 119   32:                   PrintableString 'Sipit Test Certificate Authority'
       :                   }
       :                 }
       :               }
 153    8:    7:             INTEGER 49 02 11 01 52 01 54 84 01 90 00 48 5D
       :             }
 162   13:           SEQUENCE {
 164    9:             OBJECT IDENTIFIER
       :               rsaEncryption (1 2 840 113549 1 1 1)
 175    0:             NULL
       :             }
 177  256:           OCTET STRING
       :             6E 48 A2 78 07 3A 47 09 C0 57 6F CB 01 AA 0E E7
       :             3E 2C 1B 78 8F 6B             40 0B 31 3C 3D 16 C2 D4 F2 BD 41 8E 3E CB 95
       :             CD 35 9C 2E 59 8B E8 E5 35 59 B3 C1 74 C8 A3 08 70 6F 0E FC 3B FB
       :             DC 1B 40 72 A3 BB A4 84 0A 54 CA AD A7 5E 93 39 36
       :             2E 66             D5 0D 68 6E 45 04 CA 4B E5 29 BE 65 F1 51 A1
       :             E3 40 83 95 7C 8F C8 D9 B0 A9 56 CF 34 D4 DE C4 63 BE 67 3D 75 88 C7 5B 32 0A 9A 54
       :             26 55 1D             01 59 F1 F0 AF 07 65 6B 35 4C 24 B0 D0 2A 57 51 8D
       :             E0 99 1F 54 D2 45 7C 49 7B 59 C9 E2 86 8C 2A 7D B1 37 13 B5 F8 26 FF 8D 79
       :             B8 3C F1 84             FC AD 06 67 C3 31 0C 57 B2 0E 2F FF A9 17 8C 24 E3 AA 79 82
       :             B6 6E EC 87 25 B2 E7 04 88 A4 92 FB 85 AD 9C 26
       :             A2 D2 E8 3D F6 94 5D A2 80
       :             2E 45 B7 36 96 6C 72 DB CD 20 EF A3 90 23 8E 9D B3 50 C4 F2 0B 0F 0A 6F 02
       :             DB             68 E9 52 B7 2E 69 3B E7 47 54 EA 2D 5E 38 75 77 CB 05 D0 EE 45 71 B6
       :             BB 95 93 AF 59 31 BC B3 10 F7 FE 72 B9 85 22 51 42 9C 9B 3E 0F B5
       :             80 A6 7E F6 E5 9E 46 32 2C 8A BB ED 60 C8 F6             DA 3B 7B 27 E0 1F D4 76 DE 0A 4B C1 4C 44 51 E8
       :             2D 9E CF 5F 9E D9 21 68             05 05 FB D8 0D 69 A5 B8 1A 51 08 BE 00 51 27 A7 1B 54
       :             53 CF 43 E2 45 2A 58 61 63 3C 19 75 86 67 04 C3 05 77 EA
       :             6D 77 19 3B A4 16 32 38 1C 79 05 7B 71 11 7B 56
       :             24 75 24 6B F7 75 D1 8A DA AE B8 3A 86             8D 98 A0 7E 73 53 41 4D 31 0A CB D1 77 4C FB 81 AA 26
       :             1B D2 80 88 64 52             F5 F4 82 6E C9 F4 8B 5E 5C 13 DA FE 93 44 F4 D6 E2 57 89
       :             B6 11 DD 60 A4 8A C1 77 48 98 AA C9 E0 D2 CB BF 82 FA 5C 0E
       :             58 C7 A8 67 48 9E 09 97 51 2E B4 10 B3 9B 3F 62
       :             77 D7 4F 61 C0 E4 AA 70 58 22 4E B4 24 6E 80 4C
       :           }
       :         }
 437  124:       SEQUENCE {
 439    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
 450   29:         SEQUENCE {
 452    9:           OBJECT IDENTIFIER
       :             aes128-CBC (2 16 840 1 101 3 4 1 2)
 463   16:           OCTET STRING
       :             E8 E4 34 63 AE 68 F7 C1 62 C5 9E 7B 6F 25             22 AF B3 06 78 4E 7E CF 9B 99 C8 08 2F 93 85 6D 5C
       :           }
 481   80:         [0]
       :           41 4C FE FA A4 B4 70 1A 62 86 BC C1 DE 90 94 69
       :           7D 0A D2 0F F3 4E 7D 6F 72 2F 7A A7 4B B4 4A 59
       :           C9           CB F2 22 1B C0 F8 ED 86 6A CB F3 AD 65 8C 08 7C BE 21
       :           8A 53 3D C5 92 EE 23 E3 8A EA D6 31 66 94 0E DF B3 49 01 63 D5 22 3A 00
       :           BA 5A AE 29 ED C9           F9 96 4C 5F 8B 75 4F 7E 22 F7 D6 8A 87 EA 00 FC 4B 97 62 54 D3 13 56 EE
       :           91 DB 78 50 B6 AD           BF B7 B8 5D F6 11 41 3C C0 20 DD D9 24 32 6D F1 0B E8 CF 7C FC 14 90 BE DA
       :           F3 5E 04 38 CC D6 E5 9D 6F AF 44 BF A0 0A 3A 5C
       :         }
       :       }
       :     }
       :   }

   TODO: For generated-content, change "hello" to "Hello!" to be
   consistent.

   TODO: Actually use the allOneLine convention.  This will be fixed in
   a change to binary-generated content.

4.3.  MESSAGE Message with Encrypted and Signed Body

   In the example below, some of the header values have been split
   across multiple lines.  Where the lines have been broken, the
   <allOneLine> convention has been used.  This was only done to make it
   fit in the RFC format.  Specifically, the application/pkcs7-mime
   Content-Type line is one line with no whitespace between the "mime;"
   and the "smime-type".  The values are split across lines for
   formatting, but are not split in the real message.  The binary
   encrypted content has been replaced with "BINARY BLOB 3", and the
   binary signed content has been replaced with "BINARY BLOB 4".

   MESSAGE sip:kumiko@example.net SIP/2.0
   <allOneLine>
   Via: SIP/2.0/TCP 192.0.2.2:15001;
        branch=z9hG4bK-d8754z-540c0075b0e6350b-1---d8754z-;
        rport=50717
   </allOneLine>
   Max-Forwards: 70
   Contact: <sip:fluffy@example.com>
   To: <sip:kumiko@example.net>
   From: <sip:fluffy@example.com>;tag=ead36604
   Call-ID: MjhmOTlmMWVmY2ZhNzAxYmZlYzNmODE2YWNhMmU4Zjg.
   CSeq: 5449 MESSAGE
   <allOneLine>
   Accept: multipart/signed, text/plain, application/pkcs7-mime,
           application/sdp, multipart/alternative
   </allOneLine>
   <allOneLine>
   Content-Type: multipart/signed;boundary=f913571e3a21963d;
                 micalg=sha1;protocol="application/pkcs7-signature"
   </allOneLine>
   Content-Length: 1451

   --f913571e3a21963d
   <allOneLine>
   Content-Type: application/pkcs7-mime;smime-type=enveloped-data;
                 name=smime.p7m
   </allOneLine>
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 3 *
   *****************
   --f913571e3a21963d
   Content-Type: application/pkcs7-signature;name=smime.p7s
   <allOneLine>
   Content-Disposition: attachment;handling=required;
                        filename=smime.p7s
   </allOneLine>
   Content-Transfer-Encoding: binary

   *****************
   * BINARY BLOB 4 *
   *****************
   --f913571e3a21963d--

   Below is the ASN.1 parsing of "BINARY BLOB 3".

 0  559: SEQUENCE {
 4    9:   OBJECT IDENTIFIER envelopedData (1 2 840 113549 1 7 3)
15  544:   [0] {
19  540:     SEQUENCE {
23    1:       INTEGER 0
26  407:       SET {
30  403:         SEQUENCE {
34    1:           INTEGER 0
37  123:           SEQUENCE {
39  112:             SEQUENCE {
41   11:               SET {
43    9:                 SEQUENCE {
45    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
50    2:                   PrintableString 'US'
       :                   }
       :                 }
54   19:               SET {
56   17:                 SEQUENCE {
58    3:                   OBJECT IDENTIFIER
       :                     stateOrProvinceName (2 5 4 8)
63   10:                   PrintableString 'California'
       :                   }
       :                 }
75   17:               SET {
77   15:                 SEQUENCE {
79    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
84    8:                   PrintableString 'San Jose'
       :                   }
       :                 }
94   14:               SET {
96   12:                 SEQUENCE {
98    3:                   OBJECT IDENTIFIER
       :                     organizationName (2 5 4 10)
 103    5:                   PrintableString 'sipit'
       :                   }
       :                 }
 110   41:               SET {
 112   39:                 SEQUENCE {
 114    3:                   OBJECT IDENTIFIER
       :                     organizationalUnitName (2 5 4 11)
 119   32:                   PrintableString 'Sipit Test Certificate Authority'
       :                   }
       :                 }
       :               }
 153    8:    7:             INTEGER 49 02 11 01 52 01 54 84 01 90 00 48 5D
       :             }
 162   13:           SEQUENCE {
 164    9:             OBJECT IDENTIFIER
       :               rsaEncryption (1 2 840 113549 1 1 1)
 175    0:             NULL
       :             }
 177  256:           OCTET STRING
       :             8A C2             00 50 79 F3 84 E1 0A 63 9E E3 F2 23 FE 87 5F 81 43
       :             55 6E 5B C9 46 91 B0 D4 11 0E EB 38 60 3A 47 99 14 33 FF 15 70 03 8C 07 EC 56 5D
       :             78 01 1A             4F F9 12 8C 22 89 9C 0F EE 81 FB 5C 63 F0 5E 9E 97 93 DA
       :             AC CC D5 F2 55 CD 04 6F C3 9A 1F 56 C5 F4 FB 08
       :             70 4D 07 79 54 83 AF CA 08 75 4B 4A 2A 2F 56 70
       :             A7 A0 B3 68 B2 B8 4E 2F D0 CF 76 15 3F 77 C8 A8 DC B3 E7 81 3E
       :             72 2A 12 6B E6 D9 B7 23 8A B1 3F 27 D6 48 EF 2C
       :             14 35 8A D2 84 22 FB 41 B6 1F 23 39 DC 9A 42 60
       :             CD 36 0E A5 B8 36 F6 5F E1 05 78 45 F7 05 12 6D 1C 70 22 20 86 C3 EC 3E 91 D5 62 78 66
       :             55 0A             A1 50 4C A9 F7 E3 B1 69 65 F8 01 3D D7 AE 1E 9A 00 38 A8 F7 2F
       :             A1 74 0F 15 6F 29 B6 5C 74 21 49 AC 0E 21 77 07 E4 0A
       :             4D A9 02 30 15 45 2F 8F AE 08 2E 49 D9 B2 77 73 C2 4A 9A
       :             E8 41 08 4E 2D B0             9F BF 5D AC 50 F3 B0 EE 2F 49 B7 75 D7 70 39 A4 14 89 A6 F3 DA EC E0 60
       :             FC A3 C9 49 38 C8 B3 79 71 46 98 C3 17 20 A9 13
       :             E7             84 D0 B7 2B 00 C0 C0 2A B9 FA EE E3 99 AA E2 1F C3 C3 DE 7A B3 70 40 DA F3 40 B0 FE CC
       :             0B             D9 1F A3 1F B7 BC 69 99 DC EB 5C 10 A9 FF A8 66 D1 56 BB B9 B9
       : D3 9D 84 CB 6B 7A 37 15 4C DB
       :             08 6D 03 55 F8 F7 38 24 3F 96 CC 6D 5A 92 8B 00 23 CB 8B FE 87 F5 66 E2 7F 5F 0F 84
       :             FB             BD 1E 49 16 DD 31 BE BF 19 26 7F C9 69 CC 93 98 1F 7E 3E 07 AE AA 97 52
       :             F2 EA 8B 34 5D 5A E4 DE D3 B0 DE
       :             6E 0E 29 9C E8 05 D7 4F 3D A0 F7 C2 B2 8E 0E FF
       :             06 DA 46 0B ED 3B 84 BF 88 17 9C 40 DA 52 65 62
       :             A9 BB F5 7A E7 D1 78 69 9D 61 D5 48 53 56 0A BB
       :             DD F3 35 C3 04 0D C0 BD 26 41 C1 E4 9E 19 A2 4B 07 72 DB 48 B8 FE D5 41 14 36
       :           }
       :         }
 437  124:       SEQUENCE {
 439    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
 450   29:         SEQUENCE {
 452    9:           OBJECT IDENTIFIER
       :             aes128-CBC (2 16 840 1 101 3 4 1 2)
 463   16:           OCTET STRING
       :             9E C3 11 33 C1 F5 42 09 C8 8B D2 C9 54 32 78 46             4F 3B 58 6A ED 07 FF BC 84 F4 03 CA 98 B2 1F 65
       :           }
 481   80:         [0]
       :         }
       :       }
       :     }
       :   }

   Below is the ASN.1 parsing of "BINARY BLOB 4".

 0  470: SEQUENCE {
 4    9:   OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
15  455:   [0] {
19  451:     SEQUENCE {
23    1:       INTEGER 1
26   11:       SET {
28    9:         SEQUENCE {
30    5:           OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
37    0:           NULL
       :           }
       :         }
39   11:       SEQUENCE {
41    9:         OBJECT IDENTIFIER data (1 2 840 113549 1 7 1)
       :         }
52  418:       SET {
56  414:         SEQUENCE {
60    1:           INTEGER 1
63  123:           SEQUENCE {
65  112:             SEQUENCE {
67   11:               SET {
69    9:                 SEQUENCE {
71    3:                   OBJECT IDENTIFIER countryName (2 5 4 6)
76    2:                   PrintableString 'US'
       :                   }
       :                 }
80   19:               SET {
82   17:                 SEQUENCE {
84    3:                   OBJECT IDENTIFIER
       :                     stateOrProvinceName (2 5 4 8)
89   10:                   PrintableString 'California'
       :                   }
       :                 }
 101   17:               SET {
 103   15:                 SEQUENCE {
 105    3:                   OBJECT IDENTIFIER localityName (2 5 4 7)
 110    8:                   PrintableString 'San Jose'
       :                   }
       :                 }
 120   14:               SET {
 122   12:                 SEQUENCE {
 124    3:                   OBJECT IDENTIFIER
       :                     organizationName (2 5 4 10)
 129    5:                   PrintableString 'sipit'
       :                   }
       :                 }
 136   41:               SET {
 138   39:                 SEQUENCE {
 140    3:                   OBJECT IDENTIFIER
       :                     organizationalUnitName (2 5 4 11)
 145   32:                   PrintableString
       :                     'Sipit Test Certificate Authority'
       :                   }
       :                 }
       :               }
 179    7:             INTEGER 49 02 11 01 84 01 5C
       :             }
 188    9:           SEQUENCE {
 190    5:             OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
 197    0:             NULL
       :             }
 199   13:           SEQUENCE {
 201    9:             OBJECT IDENTIFIER
       :               rsaEncryption (1 2 840 113549 1 1 1)
 212    0:             NULL
       :             }
 214  256:           OCTET STRING
       :           }
       :         }
       :       }
       :     }
       :   }

   TODO: Actually use the allOneLine convention.  This will be fixed in
   a change to binary-generated content.

5.  Observed Interoperability Issues

   This section describes some common interoperability problems.  These
   were observed by the authors at SIPit interoperability events.
   Implementers should be careful to verify that their systems do not
   introduce these common problems, and, when possible, make their
   clients forgiving in what they receive.  Implementations should take
   extra care to produce reasonable error messages when interacting with
   software that has these problems.

   Some SIP clients incorrectly only do SSLv3 and do not support TLS.

   Many SIP clients were found to accept expired certificates with no
   warning or error.

   When used with SIP, TLS and S/MIME provide the identity of the peer
   that a client is communicating with in the Subject Alternative Name
   in the certificate.  The software checks that this name corresponds
   to the identity the server is trying to contact.  Normative text
   describing path validation can be found in section 7 of Draft SIP
   Domain Certs [17] and section 6 of RFC 5280 [15].  If a client is
   trying to set up a TLS connection to good.example.com and it gets a
   TLS connection set up with a server that presents a valid certificate
   but with the name evil.example.com, it will typically generate an
   error or warning of some type.  Similarly with S/MIME, if a user is
   trying to communicate with sip:fluffy@example.com, one of the items
   in the Subject Alternative Name set in the certificate will need to
   match according to the certificate validation rules in section 23 of
   RFC 3261 [3] and section 6 of RFC 5280 [15].

   Some implementations used binary MIME encodings while others used
   base64.  It is advisable that implementations send only binary and
   are prepared to receive either.

   In several places in this document, the messages contain the encoding
   for the SHA-1 digest algorithm identifier.  The preferred form for
   encoding as set out in Section 2 of RFC 3370 [6] is the form in which
   the optional AlgorithmIdentifier parameter field is omitted.
   However, RFC 3370 also says the recipients need to be able to receive
   the form in which the AlgorithmIdentifier parameter field is present
   and set to NULL.  Examples of the form using NULL can be found in
   Section 4.2 of RFC 4134 [20].  Receivers really do need to be able to
   receive the form that includes the NULL because the NULL form, while
   not preferred, is what was observed as being generated by most
   implementations.  Implementers should also note that if the algorithm
   is MD5 instead of SHA-1, then the form that omits the
   AlgorithmIdentifier parameters field is not allowed and the sender
   has to use the form where the NULL is included.
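
   The two encodings discussed above, parsed by a receiver that accepts
   both.  This is an added example, not code from the draft or from any
   SIP stack; the function names and the hex samples are constructed
   for illustration.

```python
# Added example: tolerant parsing of the DER-encoded digest
# AlgorithmIdentifier carried in CMS SignedData (SHA-1 and MD5 only).
OIDS = {"1.3.14.3.2.26": "sha1", "1.2.840.113549.2.5": "md5"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past the end of the buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                # last octet of this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first octet packs two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def parse_digest_algorithm(der):
    """Return (name, form); form is 'absent' or 'null' for the parameters."""
    tag, seq, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid_body, pos = read_tlv(seq)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = decode_oid(oid_body)
    if oid not in OIDS:
        raise ValueError("unexpected digest algorithm " + oid)
    if pos == len(seq):
        return OIDS[oid], "absent"         # parameters field omitted
    tag, value, pos = read_tlv(seq, pos)
    if tag != 0x05 or value or pos != len(seq):
        raise ValueError("parameters must be absent or an ASN.1 NULL")
    return OIDS[oid], "null"


def classify(der):
    """Map an encoding onto the cases described in the paragraph above."""
    name, form = parse_digest_algorithm(der)
    if name == "sha1":
        return "preferred" if form == "absent" else "accepted"
    return "required" if form == "null" else "not allowed"


# Constructed sample encodings of the complete AlgorithmIdentifier.
SHA1_ABSENT = bytes.fromhex("300706052b0e03021a")
SHA1_NULL = bytes.fromhex("300906052b0e03021a0500")
MD5_NULL = bytes.fromhex("300c06082a864886f70d02050500")
MD5_ABSENT = bytes.fromhex("300a06082a864886f70d0205")

if __name__ == "__main__":
    for label, der in [("SHA-1, no parameters", SHA1_ABSENT),
                       ("SHA-1, NULL", SHA1_NULL),
                       ("MD5, NULL", MD5_NULL),
                       ("MD5, no parameters", MD5_ABSENT)]:
        print(label, parse_digest_algorithm(der), classify(der))
```

   SHA1_NULL is the 9-octet SEQUENCE with a 5-octet OID and a
   zero-length NULL that the ASN.1 dumps in this document show.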

   The preferred encryption algorithm for S/MIME in SIP is AES as
   defined in RFC 3853 [11].

   Observed S/MIME interoperability has been better when UAs did not
   attach the senders' certificates.  Attaching the certificates
   significantly increases the size of the messages, which should be
   considered when sending over UDP.  Furthermore, the receiver cannot
   rely on the sender to always send the certificate, so it does not
   turn out to be useful in most situations.

6.  Additional Test Scenarios

   This section provides a non-exhaustive list of tests that
   implementations should perform while developing systems that use
   S/MIME and TLS for SIP.

   Much of the required behavior for inspecting certificates when using
   S/MIME and TLS with SIP is currently underspecified.  The non-
   normative recommendations in this document capture the current
   folklore around that required behavior, guided by both related
   normative works such as RFC 4474 [12] (particularly, section 13.4
   Domain Names and Subordination) and informative works such as RFC
   2818 [19] section 3.1.  To summarize, test plans should:
   o  For S/MIME secured bodies, assure that the peer's URI (address-of-
      record, as per RFC 3261 [3] section 23.3) appears in the
      subjectAltName of the peer's certificate as a
      uniformResourceIdentifier field.
   o  For TLS, assure that the peer's hostname appears as described in
      Draft SIP Domain Certs [17].  Also:
      *  assure an exact match in a dNSName entry in the subjectAltName
         if there are any dNSNames in the subjectAltName.  Wildcard
         matching is not allowed against these dNSName entries.  See
         section 7.1 of Draft SIP Domain Certs [17].
      *  assure that the most specific CommonName in the Subject field
         matches if there are no dNSName entries in the subjectAltName
         at all (which is not the same as there being no matching
         dNSName entries).  This match can be either exact, or against
         an entry that uses the wildcard matching character '*'.
      The peer's hostname is discovered from the initial DNS query in
      the server location process RFC 3263 [4].
   o  IP addresses can appear in subjectAltName (RFC 5280 [15]) of the
      peer's certificate, e.g.  "IP:192.168.0.1".  Note that if IP
      addresses are used in subjectAltName, there are important
      ramifications regarding the use of Record-Route headers that also
      need to be considered.  See section 7.5 of Draft SIP Domain Certs
      [17].  Use of IP addresses instead of domain names is inadvisable.

   OPEN ISSUE: From first bullet, "peer's URI"...What URI?  An AoR for
   the user?  From or To values?  Contacts?  Request-URIs?  For request
   URIs, do we need to discuss the effects of retargeting?  Do we need
   to consider some of the current History-Info discussions?

   For each of these tests, an implementation will proceed past the
   verification point only if the certificate is "good".  S/MIME
   protected requests presenting bad certificate data will be rejected.
   S/MIME protected responses presenting bad certificate information
   will be ignored.  TLS connections involving bad certificate data will
   not be completed.

   1.   S/MIME : Good peer certificate
   2.   S/MIME : Bad peer certificate (peer URI does not appear in
        subjAltName)
   3.   S/MIME : Bad peer certificate (valid authority chain does not
        end at a trusted CA)
   4.   S/MIME : Bad peer certificate (incomplete authority chain)
   5.   S/MIME : Bad peer certificate (the current time does not fall
        within the period of validity)
   6.   S/MIME : Bad peer certificate (certificate or cert in authority
        chain has been revoked)
   7.   S/MIME : Bad peer certificate ("Digital Signature" is not
        specified as an X509v3 Key Usage)
   8.   TLS : Good peer certificate (hostname appears in dNSName in
        subjAltName)
   9.   TLS : Good peer certificate (no dNSNames in subjAltName,
        hostname appears in CN of Subject)
   10.  TLS : Good peer certificate (CN of Subject empty, and
        subjectAltName extension contains an iPAddress stored in the
        octet string in network byte order form as specified in RFC 791
        [1])
   11.  TLS : Bad peer certificate (no match in dNSNames or in the
        Subject CN)
   12.  TLS : Bad peer certificate (valid authority chain does not end
        at a trusted CA)
   13.  TLS : Bad peer certificate (incomplete authority chain)
   14.  TLS : Bad peer certificate (the current time does not fall
        within the period of validity)
   15.  TLS : Bad peer certificate (certificate or cert in authority
        chain has been revoked)
   16.  TLS : Bad peer certificate ("TLS Web Server Authentication" is
        not specified as an X509v3 Key Usage)

   OPEN ISSUE: Should we have at least one case for SIP EKU?

   17.  TLS : Bad peer certificate (Neither "SIP Domain" nor "Any
        Extended Key Usage" specified as an X509v3 Extended Key Usage,
        and X509v3 Extended Key Usage is present)
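
   The identity checks behind tests 2 and 8 through 11, written out as
   a reference check a test harness could compare an implementation
   against.  This is an added example, not code from the draft; the
   PeerCert type, the function names and the sample certificates are
   constructed, and the wildcard and URI comparison details are marked
   as assumptions in the comments.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Identity fields of a certificate (constructed here, not parsed)."""
    subject_cns: list = field(default_factory=list)  # in Subject order
    san_dns: list = field(default_factory=list)      # dNSName entries
    san_uri: list = field(default_factory=list)      # URI entries
    san_ip: list = field(default_factory=list)       # iPAddress octets


def _dns(name):
    return name.lower().rstrip(".")


def _cn_matches(cn, host):
    # Assumption: '*' is honoured only as the entire left-most label.
    cn_labels, host_labels = _dns(cn).split("."), host.split(".")
    if len(cn_labels) == len(host_labels) >= 2 and cn_labels[0] == "*":
        return cn_labels[1:] == host_labels[1:]
    return cn_labels == host_labels


def tls_identity_ok(target, cert):
    """Apply the TLS rules above to the name the client set out to reach."""
    try:
        wanted = ipaddress.ip_address(target).packed
    except ValueError:
        wanted = None
    if wanted is not None:
        # Test 10: iPAddress is compared as octets in network byte order.
        return wanted in cert.san_ip
    host = _dns(target)
    if cert.san_dns:
        # Any dNSName present: exact match only, the CN is never consulted.
        return any(host == _dns(name) for name in cert.san_dns)
    if not cert.subject_cns:
        return False
    # Assumption: the most specific CN is the last one in Subject order.
    return _cn_matches(cert.subject_cns[-1], host)


def _sip_uri_key(uri):
    # Simplified comparison (assumption): scheme and host fold case, the
    # user part does not, and URI parameters are not handled.
    scheme, _, rest = uri.partition(":")
    user, _, host = rest.rpartition("@")
    return scheme.lower(), user, _dns(host)


def smime_identity_ok(aor, cert):
    """The peer's address-of-record must appear as a URI subjectAltName."""
    wanted = _sip_uri_key(aor)
    return any(wanted == _sip_uri_key(uri) for uri in cert.san_uri)


# Constructed cases; the leading number is the test in the list above.
CASES = [
    ("1 uri present", smime_identity_ok, "sip:fluffy@Example.COM",
     PeerCert(san_uri=["sip:fluffy@example.com"])),
    ("2 uri missing", smime_identity_ok, "sip:fluffy@example.com",
     PeerCert(san_uri=["sip:other@example.net"])),
    ("8 dNSName exact", tls_identity_ok, "example.com",
     PeerCert(subject_cns=["unrelated"], san_dns=["example.com"])),
    ("8 dNSName wildcard", tls_identity_ok, "host.example.com",
     PeerCert(san_dns=["*.example.com"])),
    ("9 CN exact", tls_identity_ok, "host.example.net",
     PeerCert(subject_cns=["host.example.net"])),
    ("9 CN wildcard", tls_identity_ok, "host.example.net",
     PeerCert(subject_cns=["*.example.net"])),
    ("10 iPAddress", tls_identity_ok, "192.0.2.10",
     PeerCert(subject_cns=[""], san_ip=[bytes([192, 0, 2, 10])])),
    ("11 CN ignored", tls_identity_ok, "example.com",
     PeerCert(subject_cns=["example.com"], san_dns=["example.net"])),
    ("11 no match", tls_identity_ok, "example.com",
     PeerCert(subject_cns=["example.net"])),
]


def run_cases():
    return {label: check(target, cert) for label, check, target, cert in CASES}


if __name__ == "__main__":
    for label, verdict in run_cases().items():
        print(f"{label:20} {'good' if verdict else 'bad'}")
```

   The "11 CN ignored" case is the one the parenthetical in the second
   sub-bullet warns about: a matching CommonName does not rescue a
   certificate whose dNSName entries fail to match.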

7.  IANA Considerations

   No IANA actions are required.

8.  Acknowledgments

   Many thanks to the developers of all the open source software used to
   create these call flows.  This includes the underlying crypto and TLS
   software used from openssl.org, the SIP stack from
   www.resiprocate.org, and the SIMPLE IMPP agent from www.sipimp.org.
   The TLS flow dumps were done with SSLDump from
   http://www.rtfm.com/ssldump.  The book "SSL and TLS" [22] was a huge
   help in developing the code for these flows.  It's sad there is no
   second edition.

   Thanks to Jim Schaad, Russ Housley, Eric Rescorla, Dan Wing, Tat
   Chan, and Lyndsay Campbell who all helped find and correct mistakes
   in this document.

   Vijay Gurbani and Alan Jeffrey contributed much of the additional
   test scenario content.

9.  Security Considerations

   Implementers must never use any of the certificates provided in this
   document in anything but a test environment.  Installing the CA root
   certificates used in this document as a trusted root in operational
   software would completely destroy the security of the system while
   giving the user the impression that the system was operating
   securely.

   This document recommends some things that implementers might test or
   verify to improve the security of their implementations.  It is
   impossible to make a comprehensive list of these, and this document
   only suggests some of the most common mistakes that have been seen at
   the SIPit interoperability events.  Just because an implementation
   does everything this document recommends does not make it secure.

   This document does not show any messages needed to check certificate
   revocation status (see section 3.3 of RFC 5280 [15]) as that is not
   part of the SIP call flow.  The expectation is that revocation status
   is checked periodically and regularly to protect against the
   possibility of
   certificate compromise or repudiation.  For more information on how
   certificate revocation status can be checked, see RFC 2560 [2]
   (Online Certificate Status Protocol) and RFC 5055 [13] (Server-Based
   Certificate Validation Protocol).

10.  Changelog

   (RFC Editor: remove this section)

   -02 to -03
      *  Re-worded "should" and "must" so that the document doesn't
         sound like it is making normative statements.  Actual normative
         behavior is referred to in the respective RFCs.

      *  Section 5: re-worded paragraphs 4 and 5 regarding
         subjectAltName, and added references.
      *  Section 6: added references, clarified use of IP addresses, and
         clarified which From/To URI is used for comparison (from RFC
         3261 section 23.2).  Added an EKU test case.
      *  Section 9: added text about certificate revocation checking.
      *  Appendix B.3: new section to present certificate chains longer
         than 2 (non-root CA).
      *  Made examples consistently use <allOneLine> convention.
      *  CSeq looks more random.
      *  Serial numbers in certs are non-zero.
      *  All flows re-generated using new certs.  IP addresses conform
         to RFC 5737.
      *  Updated references.
   -01 to -02
      *  Draft is now informational, not standards track.  Normative-
         sounding language and references to RFC 2119 removed.
      *  Add TODO: change "hello" to "Hello!" in example flows for
         consistency.
      *  Add TODO: Fix subjectAltName DNS:com to DNS:example.com and
         DNS:net to DNS:example.net.
      *  Add TODO: use allOneLine convention from RFC4475.
      *  Section 3: updated open issue regarding contact headers in
         MESSAGE.
      *  Section 3.2: added some text about RFC 3263 and connection
         reuse and closed open issue.
      *  Section 5: clarified text about sender attaching certs, closed
         issue.
      *  Section 5: clarified text about observed problems, closed
         issue.
      *  Section 5: closed issue about clients vs. servers vs. proxies.
      *  Section 6: updated section text and open issue where IP address
         is in subjectAltName.
      *  Section 6: added normative references and closed "folklore"
         issue.
      *  Section 6: added cases about cert usage and broken chains,
         updated OPEN ISSUE: we need a SIP EKU example.
      *  References: updated references to drafts and re-categorized
         informative vs. normative.
      *  Section 9: added some text about revocation status and closed
         issue.
      *  Appendix B: open issue: do we need non-root-CA certs and host
         certs signed by them for help in testing cases in Section 6?
      *  Miscellaneous minor editorial changes.

   -00 to -01
      *  Addition of OPEN ISSUES.
      *  Numerous minor edits from mailing list feedback.
   to -00
      *  Changed RFC 3369 references to RFC 3852.
      *  Changed draft-ietf-sip-identity references to RFC 4474.
      *  Added an ASN.1 dump of CMS signed content where SHA-1
         parameters are omitted instead of being set to ASN.1 NULL.
      *  Accept headers added to messages.
      *  User and domain certificates are generated with EKU as
         specified in Draft SIP EKU [16].
      *  Message content that is shown is computed using certificates
         generated with EKU.
      *  Message dump archive returned.
      *  Message archive contains messages formed with and without EKU
         certificates.
   prior to -00
      *  Incorporated the Test cases from Vijay Gurbani's and Alan
         Jeffrey's Use of TLS in SIP draft
      *  Began to capture the folklore around where identities are
         carried in certificates for use with SIP
      *  Removed the message dump archive pending verification (will
         return in -02)

11.  References

11.1.  Normative References

   [1]   Postel, J., "Internet Protocol", STD 5, RFC 791,
         September 1981.

   [2]   Myers, M., Ankney, R., Malpani, A., Galperin, S., and C. Adams,
         "X.509 Internet Public Key Infrastructure Online Certificate
         Status Protocol - OCSP", RFC 2560, June 1999.

   [3]   Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
         Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
         Session Initiation Protocol", RFC 3261, June 2002.

   [4]   Rosenberg, J. and H. Schulzrinne, "Session Initiation Protocol
         (SIP): Locating SIP Servers", RFC 3263, June 2002.

   [5]   Chown, P., "Advanced Encryption Standard (AES) Ciphersuites for
         Transport Layer Security (TLS)", RFC 3268, June 2002.

   [6]   Housley, R., "Cryptographic Message Syntax (CMS) Algorithms",
         RFC 3370, August 2002.

   [7]   Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C., and
         D. Gurle, "Session Initiation Protocol (SIP) Extension for
         Instant Messaging", RFC 3428, December 2002.

   [8]   Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
         T. Wright, "Transport Layer Security (TLS) Extensions",
         RFC 3546, June 2003.

   [9]   Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
         (S/MIME) Version 3.1 Message Specification", RFC 3851,
         July 2004.

   [10]  Housley, R., "Cryptographic Message Syntax (CMS)", RFC 3852,
         July 2004.

   [11]  Peterson, J., "S/MIME Advanced Encryption Standard (AES)
         Requirement for the Session Initiation Protocol (SIP)",
         RFC 3853, July 2004.

   [12]  Peterson, J. and C. Jennings, "Enhancements for Authenticated
         Identity Management in the Session Initiation Protocol (SIP)",
         RFC 4474, August 2006.

   [13]  Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. Polk,
         "Server-Based Certificate Validation Protocol (SCVP)",
         RFC 5055, December 2007.

   [14]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS)
         Protocol Version 1.2", RFC 5246, August 2008.

   [15]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley,
         R., and W. Polk, "Internet X.509 Public Key Infrastructure
         Certificate and Certificate Revocation List (CRL) Profile",
         RFC 5280, May 2008.

   [16]  Lawrence, S. and V. Gurbani, "Using Extended Key Usage (EKU)
         for Session Initiation Protocol (SIP) X.509 Certificates",
         draft-ietf-sip-eku-08 (work in progress), October 2009.

   [17]  Gurbani, V., Lawrence, S., and B. Laboratories, "Domain
         Certificates in the Session Initiation Protocol (SIP)",
         draft-ietf-sip-domain-certs-07 (work in progress), May 2010.

   [18]  Gurbani, V., Mahy, R., and B. Tate, "Connection Reuse in the
         Session Initiation Protocol (SIP)",
         draft-ietf-sip-connect-reuse-14 (work in progress),
         August 2009.

11.2.  Informative References

   [19]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [20]  Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
         July 2005.

   [21]  Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J., and
         H. Schulzrinne, "Session Initiation Protocol (SIP) Torture Test
         Messages", RFC 4475, May 2006.

   [22]  Rescorla, E., "SSL and TLS - Designing and Building Secure
         Systems", 2001.

   [23]  Rescorla, E., "SSLDump manpage".

Appendix A.  Making Test Certificates

   These scripts allow you to make certificates for test purposes.  The
   certificates will all share a common CA root so that everyone running
   these scripts can have interoperable certificates.  WARNING - these
   certificates are totally insecure and are for test purposes only.
   All the CAs created by this script share the same private key to
   facilitate interoperability testing, but this totally breaks the
   security since the private key of the CA is well known.

   The instructions assume a Unix-like environment with openssl
   installed, but openssl does work in Windows too.  OpenSSL version
   0.9.8j was used to generate the certificates used in this document.
   Make sure you have openssl installed by trying to run "openssl".  Run
   the makeCA script found in Appendix A.1; this creates a subdirectory
   called demoCA.  If the makeCA script cannot find where your openssl
   is installed you will have to set an environment variable called
   OPENSSLDIR to whatever directory contains the file openssl.cnf.  You
   can find this with a "locate openssl.cnf".  You are now ready to make
   certificates.

   To create certs for use with TLS, run the makeCert script found in
   Appendix A.2 with the fully qualified domain name of the proxy you
   are making the certificate for.  For example, "makeCert
   host.example.net".  This will generate a private key and a
   certificate.  The private key will be left in a file named
   domain_key_example.net.pem in pem format.  The certificate will be in
   domain_cert_example.net.pem.  Some programs expect both the
   certificate and private key combined together in a PKCS12 format
   file.  This is created by the script and left in a file named
   example.net.p12.  Some programs expect this file to have a .pfx
   extension instead of .p12 - just rename the file if needed.  A file
   with a certificate signing request, called example.net.csr, is also
   created and can be used to get the certificate signed by another CA.

   A second argument indicating the number of days for which the
   certificate should be valid can be passed to the makeCert script.  It
   is possible to make an expired certificate using the command
   "makeCert host.example.net 0".

   Anywhere that a password is used to protect a certificate, the
   password is set to the string "password".

   The root certificate for the CA is in the file
   root_cert_fluffyCA.pem.

   For things that need DER format certificates, a certificate can be
   converted from PEM to DER with "openssl x509 -in cert.pem -inform PEM
   -out cert.der -outform DER".

   Some programs expect certificates in PKCS#7 format (with a file
   extension of .p7c).  You can convert these from PEM format to PKCS#7
   with "openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile demoCA/
   cacert.pem -outform DER -out cert.p7c"

   IE (version 8), Outlook Express (version 6), and Firefox (version
   3.5) can import and export .p12 files and .p7c files.  You can
   convert a pkcs7 certificate to PEM format with "openssl pkcs7 -in
   cert.p7c -inform DER -outform PEM -out cert.pem".

   The private key can be converted to pkcs8 format with "openssl pkcs8
   -in a_key.pem -topk8 -outform DER -out a_key.p8c"

   OPEN ISSUE: The information in this section needs to be verified with
   the latest software versions.  How to do conversions between
   supported types needs to be updated accordingly.  Any Windows users
   out there want to volunteer to verify the Windows side of these?

   In general, a TLS client will just need the root certificate of the
   CA.  A TLS server will need its private key and its certificate.
   These could be in two PEM files, a single file with both certificate
   and private key PEM sections, or a single .p12 file.  An S/MIME
   program will need its private key and certificate, the root
   certificate of the CA, and the certificate for every other user it
   communicates with.

A.1.  makeCA script

   #!/bin/sh
   set -x

   rm -rf demoCA

   mkdir demoCA
   mkdir demoCA/certs
   mkdir demoCA/crl
   mkdir demoCA/newcerts
   mkdir demoCA/private
   # This is done to generate the exact serial number used for the RFC
   echo "4902110184015C" > demoCA/serial
   touch demoCA/index.txt

   # You may need to modify this for where your default file is
   # you can find where yours is by typing "openssl ca"
   # An OPENSSLDIR already set in the environment is tried first.
   for D in "$OPENSSLDIR" /etc/ssl /usr/local/ssl /sw/etc/ssl \
            /sw/share/ssl; do
     if [ -n "$D" ] && [ -f "$D/openssl.cnf" ]; then
       OPENSSLDIR=$D
       break
     fi
   done

   CONF=${OPENSSLDIR}/openssl.cnf

   if [ ! -f "$CONF" ]; then
       echo "Can not find file $CONF - set your OPENSSLDIR variable"
       exit 1
   fi
   cp $CONF openssl.cnf

   cat >> openssl.cnf  <<EOF
   [ sipdomain_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
   extendedKeyUsage=serverAuth,1.3.6.1.5.5.7.3.20

   [ sipdomain_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipuser_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment
   extendedKeyUsage=emailProtection,1.3.6.1.5.5.7.3.20

   [ sipuser_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipdomain_noeku_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

   [ sipdomain_noeku_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   [ sipuser_noeku_cert ]
   subjectAltName=\${ENV::ALTNAME}
   basicConstraints=CA:FALSE
   subjectKeyIdentifier=hash
   authorityKeyIdentifier=keyid,issuer:always
   keyUsage = nonRepudiation,digitalSignature,keyEncipherment

   [ sipuser_noeku_req ]
   basicConstraints = CA:FALSE
   subjectAltName=\${ENV::ALTNAME}
   subjectKeyIdentifier=hash

   EOF

   cat > demoCA/private/cakey.pem <<EOF
   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,9D378A3D852EE5F0

   v4nyT2zSrdk4xhdngH3usAEf7tz+MZXImcKMconstvTcbAd6aootPJnHk+ZZYy9M
   7fOkLvlQKgh/gzKGOQwBqcjzdujoM7KWlCYYs/+4nTMFtQBKKkwnqB4gNOe7h/qC
   9eO0xnXZsTzfcD5XuVCyrC89dzPUDkfwR+tq4WmEtA9EsEWe4V2t0x82puUWHLV0
   HFBnNRpEwuwhaOvWEeX50MD/TrknFMm8mEa84bX+v5C6ziKaSiC2IMPy+s2wXNvm
   NsiCbWeVnECHoGaHHrJ2TZLiwm+DUFA+cyNMjMbBgr6a9piS9vwX327xcSeIT7LZ
   BmNWIiKXr7HWz8hcZq/mntXme1r5TCFivYluUH/DeHlZoBzQFoURbFQsnKS6wqK2
   Qd8hXZtjHv9sQfmdrZ4Js7QNNMFkA1Y+Fqnj3WhjDV9yBJZuTmRoDuwLyKtSiY9z
   sJa0h4E+ixLtqf84DnsnxL1Su1uEPwXIqaNgfTRWo5Xar2z7D+b4MS4ytNLo+3kz
   ENfF54pSYRDp9vc25SU/CdTIlk+KjGBM07pMOQqrvlgRnA3PeOleBAuQfE9drcu1
   fcpFcBAc1IPRHMp1/LvyJuceVqqeTAbjZCdJz/tGVTS0TMzbtYkTBX7yKuWFzyp7
   RRJcH4v4B+eFqs2nVNXg25IdGLt6em5qWIZEx/7xWJNqX0R3R92kQJPPP+mGv/ud
   xzkelLww2C1+jMVeTjLPzCZPnahzzWzx8sh2LnNbSLe3chgrIkyem2ywwx7gTJ6X
   zbCbBM8mGremEoRpBIcytCB6T0lghxf9k0OHdZ8WEyhwjvG12Xtciw==
   -----END RSA PRIVATE KEY-----
   EOF

   cat > demoCA/cacert.pem <<EOF
   -----BEGIN CERTIFICATE-----
   MIIDNjCCAp+gAwIBAgIJAJajhBdO74pMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
   BAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMREwDwYDVQQHEwhTYW4gSm9zZTEO
   MAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNpcGl0IFRlc3QgQ2VydGlmaWNhdGUg
   QXV0aG9yaXR5MCAXDTEwMDUxMDIwNTQ0OFoYDzIxMTAwNDE2MjA1NDQ4WjBwMQsw
   CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpv
   c2UxDjAMBgNVBAoTBXNpcGl0MSkwJwYDVQQLEyBTaXBpdCBUZXN0IENlcnRpZmlj
   YXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxk0ri3kU
   B9vHYYiYT6J842GA+ycFGO08yQ3l8dySTuvOd5FL5/NoYLBAAG90W04dyZfIcEpm
   /BNGqtKYsD6aht48INELNaIt5pLmA0mw20xiL1mGlCBpaXoKFlrVAaUIBiluhaau
   oQEL9h9TxZWwbrC0jQ756ctdekQhFOyaqK0CAwEAAaOB1TCB0jAdBgNVHQ4EFgQU
   OK2AhOLgFmuTn4n4RlFnLNqNgJwwgaIGA1UdIwSBmjCBl4AUOK2AhOLgFmuTn4n4
   RlFnLNqNgJyhdKRyMHAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
   MREwDwYDVQQHEwhTYW4gSm9zZTEOMAwGA1UEChMFc2lwaXQxKTAnBgNVBAsTIFNp
   cGl0IFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAlqOEF07vikwwDAYDVR0T
   BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQAvCE20AZt5/6/IzuVdMDz6mTpIuhso
   +Hzq1koXhYLmSYEbJL8B//r8VRIrB7jAOfoQc4hZVrd/lgEwr4kPCm1OrtgErpTU
   Z3gqxDaGS+FMpm1G2SxzD9r+j7oCEAm3G8YTqZCpAhVgYTJ5xegr2OSxuuvHfxkM
   abHGkq/uHHRV1Q==
   -----END CERTIFICATE-----
   EOF

   # uncomment the following lines to generate your own key pair

   # hexdump -n 4 -e '4/1 "%04u"' /dev/random > demoCA/serial

   # openssl req -newkey rsa:1024 -passin pass:password \
   #     -passout pass:password \
   #     -sha1 -x509 -keyout demoCA/private/cakey.pem \
   #     -out demoCA/cacert.pem -days 36500 -config ${CONF} <<EOF
   # US
   # California
   # San Jose
   # sipit
   # Sipit Test Certificate Authority
   #
   #
   # EOF

   openssl crl2pkcs7 -nocrl -certfile demoCA/cacert.pem \
           -outform DER -out demoCA/cacert.p7c

   cp demoCA/cacert.pem root_cert_fluffyCA.pem

A.2.  makeCert script

  #!/bin/sh
  set -x

  # Make a symbolic link to this file called "makeUserCert"
  # if you wish to use it to make certs for users.

  # ExecName=$(basename $0)
  #
  # if [ ${ExecName} == "makeUserCert" ]; then
  #   ExtPrefix="sipuser"
  # elif [ ${ExecName} == "makeEkuUserCert" ]; then
  #   ExtPrefix="sipuser_eku"
  # elif [ ${ExecName} == "makeEkuCert" ]; then
  #   ExtPrefix="sipdomain_eku"
  # else
  #   ExtPrefix="sipdomain"
  # fi

  if [ $# -eq 3 ]; then
    DAYS=36500
  elif [ $# -eq 4 ]; then
    DAYS=$4
  else
    echo "Usage: makeCert test.example.org user|domain eku|noeku [days]"
    echo "       makeCert alice@example.org [days]"
    echo "days is how long the certificate is valid"
    echo "days set to 0 generates an invalid certificate"
    exit 0
  fi

  ExtPrefix="sip"${2}

  if [ "$3" = "noeku" ]; then
    ExtPrefix=${ExtPrefix}"_noeku"
  fi

  DOMAIN=`echo $1 | perl -ne '{print "$1\n" if (/(\w+\..*)$/)}'`
  ADDR=$1
  echo "making cert for $DOMAIN ${ADDR}"

  rm -f ${ADDR}_*.pem
  rm -f ${ADDR}.p12
  case ${ADDR} in
  *:*) ALTNAME="URI:${ADDR}" ;;
  *@*) ALTNAME="URI:sip:${ADDR},URI:im:${ADDR},URI:pres:${ADDR}" ;;
  *)   ALTNAME="DNS:${DOMAIN},URI:sip:${ADDR}" ;;
  esac

  rm -f demoCA/index.txt
  touch demoCA/index.txt
  rm -f demoCA/newcerts/*

  export ALTNAME

  openssl genrsa  -out ${ADDR}_key.pem 2048
  openssl req -new  -config openssl.cnf -reqexts ${ExtPrefix}_req \
          -sha1 -key ${ADDR}_key.pem \
          -out ${ADDR}.csr -days ${DAYS} <<EOF
  US
  California
  San Jose
  sipit

  ${ADDR}

  EOF

  if [ "$DAYS" = 0 ]; then
  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
      -passin pass:password -policy policy_anything \
      -md sha1 -batch -notext -out ${ADDR}_cert.pem \
      -startdate 990101000000Z \
      -enddate 000101000000Z \
       -infiles ${ADDR}.csr
  else
  openssl ca -extensions ${ExtPrefix}_cert -config openssl.cnf \
      -passin pass:password -policy policy_anything \
      -md sha1 -days ${DAYS} -batch -notext -out ${ADDR}_cert.pem \
       -infiles ${ADDR}.csr
  fi

  openssl pkcs12 -passin pass:password \
      -passout pass:password -export \
      -out ${ADDR}.p12 -in ${ADDR}_cert.pem \
      -inkey ${ADDR}_key.pem -name ${ADDR} -certfile demoCA/cacert.pem

  openssl x509 -in ${ADDR}_cert.pem -noout -text
  case ${ADDR} in
  *@*) mv ${ADDR}_key.pem user_key_${ADDR}.pem; \
       mv ${ADDR}_cert.pem user_cert_${ADDR}.pem ;;
  *)   mv ${ADDR}_key.pem domain_key_${ADDR}.pem; \
       mv ${ADDR}_cert.pem domain_cert_${ADDR}.pem ;;
  esac

Appendix B.  Certificates for Testing

   This section contains various certificates used for testing in PEM
   format.

   OPEN ISSUE: Should we discuss certificate chains?  We aren't really
   trying to be a tutorial.  Would it be helpful to add a non-root CA
   and hosts signed by that non-root CA to help with testing events?  We
   do imply non-root CAs in Section 6.

B.1.  Certificates Using EKU

   These certificates make use of the EKU specification described in
   Draft SIP EKU [16].

   Fluffy's user certificate for example.com:

   Fluffy's private key for user certificate for example.com:

   Kumiko's user certificate for example.net:

   Kumiko's private key for user certificate for example.net:

   Domain certificate for example.com:

   Private key for domain certificate for example.com:

   Domain certificate for example.net:

   Private key for domain certificate for example.net:

B.2.  Certificates NOT Using EKU

   These certificates do not make use of the EKU specification described
   in Draft SIP EKU [16].  Most existing certificates fall in this
   category.

   Fluffy's user certificate for example.com:


   Fluffy's private key for user certificate for example.com:


   Kumiko's user certificate for example.net:


   Kumiko's private key for user certificate for example.net:


   Domain certificate for example.com:


   Private key for domain certificate for example.com:


   Domain certificate for example.net:


   Private key for domain certificate for example.net:


B.3.  Certificate Chaining with a Non-Root CA

   Following is a certificate for a non-root CA in example.net.  The
   certificate was signed by the root CA shown in Section 2.1.  As
   indicated in sections 4.2.1.9 and 4.2.1.3 of RFC 5280 [15], "cA" is
   set in Basic Constraints, and "keyCertSign" is set in Key Usage.  This
   identifies the certificate holder as a signing authority.

   Version: 3 (0x2)
   Serial Number:
       49:02:11:01:84:01:60
   Signature Algorithm: sha1WithRSAEncryption
   Issuer: C=US, ST=California, L=San Jose, O=sipit,
            OU=Sipit Test Certificate Authority
   Validity
       Not Before: Jun  7 22:13:09 2010 GMT
       Not After : May 14 22:13:09 2110 GMT
   Subject: C=US, ST=California, L=San Jose, O=sipit,
            OU=Test CA for example.net, CN=example.net
   Subject Public Key Info:

       Public Key Algorithm: rsaEncryption
       RSA Public Key: (2048 bit)
           Modulus (2048 bit):
               00:94:93:df:e0:aa:a6:8f:0a:f1:06:1b:2b:60:7f:
               91:87:9f:38:84:43:b3:f2:bc:ac:1c:bc:c9:e0:79:
               fa:ae:d1:9d:76:07:5d:fd:ce:da:e0:38:c2:6f:8c:
               b5:d2:4c:d6:00:84:fd:fa:1a:4d:5d:b5:0f:5e:e6:
               2f:3f:18:c8:31:f3:9c:8e:97:7e:ad:22:0c:32:28:
               39:71:b6:de:a5:18:43:13:d3:d5:62:20:b7:91:73:
               aa:fe:a0:4a:09:16:97:0a:5a:b5:06:1c:57:5e:07:
               40:da:5b:35:36:bd:4c:6f:8b:c1:a1:8e:4b:f1:ca:
               12:62:cf:6f:a3:14:ad:09:7b:47:8e:23:e5:2c:1f:
               6b:17:92:ab:77:e4:3a:db:32:de:5f:d8:dd:e7:65:
               7c:2a:f3:06:1e:40:67:db:f9:0e:5b:de:0c:98:70:
               86:6d:8b:4b:8b:0b:36:7b:12:83:37:0b:86:6b:f5:
               64:3f:4c:02:54:1c:a3:4d:30:25:7f:29:a0:22:5a:
               89:63:d8:d1:46:7c:c7:6f:b1:23:99:39:20:74:84:
               dc:07:f5:3c:bf:8a:61:57:c0:1a:81:57:5b:9e:81:
               d4:93:4c:16:12:59:e5:9e:d0:21:32:3c:99:af:82:
               82:2e:67:8d:ca:3b:28:ad:09:bc:b8:89:61:e1:66:
               7d:55
           Exponent: 65537 (0x10001)
   X509v3 extensions:
       X509v3 Basic Constraints:
           CA:TRUE
       X509v3 Subject Key Identifier:
           6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50
       X509v3 Authority Key Identifier:
           38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C

       X509v3 Key Usage:
           Certificate Sign
       Signature Algorithm: sha1WithRSAEncryption
   81:84:69:18:f5:f6:22:46:52:4f:e1:e0:a3:1d:eb:d4:b6:50:
   6b:84:a2:06:6f:53:d9:5f:b5:4d:65:97:3a:15:c0:d3:37:0a:
   3d:ce:83:9f:c9:36:86:32:bf:ca:08:38:75:44:e1:39:b2:58:
   b9:4e:b2:f9:fc:bf:05:35:14:fa:2a:61:f1:fd:18:2b:a3:14:
   92:f1:6f:84:07:cf:09:8a:f8:2b:27:7f:75:34:46:48:5b:81:
   0c:09:a8:af:b9:9c:4f:b7:3b:50:1b:e0:90:7e:a3:54:7d:1c:
   32:91:b0:86:0e:83:d3:ee:26:b0:3f:67:00:b5:d1:21:02:7e:
   af:fe

   Robert's certificate was signed by the non-root CA in example.net:

Version: 3 (0x2)
Serial Number:
    49:02:11:01:84:01:61

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=sipit,
         OU=Test CA for example.net,
         CN=example.net
Validity
    Not Before: Jun  7 22:13:10 2010 GMT
    Not After : May 14 22:13:10 2110 GMT
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
        Modulus (2048 bit):
            00:f6:3a:89:5e:4c:54:32:69:45:10:3d:36:5c:f7:
            8b:5e:28:cb:59:61:7c:0f:fa:17:7d:b5:f0:85:59:
            52:ee:16:7f:1e:6d:97:a2:ad:ed:3b:d6:37:be:4e:
            9c:d7:f1:e5:1f:af:f3:1b:1c:fa:56:ef:13:bf:53:
            44:fc:d0:b8:62:fa:53:1d:42:22:21:66:f0:22:79:
            fd:3b:51:9f:84:10:e2:1c:3e:f9:3c:75:86:97:e3:
            07:53:60:fa:fb:93:6c:2f:12:81:14:b5:4f:ba:36:
            c0:98:18:1f:d5:19:79:22:e7:80:d8:81:0f:16:82:
            46:0c:49:da:c6:d8:59:7d:64:e5:db:47:fa:41:62:
            99:ae:11:c3:ed:8b:cf:72:4c:b4:cb:93:f2:cc:7b:
            28:b8:22:a8:65:e4:c4:33:fe:dc:d1:ca:4f:38:63:
            04:a9:76:fc:0a:d3:29:d6:98:99:b6:9c:58:9c:06:
            55:36:f0:a5:fd:33:2f:65:31:4e:4b:ad:b2:46:1a:
            ec:80:63:b2:d5:8c:68:b1:7b:33:28:3d:8e:d2:c8:
            ff:a9:f6:b7:d4:83:74:ba:4c:26:46:3d:f5:5d:0d:
            47:c0:37:32:8a:66:93:f0:4b:b3:bf:61:24:81:af:
            0f:c2:77:34:19:bc:16:7f:df:41:9f:9c:ab:a8:f3:
            d9:f9
        Exponent: 65537 (0x10001)
X509v3 extensions:
    X509v3 Subject Alternative Name:
        URI:sip:robert@example.net, URI:im:robert@example.net,
           URI:pres:robert@example.net
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        F9:76:DF:A9:18:EC:27:21:1C:3F:25:0A:15:82:41:23:6F:32:0C:94
    X509v3 Authority Key Identifier:
        6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50

    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
        E-mail Protection, 1.3.6.1.5.5.7.3.20
    Signature Algorithm: sha1WithRSAEncryption
6c:77:f6:07:12:82:d5:ea:e2:de:7c:b5:16:aa:59:e5:8f:61:

0c:4c:37:f0:ca:08:83:d8:52:6c:b0:76:db:d4:e9:81:ac:c1:
78:98:fd:d3:30:41:5f:cc:73:2c:c1:8c:7a:c4:56:6e:39:6e:
18:21:04:b5:3b:c7:f6:10:64:5b:3f:c0:c9:56:91:55:c4:83:
5e:0c:0b:1b:03:af:42:b5:21:37:46:1b:43:a4:3e:05:b1:d9:
96:8f:0d:d4:fc:d5:27:8e:a0:64:01:e0:44:53:33:30:e9:d8:
9b:8a:80:35:c8:6e:95:a0:62:d3:a5:65:ab:b4:7e:55:91:62:
73:99:e9:9c:fa:85:8f:94:28:8c:24:f4:18:8e:df:3e:d8:75:
bd:c6:d0:0a:42:c8:24:ba:76:97:57:80:ac:2e:ba:ca:17:ef:
d8:3e:7b:4c:86:d9:e0:26:0e:a1:c9:6d:cf:f4:93:ba:d1:67:
ad:e2:f8:69:68:5f:de:25:b0:5d:69:1c:11:61:1c:79:f8:40:
5c:98:92:79:3f:0e:8a:a0:5f:ee:91:9b:70:3d:7d:d4:21:98:
21:96:92:36:d6:c8:40:25:a6:72:ef:6b:9e:11:62:10:74:ef:
f5:8b:4c:a6:ab:c8:e4:4e:32:fd:38:17:dc:e8:c5:6f:34:54:
23:cd:8f:fb
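
   The chaining conditions this section describes can be checked
   mechanically from the text dumps.  The following is an added example,
   not part of the original draft: it compares the name and key
   identifier fields of the two dumps above and checks the issuer's
   Basic Constraints and Key Usage.  The function names are hypothetical,
   the sample dumps are constructed from the fields shown above, and no
   signature is verified.

```python
import re

# Constructed samples: only the fields of the two dumps above that matter
# for chaining, in the same text layout (key and signature bytes omitted).
CA_DUMP = """\
Issuer: C=US, ST=California, L=San Jose, O=sipit,
         OU=Sipit Test Certificate Authority
Subject: C=US, ST=California, L=San Jose, O=sipit,
         OU=Test CA for example.net, CN=example.net
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE
    X509v3 Subject Key Identifier:
        6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50
    X509v3 Authority Key Identifier:
        38:AD:80:84:E2:E0:16:6B:93:9F:89:F8:46:51:67:2C:DA:8D:80:9C

    X509v3 Key Usage:
        Certificate Sign
"""
ROBERT_DUMP = """\
Issuer: C=US, ST=California, L=San Jose, O=sipit,
         OU=Test CA for example.net,
         CN=example.net
Subject: C=US, ST=California, L=San Jose, O=sipit, CN=robert@example.net
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    X509v3 Subject Key Identifier:
        F9:76:DF:A9:18:EC:27:21:1C:3F:25:0A:15:82:41:23:6F:32:0C:94
    X509v3 Authority Key Identifier:
        6A:88:BB:F4:69:FC:51:92:B1:A0:CC:0E:0B:EA:21:44:67:17:88:50

    X509v3 Key Usage:
        Digital Signature, Non Repudiation, Key Encipherment
"""


def indent(line):
    return len(line) - len(line.lstrip())


def dn(dump, field):
    """Issuer or Subject as a tuple of RDN strings, joining wrapped lines.
    Plain string comparison is a simplification of RFC 5280 name matching."""
    lines = dump.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith(field + ":"):
            parts = [line.split(":", 1)[1]]
            for cont in lines[i + 1:]:
                if not re.match(r"\s+[A-Za-z]+=", cont):
                    break  # next field reached
                parts.append(cont)
            joined = " ".join(p.strip() for p in parts)
            return tuple(r.strip() for r in joined.split(",") if r.strip())
    return ()


def ext(dump, name):
    """Value lines printed under 'X509v3 <name>:' as one string ('' if absent)."""
    lines = dump.splitlines()
    header = r"\s*X509v3 " + re.escape(name) + r":( critical)?\s*"
    for i, line in enumerate(lines):
        if re.fullmatch(header, line):
            values = []
            for nxt in lines[i + 1:]:
                if not nxt.strip():
                    continue  # the dumps contain stray blank lines
                if indent(nxt) <= indent(line):
                    break
                values.append(nxt.strip())
            return " ".join(values)
    return ""


def key_id(value):
    """First token of an SKI/AKI value, without a leading 'keyid:' label."""
    tokens = value.split()
    return re.sub(r"^keyid:", "", tokens[0]).upper() if tokens else ""


def check_link(issuer_dump, subject_dump):
    """Reasons why issuer_dump cannot be accepted as issuer of subject_dump."""
    problems = []
    if dn(subject_dump, "Issuer") != dn(issuer_dump, "Subject"):
        problems.append("Issuer name does not match the CA's Subject name")
    ski = key_id(ext(issuer_dump, "Subject Key Identifier"))
    aki = key_id(ext(subject_dump, "Authority Key Identifier"))
    if ski and aki and ski != aki:
        problems.append("Authority Key Identifier does not match the CA's "
                        "Subject Key Identifier")
    if "CA:TRUE" not in ext(issuer_dump, "Basic Constraints"):
        problems.append('"cA" is not set in the issuer\'s Basic Constraints')
    usage = ext(issuer_dump, "Key Usage")
    # RFC 5280: when Key Usage is present on the issuer, keyCertSign must be set.
    if usage and "Certificate Sign" not in usage:
        problems.append('"keyCertSign" is not set in the issuer\'s Key Usage')
    return problems


if __name__ == "__main__":
    print("CA -> Robert:", check_link(CA_DUMP, ROBERT_DUMP) or "ok")
    print("Robert used as an issuer:")
    for reason in check_link(ROBERT_DUMP, CA_DUMP):
        print("  -", reason)
```

   A certificate that fails any of these checks cannot serve as an
   intermediate in the chain; a full validator additionally verifies each
   signature and the validity periods.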

   Certificate for CA for example.net in PEM format:


   Private key for CA for example.net:

   Certificate for example.net

   Robert's certificate:

   Private key for example.net

   Robert's private key:

Appendix C.  Message Dumps

   OPEN ISSUE: All of this binary bit-exact stuff needs to be verified
   by other than myself.  I'm looking into ways to make this easier for
   someone else to review and verify.  Any code I make available will be
   OpenSSL-centric. -BCH

   This section contains a base64-encoded, gzip-compressed tar file of
   various CMS messages used in this document.  Saving the data in a
   file foo.tgz.b64 and then running a command like "openssl base64 -d
   -in foo.tgz.b64 | tar xfz -" would recover the CMS messages and allow
   them to be used as test vectors.
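
   An added example, not part of the draft: one way to run the recovery
   step above when the base64 text was copied from a rendering of the
   document you do not fully trust. It strips the draft's indentation,
   verifies the gzip stream, and refuses archive members with absolute
   or parent-directory paths before extracting into a scratch directory.
   The function names and file names are placeholders chosen for this
   example.

```shell
#!/bin/sh
# Added example (not from the draft): defensive version of
#   openssl base64 -d -in foo.tgz.b64 | tar xfz -
# Usage (file names are placeholders): unpack_vectors foo.tgz.b64 ./vectors

# Decode base64 from stdin to stdout. openssl is what the draft uses;
# coreutils base64 is an assumed fallback for hosts without openssl.
b64_decode() {
    if command -v openssl >/dev/null 2>&1; then
        openssl base64 -d
    else
        base64 -d
    fi
}

# unpack_vectors <archive.b64> <dest-dir>
# Returns 0 on success,
#         1 if the text does not decode to a valid gzip stream,
#         2 if any archive member has an unsafe path (nothing is extracted).
unpack_vectors() {
    b64=$1
    dest=$2
    tgz=$(mktemp) || return 1

    # Text copied out of the draft keeps its three-space indent and may
    # carry CRs; drop that whitespace before decoding.
    if ! tr -d ' \t\r' < "$b64" | b64_decode > "$tgz" \
        || ! gzip -t "$tgz" 2>/dev/null; then
        # Some decoders exit 0 on bad input and just emit nothing, so the
        # gzip integrity test is the real gate here.
        rm -f "$tgz"
        return 1
    fi

    # List member names before extracting anything. Reject absolute paths
    # and any ".." path component. This checks names only; it does not
    # inspect link targets.
    if tar tzf "$tgz" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        rm -f "$tgz"
        return 2
    fi

    # Extract into a dedicated directory rather than the current one.
    mkdir -p "$dest" && tar xzf "$tgz" -C "$dest"
    rc=$?
    rm -f "$tgz"
    return $rc
}
```

   Extracting into an empty directory also makes it easy to diff the
   recovered CMS files against a second, independently obtained copy.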

Authors' Addresses

   Cullen Jennings
   Cisco Systems
   170 West Tasman Drive
   Mailstop SJC-21/2
   San Jose, CA  95134
   USA

   Phone: +1 408 421 9990
   Email: fluffy@cisco.com

   Kumiko Ono
   Columbia University

   Email: kumiko@cs.columbia.edu

   Robert Sparks
   Tekelec
   17210 Campbell Road
   Suite 250
   Dallas, TX  75252
   USA

   Email: rjsparks@estacado.net

   Brian Hibbard (editor)
   Tekelec
   17210 Campbell Road
   Suite 250
   Dallas, TX  75252
   USA

   Email: brian@estacado.net