S/MIME Example Keys and Certificates
draft-ietf-lamps-samples-02

The information below is for an old version of the document
Document Type Active Internet-Draft (lamps WG)
Author Daniel Gillmor 
Last updated 2021-05-12
Replaces draft-dkg-lamps-samples
Stream Internet Engineering Task Force (IETF)
Formats plain text html xml pdf htmlized bibtex
Stream WG state WG Document
Document shepherd No shepherd assigned
IESG IESG state I-D Exists
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to (None)
lamps                                                  D.K. Gillmor, Ed.
Internet-Draft                                                      ACLU
Intended status: Informational                               12 May 2021
Expires: 13 November 2021

                  S/MIME Example Keys and Certificates
                      draft-ietf-lamps-samples-02

Abstract

   The S/MIME development community benefits from sharing samples of
   signed or encrypted data.  This document facilitates such
   collaboration by defining a small set of X.509v3 certificates and
   keys for use when generating such samples.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 13 November 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Gillmor                 Expires 13 November 2021                [Page 1]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   4
     1.3.  Prior Work  . . . . . . . . . . . . . . . . . . . . . . .   4
   2.  Background  . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Certificate Usage . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Certificate Expiration  . . . . . . . . . . . . . . . . .   5
     2.3.  Certificate Revocation  . . . . . . . . . . . . . . . . .   5
     2.4.  Using the CA in Test Suites . . . . . . . . . . . . . . .   5
     2.5.  Certificate Chains  . . . . . . . . . . . . . . . . . . .   5
     2.6.  Passwords . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.7.  Secret key origins  . . . . . . . . . . . . . . . . . . .   6
   3.  Example RSA Certificate Authority . . . . . . . . . . . . . .   7
     3.1.  RSA Certificate Authority Root Certificate  . . . . . . .   7
     3.2.  RSA Certificate Authority Secret Key  . . . . . . . . . .   7
     3.3.  RSA Certificate Authority Cross-signed Certificate  . . .   8
   4.  Alice's Sample Certificates . . . . . . . . . . . . . . . . .   9
     4.1.  Alice's Signature Verification End-Entity Certificate . .   9
     4.2.  Alice's Signing Private Key Material  . . . . . . . . . .  10
     4.3.  Alice's Encryption End-Entity Certificate . . . . . . . .  11
     4.4.  Alice's Decryption Private Key Material . . . . . . . . .  12
     4.5.  PKCS12 Object for Alice . . . . . . . . . . . . . . . . .  13
   5.  Bob's Sample  . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.1.  Bob's Signature Verification End-Entity Certificate . . .  16
     5.2.  Bob's Signing Private Key Material  . . . . . . . . . . .  17
     5.3.  Bob's Encryption End-Entity Certificate . . . . . . . . .  18
     5.4.  Bob's Decryption Private Key Material . . . . . . . . . .  19
     5.5.  PKCS12 Object for Bob . . . . . . . . . . . . . . . . . .  20
   6.  Example Ed25519 Certificate Authority . . . . . . . . . . . .  23
     6.1.  Ed25519 Certificate Authority Root Certificate  . . . . .  23
     6.2.  Ed25519 Certificate Authority Secret Key  . . . . . . . .  24
     6.3.  Ed25519 Certificate Authority Cross-signed Certificate  .  24
   7.  Carlos's Sample Certificates  . . . . . . . . . . . . . . . .  25
     7.1.  Carlos's Signature Verification End-Entity Certificate  .  25
     7.2.  Carlos's Signing Private Key Material . . . . . . . . . .  25
     7.3.  Carlos's Encryption End-Entity Certificate  . . . . . . .  25
     7.4.  Carlos's Decryption Private Key Material  . . . . . . . .  26
     7.5.  PKCS12 Object for Carlos  . . . . . . . . . . . . . . . .  26
   8.  Dana's Sample Certificates  . . . . . . . . . . . . . . . . .  27
     8.1.  Dana's Signature Verification End-Entity Certificate  . .  27
     8.2.  Dana's Signing Private Key Material . . . . . . . . . . .  28
     8.3.  Dana's Encryption End-Entity Certificate  . . . . . . . .  28
     8.4.  Dana's Decryption Private Key Material  . . . . . . . . .  28
     8.5.  PKCS12 Object for Dana  . . . . . . . . . . . . . . . . .  29
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  30
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  30

Gillmor                 Expires 13 November 2021                [Page 2]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   11. Document Considerations . . . . . . . . . . . . . . . . . . .  30
     11.1.  Document History . . . . . . . . . . . . . . . . . . . .  30
       11.1.1.  Substantive Changes from draft-ietf-*-01 to
               draft-ietf-*-02 . . . . . . . . . . . . . . . . . . .  30
       11.1.2.  Substantive Changes from draft-ietf-*-00 to
               draft-ietf-*-01 . . . . . . . . . . . . . . . . . . .  31
       11.1.3.  Substantive Changes from draft-dkg-*-05 to
               draft-ietf-*-00 . . . . . . . . . . . . . . . . . . .  31
       11.1.4.  Substantive Changes from draft-dkg-*-04 to
               draft-dkg-*-05  . . . . . . . . . . . . . . . . . . .  31
       11.1.5.  Substantive Changes from draft-dkg-*-03 to
               draft-dkg-*-04  . . . . . . . . . . . . . . . . . . .  31
       11.1.6.  Substantive Changes from draft-dkg-*-02 to
               draft-dkg-*-03  . . . . . . . . . . . . . . . . . . .  31
       11.1.7.  Substantive Changes from draft-dkg-*-01 to
               draft-dkg-*-02  . . . . . . . . . . . . . . . . . . .  31
       11.1.8.  Substantive Changes from draft-dkg-*-00 to
               draft-dkg-*-01  . . . . . . . . . . . . . . . . . . .  31
   12. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  31
   13. References  . . . . . . . . . . . . . . . . . . . . . . . . .  32
     13.1.  Normative References . . . . . . . . . . . . . . . . . .  32
     13.2.  Informative References . . . . . . . . . . . . . . . . .  33
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  33

1.  Introduction

   The S/MIME ([RFC8551]) development community, in particular the
   e-mail development community, benefits from sharing samples of signed
   and/or encrypted data.  Often the exact key material used does not
   matter because the properties being tested pertain to implementation
   correctness, completeness or interoperability of the overall system.
   However, without access to the relevant secret key material, a sample
   is useless.

   This document defines a small set of X.509v3 certificates ([RFC5280])
   and secret keys for use when generating or operating on such samples.

   An example RSA certificate authority is supplied, and sample RSA
   certificates are provided for two "personas", Alice and Bob.

   Additionally, an Ed25519 ([RFC8032]) certificate authority is
   supplied, along with sample Ed25519 certificates for two more
   "personas", Carlos and Dana.

   This document focuses narrowly on functional, well-formed identity
   and key material.  It is a starting point that other documents can
   use to develop sample signed or encrypted messages, test vectors, or
   other artifacts for improved interoperability.

Gillmor                 Expires 13 November 2021                [Page 3]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   *  "Certificate Authority" (or "CA") is a party capable of issuing
      X.509 certificates

   *  "End-Entity" is a party that is capable of using X.509
      certificates (and their corresponding secret key material)

   *  "Mail User Agent" (or "MUA") is a program that generates or
      handles [RFC5322] e-mail messages.

1.3.  Prior Work

   [RFC4134] contains some sample certificates, as well as messages of
   various S/MIME formats.  That older work has unacceptably old
   algorithm choices that may introduce failures when testing modern
   systems: in 2019, some tools explicitly mark 1024-bit RSA and
   1024-bit DSS as weak.

   This earlier document also does not use the now widely-accepted PEM
   encoding for the objects, and instead embeds runnable perl code to
   extract them from the document.

   It also includes examples of messages and other structures which are
   greater in ambition than this document intends to be.

   [RFC8410] includes an example X25519 certificate that is certified
   with Ed25519, but it appears to be self-issued, and it is not
   directly useful in testing an S/MIME-capable MUA.

2.  Background

2.1.  Certificate Usage

   These X.509 certificates ([RFC5280]) are designed for use with S/MIME
   protections ([RFC8551]) for e-mail ([RFC5322]).

   In particular, they should be usable with signed and encrypted
   messages.

Gillmor                 Expires 13 November 2021                [Page 4]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

2.2.  Certificate Expiration

   The certificates included in this draft expire in 2052.  This should
   be sufficiently far in the future that they will be useful for a few
   decades.  However, when testing tools in the far future (or when
   playing with clock skew scenarios), care should be taken to consider
   the certificate validity window.

   Due to this lengthy expiration window, these certificates will not be
   particularly useful to test or evaluate the interaction between
   certificate expiration and protected messages.

2.3.  Certificate Revocation

   Because these are expected to be used in test suites or examples, and
   we do not expect there to be online network services in these use
   cases, we do not expect these certificates to produce any revocation
   artifacts.

   As a result, there are no OCSP or CRL indicators in any of the
   certificates.

2.4.  Using the CA in Test Suites

   To use these end-entity certificates in a piece of software (for
   example, in a test suite or an interoperability matrix), most tools
   will need to accept either the Example RSA CA (Section 3) or the
   Example Ed25519 CA (Section 6) as a legitimate root authority.

   Note that some tooling behaves differently for certificates validated
   by "locally-installed root CAs" than for pre-installed "system-level"
   root CAs).  For example, many common implementations of HPKP
   ([RFC7469]) only applied the designed protections when dealing with a
   certificate issued by a pre-installed "system-level" root CA, and
   were disabled when dealing with a certificate issued by a "locally-
   installed root CA".

   To test some tooling specifically, it may be necessary to install the
   root CA as a "system-level" root CA.

2.5.  Certificate Chains

   In most real-world examples, X.509 certificates are deployed with a
   chain of more than one X.509 certificate.  In particular, there is
   typically a long-lived root CA that users' software knows about upon
   installation, and the end-entity certificate is issued by an
   intermediate CA, which is in turn issued by the root CA.

Gillmor                 Expires 13 November 2021                [Page 5]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   The example end-entity certificates in this document can be used with
   either a simple two-link certificate chain (they are directly
   certified by their corresponding root CA), or in a three-link chain.

   For example, Alice's encryption certificate (Section 4.3,
   "alice.encrypt.crt") can be validated by a peer that directly trusts
   the Example RSA CA's root cert (Section 3.1, "ca.crt"):

   ╔════════╗  ┌───────────────────┐
   ║ ca.crt ╟─→│ alice.encrypt.crt │
   ╚════════╝  └───────────────────┘

   And it can also be validated by a peer that only directly trusts the
   Example Ed25519 CA's root cert (Section 6.1, "ca.25519.crt"), via an
   intermediate cross-signed CA cert (Section 3.3, "ca.cross.crt"):

   ╔══════════════╗  ┌──────────────┐  ┌───────────────────┐
   ║ ca.25519.crt ╟─→│ ca.cross.crt ├─→│ alice.encrypt.crt │
   ╚══════════════╝  └──────────────┘  └───────────────────┘

   By omitting the cross-signed CA certs, it should be possible to test
   a "transvalid" certificate (an end-entity certificate that is
   supplied without its intermediate certificate) in some
   configurations.

2.6.  Passwords

   Each secret key presented in this draft is unprotected (it has no
   password).

   As such, the secret key objects are not suitable for verifying
   interoperable password protection schemes.

   However, the PKCS#12 [RFC7292] objects do have simple textual
   passwords, because tooling for dealing with passwordless PKCS#12
   objects is underdeveloped at the time of this draft.

2.7.  Secret key origins

   The secret RSA keys in this document are all deterministically
   derived using provable prime generation as found in [FIPS186-4],
   based on known seeds derived via [SHA256] from simple strings.  The
   secret Ed25519 and X25519 keys in this document are all derived by
   hashing a simple string.  The seeds and their derivation are included
   in the document for informational purposes, and to allow re-creation
   of the objects from appropriate tooling.

Gillmor                 Expires 13 November 2021                [Page 6]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   All RSA seeds used are 224 bits long (the first 224 bits of the
   SHA-256 digest of the origin string), and are represented in
   hexadecimal.

3.  Example RSA Certificate Authority

   The example RSA Certificate Authority has the following information:

   *  Name: "Sample LAMPS Certificate Authority"

3.1.  RSA Certificate Authority Root Certificate

   This cerificate is used to verify certificates issued by the example
   RSA Certificate Authority.

   -----BEGIN CERTIFICATE-----
   MIIDKzCCAhOgAwIBAgITD5FARp09T2LXr/FPQiI+8ZsGAjANBgkqhkiG9w0BAQ0F
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAtMSswKQYDVQQDEyJT
   YW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B
   AQEFAAOCAQ8AMIIBCgKCAQEAnFB71AsptFyqxG4qPtbt2VLJVctHyNXtlIUWve4q
   PSo/+Oi9s3sf+t7krrosxlv626L+Wm05t99ZVKWKn7y2uYyO7/IToRpTwHN1sXga
   Uz/u2gjPfS69R20ZNSKL9EiB78hgCr1UvY5elQoW2Y4zqQGR729pQYI5obT15V8n
   wdyHCTvecvvvMGBiaAk66VlMQCZLG+nVU8wYVCl6fE37Z1qAs12XlUJr3DGgVKGf
   ZpMz55xiV8q11Aobhmx4aPPyE4GWshDDt4DbtYJMGLEeik1AmNHBsmyaQCLBxVE3
   3ZW1UrhK5Pb9qSL4gizDZ7ZaGZNudwjJu20HHVIGQT7nDwIDAQABo0IwQDAPBgNV
   HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUeF8OWnjYa+RU
   cD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAC6D3qI26uy9yKEqxoBLkNLQ
   lpRTKzBn/78v4ejj5HyyNwxkMe2nSRUuLEo65537NwAa9XuOaSRDKRl+SH8ArvGd
   C2XhEfKm2GwW1eyV2ZLFzwWinZMKce3NgraQWYxFndI12ewbUUQr5R4b4AO69lSE
   iOJ2bTWJGHpuCrLKfx98pnarJxFp6hOS6V3wxny5ksQ5NGfqNWnovZRSSvGfyu7H
   HKLp7T1dNHmF1n4bJtnx7/6yks+Eu8jQp9vhhEXdeAq3ZAPJGahY8AIndg01ZGNG
   vAIzxiHzjEWWcjbwtIkINZAPZHgq1u1cjhy7mDfq9GfCoE4/6q55N6Etbuesh5c=
   -----END CERTIFICATE-----

3.2.  RSA Certificate Authority Secret Key

   This secret key material is used by the example Certificate Authority
   to issue new certificates.

Gillmor                 Expires 13 November 2021                [Page 7]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MIIE/AIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCcUHvUCym0XKrE
   bio+1u3ZUslVy0fI1e2UhRa97io9Kj/46L2zex/63uSuuizGW/rbov5abTm331lU
   pYqfvLa5jI7v8hOhGlPAc3WxeBpTP+7aCM99Lr1HbRk1Iov0SIHvyGAKvVS9jl6V
   ChbZjjOpAZHvb2lBgjmhtPXlXyfB3IcJO95y++8wYGJoCTrpWUxAJksb6dVTzBhU
   KXp8TftnWoCzXZeVQmvcMaBUoZ9mkzPnnGJXyrXUChuGbHho8/ITgZayEMO3gNu1
   gkwYsR6KTUCY0cGybJpAIsHFUTfdlbVSuErk9v2pIviCLMNntloZk253CMm7bQcd
   UgZBPucPAgMBAAECggEAJ56StD0cFfYC5oTRulm5sYK1O0Sp7jKi5CkTiZJrLFOg
   IVPEeVB0255RMiRIIwK/Q5o9g+f5YCyBNN48k54+ZitFM3YVGZlVrwrUwuWhLoae
   4K6pAJ6vJQJ3CCu4c3NJU+Biz3YLm3wRZw9GmV/cojKeraR8djkuqFj4lmmW5yC7
   mj8XLnl1snOAEZEHhi/10zibru5GoCjwFrmJT8qbmYX89gbua24wcVlmqImzV48z
   lQJ0nJDJ8VPNjwvyX27DjefBw2FgUiT8J/iEmS7BZ+1laF/UyEsxqsZ4odJIVfPT
   /JbGl+VkAoM1R2Qrv6ZFisDVfGZkIpWtSaBlknh+CQKBgQC82Y7gYnG3wiotvTKC
   L5BWMWoknCM4LTM5AqYSZjfpnMsOEfOgzpyABUyK+3zKrzoqxokVfuvHlj2Hzw8Y
   EUQ2gqJdU5iObl3dH0C7K5J/9Kua12VEcv5NFiBs5paMXTub6SdG0CyeUUfDW133
   UfdW0rgCuPvPpya7lQa4k2T8XQKBgQDT5VHzRJMXRKTaI6nHw5RI2F88b89nvkib
   BRvnDm2N7bxVfLiKSf2hQUhdLppIm0J8it/ksjJ/zQ197UA6DfilAjQB+mKi/fB8
   h7pmElFElhy71/93T/uv2CA1RaIGSWhTMu+7Z9+/5cb1zRsorgrB2s0tTpDkDnuX
   A1wRbBraWwKBgQCyNUsSi1NsaJmM2AEVwPSfobncGktR87Vmkw1MR5FzrjYfbOlO
   Uip01ItKi89TJM/rFba+xiqRCUG/KrG/sGuCVPwKvZw0rAl/ZMKc3Z09ihF16NTz
   JuC6taqbmW1vv3tEwVwDAudX7rOdslaV0I9rKyXhy9Y0OjPex96zxsOBMQKBgQCt
   Wj7hNojf0FjN3b9YnrkBn4LKfu6/gP0FVfit3y/hnU0m4xJWkJHfCvmYwjeWju6l
   1Te2cdK+m5MeIqsY07VHybWiqKVpkzbbqm7kcrfp1KVNSDjH87eE9NvkuUMEwamH
   53QZbbGv3NwY2+QMM9a5IbgaCNygtviFY0o/NqIBYQKBgQCyki2Y/sKDolNBbjwf
   nFMsdYb+nRmbJMSvLHbJSVhypB6aX3qjHhBlPrTW6WT5KIjumCtSadsDceUtr9tT
   2ofP0ZOXP9IDIF2v1X3165LPsieGZv4VzhLivJrfMYfI4p4GkiK44RSUWcxrBAmq
   9SGCNQ8nx1AsXLZn57U52Oji8KA7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME
   AgIEHPBUYbjdNRelyUPep86pkRfIdEPM9N+yPctTfB0=
   -----END PRIVATE KEY-----

   This secret key was generated using provable prime generation found
   in [FIPS186-4] using the seed
   "f05461b8dd3517a5c943dea7cea99117c87443ccf4dfb23dcb537c1d".  This
   seed is the first 224 bits of the [SHA256] digest of the string
   "draft-lamps-sample-certs-keygen.ca.seed".

3.3.  RSA Certificate Authority Cross-signed Certificate

   If an e-mail client only trusts the Ed25519 Certificate Authority
   Root Certificate found in Section 6.1, they can use this intermediate
   CA certificate to verify any end entity certificate issued by the
   example RSA Certificate Authority.

Gillmor                 Expires 13 November 2021                [Page 8]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIICgjCCAjSgAwIBAgITB2Y8zXRHikdU9jKPM22+7kcZXTAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIwOTI3MDY1NDE4WjAtMSswKQYDVQQDEyJT
   YW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0B
   AQEFAAOCAQ8AMIIBCgKCAQEAnFB71AsptFyqxG4qPtbt2VLJVctHyNXtlIUWve4q
   PSo/+Oi9s3sf+t7krrosxlv626L+Wm05t99ZVKWKn7y2uYyO7/IToRpTwHN1sXga
   Uz/u2gjPfS69R20ZNSKL9EiB78hgCr1UvY5elQoW2Y4zqQGR729pQYI5obT15V8n
   wdyHCTvecvvvMGBiaAk66VlMQCZLG+nVU8wYVCl6fE37Z1qAs12XlUJr3DGgVKGf
   ZpMz55xiV8q11Aobhmx4aPPyE4GWshDDt4DbtYJMGLEeik1AmNHBsmyaQCLBxVE3
   3ZW1UrhK5Pb9qSL4gizDZ7ZaGZNudwjJu20HHVIGQT7nDwIDAQABo2MwYTAPBgNV
   HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUeF8OWnjYa+RU
   cD2z3ez38fL6wEcwHwYDVR0jBBgwFoAUa6KVfboUm+QtBNEHpNGC5C5rjLUwBQYD
   K2VwA0EA+Zb/X/6jcMIBDyy3UbV+8JMfYgSZRNyyyaW8Oz1dqQGtWsW2Rl0FZfw5
   fUMzFTd/jLQdU/g3LCtyIhuTHPSdAQ==
   -----END CERTIFICATE-----

4.  Alice's Sample Certificates

   Alice has the following information:

   *  Name: "Alice Lovelace"

   *  E-mail Address: "alice@smime.example"

4.1.  Alice's Signature Verification End-Entity Certificate

   This certificate is used for verification of signatures made by
   Alice.

Gillmor                 Expires 13 November 2021                [Page 9]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIDbDCCAlSgAwIBAgITITV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0F
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B
   bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALT0
   iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOwI2juwdRrjFBSXkk7
   pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A/3rB
   X7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQV
   tkWQHi6syTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/
   2NKRu0BXnDe/N+iDz3X0zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVC
   CpDtc0NT6vdJ45bCSzsCAwEAAaOBljCBkzAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX
   MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYD
   VR0PAQH/BAQDAgbAMB0GA1UdDgQWBBS79syyLR0GEhyXrilqkBDTIGZmczAfBgNV
   HSMEGDAWgBR4Xw5aeNhr5FRwPbPd7Pfx8vrARzANBgkqhkiG9w0BAQ0FAAOCAQEA
   ee6To0QC32Z7njIGt8b6AI/YY2PzmhKakIwc7V/9zCuXwcvYGEDWtmAGXEUKkvHL
   1p0DtQqD3YQ8n1/PjwW3hsVB5Az65E3gFTvRbKXmI8Z4UAYWMJBmuxX3oUd0kZAW
   WRkeQBe3LBATG0/I4tHkpH6WF/lVRf5jw6xwsXFL27xjQ3T1Jqo1GV+Mekzcc7Z4
   y+7/8y4+BxZ0AG8H8UcgLj9CFicysCV/fTUHpY4yh0VXBhH9WUw16XGJUfxpx6ZV
   TszxfaNpxbfeM5GVrgF42n0ztJB9D/6nJO8flXEP62JBO1xD1oziJDnPuMDwE2pK
   KFlEI+TjQEUy5DKiSWjd1w==
   -----END CERTIFICATE-----

4.2.  Alice's Signing Private Key Material

   This private key material is used by Alice to create signatures.

Gillmor                 Expires 13 November 2021               [Page 10]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MIIE+gIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC09InoWDgWPk2a
   f0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHUa4xQUl5JO6VqY18LANwO
   Rjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz/evPgP96wV+z4TtAwW2Z
   34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3SryCqeHEFbZFkB4urMk4
   xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQsaqpo1d3f9jSkbtAV5w3
   vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgEykRiVokFQgqQ7XNDU+r3
   SeOWwks7AgMBAAECggEAFKD2DG9A1u77q3u3p2WDH3zueTtiqgaT8u8XO+jhOI/+
   HzoX9eo8DIJ/b/G3brwHyfh17JFvLH1zbgsn5bghJTz3r+JcZZ5l3srqMV8t8zjI
   JEHOKC3szH8gYVKWrIgBAqOt1H9Ti8J2oKk2aymqBFr3ZXpBUCTWpEz2s3FMBUUI
   qCEsAJqsdEch+kt43X5kvAom7LC1DHiE6RKfhMEub/LGNHSwY4dmzhaG6p95FJ1h
   s8HoURI2ReVpsTadaKd3KoYNc1lcffmwdZs/hFs7xmmwXKMmlonh1mzHqD1/BqeJ
   Hc8MP4ueDdyVgIe/uVtlQ9NcRQbuokkDyDYMYV6hzQKBgQD75ahYGFGZznRKtSE3
   w/2rUqTYIWxx2PQz5G58PcsTZM89Hj4aZOoLmudHbrTQHluRNcHoXEI62rs0cVPs
   D7IlZOLfs+SSTeNEXxD57mjyyufpV65OcNc1mSJAmMX2jWQ8ndnOuWPcc5J6fNvT
   au0a7ZBOaeKHnA8XXL3GYilM9QKBgQC35xKi7f2JmGtsYY21tfRuDUm6EjhMW6b7
   GWnI9IXF8TGj15s7oDEYvqSPTJdB6PAb/tZwdbj9mB4qj176x1kB/N7GO974O8UP
   /PdHkU7duyf5nRq1mrI+yGFHVsGD313rc+akYdKcC207e6IRMST1ZFoznC6qNgpi
   nNTuDz4ZbwKBgA5Dd9/dKKm77gvY69Objn6oBFuUsO5VaaaSlcsFOL2VZMLCNqQJ
   +NLFZ7k8xJJQVcEIOT2uE7X/csBKdoUUcnL5nnsqVZQPQwI5G937KQgugylMZLte
   WmFXlX/w5qzKXtWr3ox9JPFzveSfs1bqZBi1QQmfp0skhBo/jyNvpYUNAoGAMNkw
   GhcdQW87GY7QFXQ/ePwOmV49lgrCT/BwKPDKl8l5ZgvfL/ddEzWQgH/XraoyHT2T
   uEuM18+QM73hfLt26RBCHGXK1CUMMzL+fAQc7sjH1YXlkleFASg4rrpcrKqoR+KB
   YSiayNhAK4yrf+WN66C8VPknbA7us0L1TEbAOAECgYEAtwRiiQwk3BlqENFypyc8
   0Q1pxp3U7ciHi8mni0kNcTqe57Y/2o8nY9ISnt1GffMs79YQfRXTRdEm2St6oChI
   9Cv5j74LHZXkgEVFfO2Nq/uwSzTZkePk+HoPJo4WtAdokZgRAyyHl0gEae8Rl89e
   yBX7dutONALjRZFTrg18CuegOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC
   BBySyJ1DMNPY4x1P3pudD+bp/BQhQd1lpF5bQ28F
   -----END PRIVATE KEY-----

   This secret key was generated using provable prime generation found
   in [FIPS186-4] using the seed
   "92c89d4330d3d8e31d4fde9b9d0fe6e9fc142141dd65a45e5b436f05".  This
   seed is the first 224 bits of the [SHA256] digest of the string
   "draft-lamps-sample-certs-keygen.alice.sign.seed".

4.3.  Alice's Encryption End-Entity Certificate

   This certificate is used to encrypt messages to Alice.

Gillmor                 Expires 13 November 2021               [Page 11]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIDbDCCAlSgAwIBAgITXr7MRJB7qx35ms1tFWj7th3y5jANBgkqhkiG9w0BAQ0F
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5B
   bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqV
   KfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfID
   lB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdS
   NRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1
   ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv
   9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIB
   aVv4wPxAf1iPsIVKarUCAwEAAaOBljCBkzAMBgNVHRMBAf8EAjAAMB4GA1UdEQQX
   MBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYD
   VR0PAQH/BAQDAgUgMB0GA1UdDgQWBBSiU0HVRDyAKRV8ASPw546vzfN3DzAfBgNV
   HSMEGDAWgBR4Xw5aeNhr5FRwPbPd7Pfx8vrARzANBgkqhkiG9w0BAQ0FAAOCAQEA
   kxjgvL3tIH8ZIeI9rLd16aftGuo3uKRl2aU6Hek7vFfwJESn6oNTPrJUQYigoYVS
   Sm/9yvGXmNEON21j83IgbeUfZgcIpgcXkwwfVsrhxnj0bcXLnuAOzvlzZfDgz/YO
   uRSa2m9oaQg1um7CLDWiE/Zqe6XzLD6JKhHzYHYILajnFgoKBkL57GFVJlXFkgJc
   bW2880QchGj6XDdXcJzYiBuQD+pGz+t2phgW6E/8vTUvATZ1s1SC4UN19AyqJyAl
   RQWGJpJdsHN8bBiRenio1NajPMbFnCjz1pf5bNoF10yWJkFcG6A+EWjAMlWgl/tu
   QapHLcsaIPscn6mnqbFNyA==
   -----END CERTIFICATE-----

4.4.  Alice's Decryption Private Key Material

   This private key material is used by Alice to decrypt messages.

Gillmor                 Expires 13 November 2021               [Page 12]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MIIE+gIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCalSn6i8Gi44/o
   AVAn5GnCk4PHHNjrSfWUnnelN41KImVaTC3D9zFCrS3i4Pa9ZgHyA5Qf8JW3ZmnV
   z5q7M8onZm7mZjqQeb6FUH4i2GMt4jse2Dqs165ernT9O5NLFflHUjURca3ynqEB
   BV4DmhnZp8eDhv3t6dXyCjNHT82S6DgCReZuTtMc1zy++MxQlqdn9WZLhOAOpeNZ
   KGmVwjeVy+8FkyzC3jX/Qcm+ZLCqlLqhBwDHdZ5qDTII2PVX1X3K7/cONxhvBbaU
   l/k1swdszUtjhflyFZ80RuQ3qFC6vL/PGeWy6SCf58duq/AOEksCAWlb+MD8QH9Y
   j7CFSmq1AgMBAAECggEADgxoWEDDRE5yEZ+s7TMw+WH2o+3XOOrryqnsLbOyv34I
   wAAUWK7qZyjd9rSDOAtBOgFhQNXYhWZlT+0iHslCIfqJMZ8wy1iFHBCIphoMSWs5
   /D+idXrUef5Y23rClBxXH0g1UnSGXnpUH4ehV6p1lvZMh4OJKEoMC4cpyd1SzXrw
   +VGCc1+pXv/tTW3Rb2qoWO9JoWY+Epcssrw5N8OFIFODh4QfbLN6pVTt28aQ4pf/
   1KhLoapjFzXSYp/jrcNjYJ9qRdSAbZsKOJ2yZ0yqjLHDCDipFty+W0pkUZcJhsgu
   Cg1Stt7tKgSvAV/nEjN8e/vA91/AACKBCNcLzEoLgQKBgQC4eTM6BDCzlusXJBK4
   SRC/WwUthJZzfOk2Gmwr0DCTRYhWQSDjBfiQNboazHObVPz45qP10fOt2iPEHeX+
   VWAXTNrN69M9lEzxygA3s76lAejBR3FbLWkzLYqPB3oZwSIE7CrWHTXJipFWZv+X
   FG1R418fnRCUMJ4j85qem5iyqQKBgQDWhQMJu7FC02fr83qsIdLwqhiDtTpwUN3j
   qfp7JoEZOxbm3TgM1xPAkrQTUgfr2ZhXGtUwsuKHyifxQEycrTkBOg0gqAfG0fnv
   ybyXK6/guctHJQiy64lL39kPuvQkKB+YO60B/oF6zbyFvqanoKXjpspObN3i3yBU
   X5/EOu/LLQKBgQCUVwHWeWAgSg+pgBx9jGOnPK4hOCkznRJ7qyuo37Tv+E317lFf
   vYFvlYSd4CJmmiUCkZTvK3FkL7HrFo/HwSeQFQEt7aDkN8jX9bPPFv8K+UoNgkGp
   LA8YVFrDQSPyadfNVYvsuXhzJLZSYGjPOGHgI5JufYLDZ4UDK/T97ekQYQKBgDDM
   ORCxvXTyGiW2USVu3EkaqFDtnMmH27G6LNxuudc/dco2cFWbZ0bbGFN8yYiBCwJl
   fDGDv7wb5FIgykypqtn4lpvjHUHA6hX90gShT3TTTsZ0SjJJGgZEeV/2qyq+ZdF/
   Ya+ecV26BzR1Vfuzs4jBnCuS4DaHgxcuWW2N6pZRAoGAWTovk3xdtE0TZvDerxUY
   l8hX+vwJGy7uZjegi4cFecSkOR4iekVxrEvEGhpNdEB2GqdLgp6Q6GPdalCG2wc4
   7pojp/0inc4RtRRf3nZHaTy00bnSe/0y+t0OUbkRMtXhnViVhCcOt6BUcsHupbu2
   Adub72KLk+gvASDduuatGjqgOzA5BgorBgEEAZIIEggBMSswKQYJYIZIAWUDBAIC
   BBwc90hJ90RfRmxCciUfX5a3f6Bpiz6Ys/Hugge/
   -----END PRIVATE KEY-----

   This secret key was generated using provable prime generation found
   in [FIPS186-4] using the seed
   "1cf74849f7445f466c4272251f5f96b77fa0698b3e98b3f1ee8207bf".  This
   seed is the first 224 bits of the [SHA256] digest of the string
   "draft-lamps-sample-certs-keygen.alice.encrypt.seed".

4.5.  PKCS12 Object for Alice

   This PKCS12 ([RFC7292]) object contains the same information as
   presented in Section 4.1, Section 4.2, Section 4.3, Section 4.4, and
   Section 3.1.

   It is locked with the simple five-letter password "alice".

Gillmor                 Expires 13 November 2021               [Page 13]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PKCS12-----
   MIIXsAIBAzCCF0gGCSqGSIb3DQEHAaCCFzkEghc1MIIXMTCCBC8GCSqGSIb3DQEH
   BqCCBCAwggQcAgEAMIIEFQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIWQKs
   PyUaB9YCAhTCgIID6OG+E29xPAn+g9mtERq3M50uFGqQjP2tx5uyldS+xlSUYk8a
   HCsBfrLFfh2EDZHuGFxwHVwbc5dhOZlJAKyT0jRnZ0jnMEuD01Zxb8V8/LaiBGs7
   j6UGToFIsCSofsLbYWD8rN5wlSt4RzBf3JaiFQ+7CkeTkmC+RQ8eMLN7SxfoToro
   lMEzUHrvVb+0KuD9/6UldmWXzxpzuSFxgQBKPlou88gPqeqFmelBqyWdn1ATkjhB
   /yv1oQNm+Qd/A4fCKL/oQrO4/KvU1zZgsQ6vBWUgUM4CHZRvdfZhMQNJpIJ5lQrR
   Og6/6d2CJqTD6WmsZ3XD0mozIC67VRHm4BZsKjZMa5C9H5J0PgUuN4S5N7fCRE5U
   RKzSHJwFmoAtLbe7qlUT+98iYMdmB3unWwsiUIsrODH2OOMykvjcPvyyjbc2SEGX
   z8iLWdDoxJQz/3hNTDSp7S84G1pd/tOtBD4r9VlCfu1f4yy+ivX4znG0sFK/VEzK
   I6MuP37T2WCHphibX4CAXGjQD7fbIjg+qyF+G8Cyd+L6DgH2/7rbZNa2RSLjGKSh
   j7+lRyafY6E5Ge02H1dhdgL6AYtxRBjuBxsI2qymR5ioJ7zR0TKOcwisTjeTVGMf
   2D35OsbSbJTnE/iOMChj0oxHDWsBbVJ4JMCAVNWEZGUHRdCKQvH38V0nvCdgK/L1
   B/qigxG+Xs4tS7SzO5ayeKQoARPvMif+KKUVsFNVhkZAso+0hEjudwZb52eE8DMq
   goTF1VkTLNA+YhjrIqUyW0726o84yuAi2z2JWO+g4oYQqTmdaWbDhFGNIVmopxIe
   SMLUh9yH+JjjUVImL0pdjSY9Dyhx9hjbITktinfl+QADjd/GmtxCbBTXa6vChDJN
   uv4BiNqL5FL7BAu899dD37ZL2dLpyI5VnC/4t2MjowTlr7DVhJKDicW+4Ax4iyKa
   KS6VICYTlPbJcKn9/q7SBKKYXkNBfCDm/VwYHzJxGashBCAwAg8vXNLx4BBitzr0
   0ySaT7fXb7GwP9NCAfSN1F04BCLfOcs5ZYbRWvjVJP6v9dOdEp3XYRN1Jjnr3ssk
   3viGWyfOGsSNj/w/2dbTqXirOsWu6dn/zXZHNFANjVdfHunySvwMuORnwxipX0Q5
   6XIBGLUeJkPhbgiwgtRwdHzcQ1YhZUTdoiGjfLPWZif2ROqNNsqXH8CHzcxX6nas
   oEpDcCpW4qZ6rH5OAXrZoPxuOdGcRObqvWXq7fN9VKYsKSjgDZGS+Jw9FN2U9FFW
   B1mrABED/pVD1GT6IMRqFTMbnrLgbnwNmHBo231yA/+tu6hwLnTtFk2YZkeinOrt
   6JUS2GQwggQXBgkqhkiG9w0BBwagggQIMIIEBAIBADCCA/0GCSqGSIb3DQEHATAc
   BgoqhkiG9w0BDAEDMA4ECPoEFEHQGB9dAgIU5oCCA9ACIR/7QLUcUI1XjLtVNP9P
   JzjfAjV9GSb/Liw/FRPIZ3b8QujOCQwNqJG9QWf049+am6ZWFH6tzyk4go66d6Lq
   AbsVcRWHAgz8UcxOdLTXOmF2ZJJIstNHsIFDiHlwKWQ4XA+uZQ0gk7Lzvj6sp0nU
   nPaeYXS3nKQUiHSFnKlKdmsn5Iti1k29TEbWfVdOi2xLRecC5tIF5aErds4wREah
   rkBVtWJ72uhcQjFAX0s505h3QSqk04lVl8Z4ktbo7p+YWZZc4t9z7says0XpF5wS
   i7Z/k6OtbZ7pGItUH9PcbNfuIep+uvl+Sxitfmc85BZgj3G+Z3pqDm3YSgosHQBO
   hzllK294R/BLSI4qP2l3dhqxfaJfhdmF17APUCxwirT9yduEwpQnC+ieMVAPJx8a
   2j/Bb/oohiNWwNHVeGmp7+SrGfJBiLpHIFSsGhUacSNSUIMBUPczGboGlIS8+YEw
   BbLau1yRPti0V4aU2Aa41IgLeiogqQ6cF0pQVzVyO8i8ZLRRTLVkuuFxWUTKVMcx
   LLZ0EJx2WSX8cNCExhx/0A6VjbxIQuWZ0eDAwljC2uTiYvYqjVfiUEV8JHpCUQTZ
   NcMvOecNgqRMth7IVAwjm6+iGTz6dTv71Jtm0zE2XbKBQriwjPXXZiLwmtTJjkVn
   tNH6TC05CfZS8m7w16C2d58WYruiR9+QPhXNgnV4ealwk8l1Va9QeM5KUzQVchkW
   5qFLyvDPZG49UbxMMPWfUXdsb+ENU7JIM3739SUz+ubOzOyQCykmjtIyg1Tt4wfZ
   1rWPsgQo7d0zQW+26g8B8aNU25UNYbXikmYi8rmQwqMYng1yTPjGHKrNOurjMwwz
   VQOJIduThstQcjBMorHprA6O+IIOPvCJCIOAiHbktGEbrOaZutYLMZcfMUgZT26e
   1t3BFPVS4OQnEvM8yIrryvCXQu2g1ef4RPsKDQLblXyeCo1bSrXA8fwB0Td3+xYL
   V3O8h1wJUp2ZllpZQU980ACbn7tmQLrP16XpLSpi/7S6rTYWUfNV84iItJJ9bCab
   18iUlUXqprCka2jbCLExCdjYzhE3nWeREGB6AtVj09psL8LqhlwojbfnzmJzV5wz
   +KiBONT4pSjI7XwTBee8q5rKa8+sTr6rVWoIHJ/5a6uILZEJm46ERIzvRM+A1jKm
   6ZybUxEkHDGR91y8JCEex7fUHzUa75liVQygu24wk/4Ssi4DbwqXCmEA6XsBQ0St
   FiTfMkIuRJeZ4Z50ZcmM9bwMsCw6gO6+GYqZJ0pu8woN97gBe4qxygj2CehenxNS
   MIIDrwYJKoZIhvcNAQcGoIIDoDCCA5wCAQAwggOVBgkqhkiG9w0BBwEwHAYKKoZI
   hvcNAQwBAzAOBAidIqBxZFwvagICFCKAggNor23OUC45pysZrDfScxyAOWuCHXIH

Gillmor                 Expires 13 November 2021               [Page 14]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   tDG0yFq18osxZH35us0vb72zhU1Bx9hqQaNq3s8EHnbQpQvJiqUQK0OnOyGKcmFw
   9jXnAH25Qb4oJqzVp3wliuZXZ7Tp+wmQu0Zab+/i1zKK2lisE55IEzlT0U2ofIVP
   DSXjCS8SqZg4pYNXpV3onsBgJUE0lPIpridcEOK6kz9G/eAidQ25/gA3tQvb+dHS
   lrtnHMGwIbYYvwBw7sVHPorbjWN2RR44urD26bdqiA/5CmkT/S1qkwqIoJ44yz4N
   fsrPGK0TQSqgDw0HaN6USBck5f86LapWY/tHCPYrTGb525L7BDGotjzzdVU67a5K
   AgBFYvyr617md+6kQkhRC25xXkI1SQtLkgfZ7NgSDrctil00740bxqV3En4zUQJR
   h2WGLuKmknmdeVCDDVlHR1DWXZBpn3pNOMGTh7hFJiw/vpgyYLfWlFakk0iN6U+7
   UIT7WCTMQcMuSPyz1X3ADv0OQrRYBUoOuA2j/Q0F+QGezzo5+nNn6dt0pZKpVyh+
   Fx+UYzMyPJaxtYQkHH0EXQFXeZ39JBPxukhol2v8mJ+I1KYm2toIxIoyArZ4IEZp
   M1c7ZH0RHJ4G/cGOA29+VDglZQ0RsPKfuLIZvuLjO9p8ns4Bahzz26Dt4HIwKpZG
   XlzKGWgGV/XhCZM8+fV9mij6TUC74IMAT7C05rE+KqvNDMl/ZIHCrb94lvHPVyCQ
   zClY7MuWNILO2ZJNgCTPM3HFLnpYPjWkIm2wm2vnwbWyfec2+iqWJUzRfQ3Dn65X
   dhgGqBRe3R/WP6AKOw6x4jNY09RUJ2uX4ksybr7lAGaV5ufyO35zCMTVyrR1o5F4
   iinE1f1NSfEozUqedh2P/RCZ7tPXv9sMu/8gvYCJkZkz9qJxEA72cH7xKtPhYj61
   oj7O8B4XA1fq/3KFOhZyuSLR9A1vJtaLA5EGuCFWrS+x61G4y82yNUJ4chci2vY1
   ESkbNeiaWswj2UbPSvoPIiW7X/cal0I7nOWrlvx9n1rICWO1SPa0Psx+1bX9LwMC
   jMK7ed0U3Z+OBSfQnHYUHQRYx42lXbgum4kI41fxDNLLXXRLUxUwj4FSmGaDoTAB
   pCEqs41XvECWdCgTTBU1zC0C/9uSRH7pXtbQK7t86VxG4jYwggWUBgkqhkiG9w0B
   BwGgggWFBIIFgTCCBX0wggV5BgsqhkiG9w0BDAoBAqCCBSYwggUiMBwGCiqGSIb3
   DQEMAQMwDgQIehcRLmVUApMCAhQOBIIFAHb5dXZKzCeRUo2ZSj0oyuFS3zQ5HhKy
   fapsyCqbYCKv/lSzNYWvuda7xfa+uOM7/wCB9sWdz0MTpaBMHWx9hvibZIY65oM+
   ry4tTuKKqOJl37OsnjB0dSNTKszsI3faPUjslxqIH3aC1shD7OqhIRGZzRjK44PJ
   yWv626oQrgVtTYR9NYTdee+SbBZbkEt/EpWipwftWXGR6tSYJQn99eO9Vih8HyQv
   wIpidUh3pCFOlow4VZyAqIWOHcw9TAjBXNv+qfdH7fiX9wM5/GvnQReIsqjXCUoc
   6pSQIAqD/f+I/d1F2ZmqM7KwX0LGRER9OWZGyF734pN9GLbNetWm6rKxmlSI/5m6
   +2Jxxfann16P+vBSEgWJ/I8GnJAdzIbBTyfjog4Gi2+lmrPzK7+C79ntM9nfsr4x
   Vzy/BknwZIaJksd4VvOGkS9nfM6shtBJB9uR+GJfthtsvIVUHN0kz2r/lVzMSRbO
   g9yR53hv1H/nXCmUjWz/BvobmoaVBcCmmOnnYZTHMNarIVYdLQFif5ZLH7WV/XVE
   VIoRntNRiKsK96VAHm5XboWQGCqL0hehIX3Nily1genGm1aFlSQNMvLDko1ILDTK
   rINvPmjG/WFoLntpJFPtYZsooT1jjXLw3VTSodtgKQNdPYOEidSJqwIS87fzrCB2
   Wmwys0iGfdsuNhSaqNqa0dMO6FiW2fkux7H+w7SX1/n9YeZUNLOcewLcC7E8IA1I
   arjglZE1L6Yb2ldXxV9q3PPOwKuGnah0TKnD6mLn5BIGOGTzF1VspXRrJhFrcLe+
   xsJR1r6niI3bcMWXXy7gbm1X/CRE902IynxE1oDR+xZ6rjPWDJP7kVf4GvA8trCG
   rot4pbJbmwlBeMIylScdQoHEnyqrenOnRMmXZaKzl3njtq7Wk78qoJq0a6Vh/sde
   0KcOPFkyTZdMBlTztm0K2VJU3jUVzPlM0WY2fyGDoA89ol+/MiNsgiaEghGybXBY
   ipOex+p7j1GIRN/CKmpWsqjZnB78kyXmZ6AE1vC6neD/7zANInDkzXiun6ic72Lo
   BX3JGiCSuM6hIPJ0AcDwlzTDu0H2rCQNw+tivJ2v4KbgeKoc6beQb5fZHs7VsWHi
   kIcpwqB5ngwt34wHgFG0nTS4lZmvzSJ7FMRVGmsDYkDTpZzgNOaxiUBQMcEvxNIe
   3nAmA+dvB7w6XRQVSUsL+vBFhHiWGZ7hk5sCeHElewXK0SyJADgfFlYq3EfEgZ13
   h4wtoSfbBVtzbbyg2LNegUCLfIJkc7fmT7X7JSxbjOgndMHEeMdVb+NFxbgsXYrY
   D8rC2A8l5cQzZrsxb1bvgybEJz+NU/52UgGrPmdjJKuGBK/V2zor6qPvKyId1Gb4
   QQuIoyClwhZ+qk9nE4Eft84y7ISgMywH+lw87HrSHKfpqzQhCxlrLu53IYK/4PhE
   7BYC9Q4tvIsZXSGZ+nju4tyzERSlaNe5njUeIENr4B/+kXULwVDcvMFHqUFJMkFa
   i8FUga7gyipZ+654clGgJjnNBO1va8JcdtdPRRW4gwdrVn8u8J78KBzt6ChkrpKR
   V8VeWKBk9lhcT0ZNpJnNqhDrkfzHBqP0Uo133I7P7C+h9sNDI153W6IOIodyQE0A
   v1WxHo4y/1d1VeGDaB7hOSDq9ZMpm9n1En7F6/1/s4IUZHja/qRrK9hD4M0Xq0Lh
   FXuUzuipo49OMUAwGQYJKoZIhvcNAQkUMQweCgBhAGwAaQBjAGUwIwYJKoZIhvcN
   AQkVMRYEFKJTQdVEPIApFXwBI/Dnjq/N83cPMIIFlAYJKoZIhvcNAQcBoIIFhQSC

Gillmor                 Expires 13 November 2021               [Page 15]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   BYEwggV9MIIFeQYLKoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0BDAEDMA4E
   CKq4DtyiayOyAgIUpQSCBQAKQtkPOS4sLE6Os7nP4RaJWBuyXl27V/o6TusBRBgQ
   oPzP+aC+O99wgisEKedyB47bAzcO4sba4q8UkERAsYHcEhdD2hGRCL7ou9jTtrr4
   RgZpa5V9CJcBO0t4bqy2lUefOpm6no+RX840uyM4q5Q+cfH1rTQ1a/a+gLglbpto
   EkH/4dfR3ELYiXcM5UrBYTJOHcyME8c+TXbpf7kiplTtlsrlZyU5zrWcxngrBxwF
   A+O85W/uVR3QZSW+EGx/VCYwGruZlNytBvBYjsYsnC+yKYXbqL81DgOePy+eh6VX
   64SwBLXcWcY+NK2EZrhzrUFjl+PXFKY3IVVPJhTE9o7gJA0hzvAanOluWXozD3/W
   PQaXhyIJDwM2MjznjL2MBydpy9K8Cio7XaV6PX8DszIZkfI4DAz5f7G7WbwUq3Ij
   PPPWiUv+JsR+dnqzWDJ22SXc+AdQP2sKqMvP8gOpHOsVlXXE76c5rUcZCZD+gGv1
   avO7YttWqbDqLj6oQEIJ8LX0Qvwd0YEhetE0bJ5uv2njhQDhLkH/JIbmFSgJZeM8
   dtKHb8f5wZc2B+nXGB+TFboGzSuP7gaWu1vKsJNqT/J/FYEqcamI2F+td7z1sGfb
   R9ckAcxXeb2uPVbCJ1a50gRlz9qVm5Hb5f53X7aoQQp3F3LDGQmJ+GFQ/oXXwabq
   n4TvNO9KDhxpGcMMU9RnugUfNU9GBec0vfrzmVKZdmJ36HOmMnLvgRakRhCV3kGA
   BXY83hwUv17E1qASLKcAWIachkCCGpBGyGtP2IOZTn7PsLJR1BzKnePa7MgFcgoC
   ToIpdQnCTtAsalmBm1s480LN3GB5ojeGbQvNf9TAviA0tg5VuT4/O48V6uYSJsIZ
   sawm3tGA/LjxyfV1aLddQT5Zf5ZX9BX+K/PB4oYAFxtUpMK/aL5G1MvppUJ9CjqA
   tnoKE+EkdQmyZ1VoDO9ih44zuRx6XV4AEYafNB8ygjRHGsvPW0/M0Es0w16wzJHT
   uf/15fD/nH7Xh5MzhCF0CtvLn8v+S1Poi2/40O6pS2byjUFRbeCpzEpRxdv90LCb
   9ALdy0yG9u41W3yInKNFnaWBulfOPFCeZT92M1BgwJA8ZcydtiiunRNAH5iWLSPl
   oUpOD1v6En+rat+PoyRXIy2fLHBL25awLhABoZPgRsCiLsiNiohfyngksrQKeRgO
   laBMT92J8r1E4sUKirQlcOdiWBE6vmBSXzyN/twvfgPNIXgR0rw6c7VhhS+hNTrs
   ttg/xcfvJ/bftDbKm+RZL+yQoOkkAf9R5tizyMdMBlaMrpfrBxvNtMiykbZ88SYo
   A70Trwab2aHQluVhs8OjXGBEOqmSudcSdV1EhBpo9HBsDZZi0IwOp5/B9fCHdnTh
   CTiUm80eQ6mX2/DB9LlNh7gHOyLL3azTm12D0ZpZNaXyxLzdiRiAdwpWZmmegOOG
   70yi0D5eIxh6cbnbuU6Ygdp+pFFVYHfAvc5Czpne2OPhXX2k0Okbwawr9AfrFjIf
   AEmBFx5GBGr/lSiUQSkbUC/s209YgaOgWTYt3KXPzrThJJGZnnXZRTGfIi6vp8Rs
   nPX35+Dxe/Lp3gXDdIJeWG6XVA8t3fspcoTqPkm/XGNMmOZ81KX/ReVdP+dC93so
   v2DuDZbYGPmHlD47bOOiA68GD64DEuNtQ8MhWk8VRR1FqcuwB0T0bc+SIKEINkvY
   mDFAMBkGCSqGSIb3DQEJFDEMHgoAYQBsAGkAYwBlMCMGCSqGSIb3DQEJFTEWBBS7
   9syyLR0GEhyXrilqkBDTIGZmczBfME8wCwYJYIZIAWUDBAIDBEB4eSY7MGIcB30C
   HRiJ2xJ8z8hPuqCScCdxvKtva5ASZJKf3B9NdAS8Y1ctgKu0JMdyIu41RFJYCkIa
   CsL6vLfKBAj1OQCGvaJQwQICKAA=
   -----END PKCS12-----

5.  Bob's Sample

   Bob has the following information:

   *  Name: "Bob Babbage"

   *  E-mail Address: "bob@smime.example"

5.1.  Bob's Signature Verification End-Entity Certificate

   This certificate is used for verification of signatures made by Bob.

Gillmor                 Expires 13 November 2021               [Page 16]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIDZzCCAk+gAwIBAgITWeEgizhkG2crS8Kgl56AnNft6zANBgkqhkiG9w0BAQ0F
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAWMRQwEgYDVQQDEwtC
   b2IgQmFiYmFnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOZwBdIJ
   UaH/TYwSpHuoPu0S6zoEX8EI3B/ts5tAH+uxSUTaxME7jrrZVmplAN6ffsG+16os
   1RzkIVXrI8IKfDyaaPAHZvGq/OHdrbXstTlXcWgibjXu0iY368EoQejbwJu0vAgx
   t/hGqZDvX859qVsGkREOrcFrR4tUE+dT3bkbYkNaKrLiZPCwQ4FDGZSlLGl3xfBi
   syZRrmi0Zef9yn6/fm+lZAg7sU2WC2cbevmt/0JGgtyPZtsoD7m7RxSQeT+frPG6
   ETkiptTgdYLC6MPHhfUuzrXBhnqKGSYiVEAkdeDWlOWyMnyhGVdmErV8Hc7aBCSd
   n0VESCvvGJ8JQd0CAwEAAaOBlDCBkTAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB
   EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB
   /wQEAwIGwDAdBgNVHQ4EFgQUF8WEe9Cn73aQOLizbwi8krWeK5QwHwYDVR0jBBgw
   FoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAD0SptDc
   YKfCH3W3J5whIYabPA3uiIfSQs7bP1tSs4i9bPrFry7m72ArhJtyVIts5TD+AZ1x
   +EZG/9/kvEddBnUmGPUTv1Btur7C9DiTTEu9ekw5ea+nRfypxTmwBFfl01Atd+BW
   +Un5xUSHlHvd7udm9TQZ2qKRR8BxkUIr/AXrfpBtcdj6K8VdJmX+ZTmOMzOynfl8
   TdMJqsvSFbfqXBnc/2bORn9s7f36VyRQkdM5wxVR/GGrendD+xZ3J5ELNpGR2qO/
   DHa27GFSYFjU1nS+RR4fxbGc7dTmxs5adKejod2Vc/YFS3T9EvWXiWNtnNvVVT1E
   lcbF+c7MhV/OtKQ=
   -----END CERTIFICATE-----

5.2.  Bob's Signing Private Key Material

   This private key material is used by Bob to create signatures.

Gillmor                 Expires 13 November 2021               [Page 17]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MIIE+wIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDmcAXSCVGh/02M
   EqR7qD7tEus6BF/BCNwf7bObQB/rsUlE2sTBO4662VZqZQDen37BvteqLNUc5CFV
   6yPCCnw8mmjwB2bxqvzh3a217LU5V3FoIm417tImN+vBKEHo28CbtLwIMbf4RqmQ
   71/OfalbBpERDq3Ba0eLVBPnU925G2JDWiqy4mTwsEOBQxmUpSxpd8XwYrMmUa5o
   tGXn/cp+v35vpWQIO7FNlgtnG3r5rf9CRoLcj2bbKA+5u0cUkHk/n6zxuhE5IqbU
   4HWCwujDx4X1Ls61wYZ6ihkmIlRAJHXg1pTlsjJ8oRlXZhK1fB3O2gQknZ9FREgr
   7xifCUHdAgMBAAECggEABcQg1fTtieZ+O/aNdU149NK0qx97GLTBjIguQEDDBVFK
   2lu4PhBg9AdgAUqLH1PE+eq65JaGZwvFH8X1Ms2AKiRzYsPOQIoJ4n1hc69uiEN9
   Ykcv4QHOvvqtCtWYjJyb5By9WPeLH6QynJ6FlBoSqxhURSWyYfTuwqt1OHEhsUuH
   d3N5BmbFiRBNj4aIA9zz+i5xL0m33kMKai/Ajj3sI0AJsZ5ZVAhYbC8sCt1Xevb6
   i41p9S6GSwGC19by+1y9WC1QGtb5GDotvChMvmZS/O3NeDc6xC/LZoQcHNVgiZd7
   f1g6iEkJlCYK+D7xsd7Y630w75Haj0vnlhiJObSA+wKBgQDxv8jp2D6IVRGgYfaC
   nUU3Mg70wagX1fgPHO9Sk6e9c8CgORh2uwWjpTawu88xBGFyZ+xnWqr7GCNsltas
   3m94ri4A4R94+5uL8+oOLC26gMDfzATd1Q3k/h919YLk89tonQEUbCFZJdphThEb
   vg2W+nNsEVcQGuClzhX0AyGMswKBgQD0BYk3sdGQbBA/hYD1EYsZfYebUiYv2lTt
   VGRgTohKFclRAWOtGP9YRbKyEVkBLhjgkXzS9xGqKywP71z9Iny+zDGbzk8ElB/g
   lS7GFGX50TG0ISfaFWTYdxt4mN9pduZE2blT/26uyU8DXCEBhF/OqhwQjJqKTYTT
   Rl3Ara5fLwKBgQDQyVtjIyD2q8naY2D8c4mo3vHtzyc21tQzcUD8Z4vSYps1hbos
   KN/48qJmRv3tjqP+o+SXasYKsFE/4pIroLxTVNNkbQm6ektfttwpO1yPG834OwLk
   97HVWOig/tX6mOWg1yBsm+q9TKTrrvm1pRGlmE6BQgSYYy4r5O4u3VlnYwKBgQCl
   B4FvWyDhTVQHwaAfHUg3av/k+T++KSg6gVKJF1Nw1x8ZW5kvnbJC3pAlgTnyZFyK
   s5n5iwI1VZEtDbKTt1kqKCp8tqAV9p9AYWQKrgzxUJsOuUWcZc+X3aWEf87IIpNE
   iQKfXiZaquZ23T2tKvsoZz8nqg9x7U8hG3uYLV26HQKBgCOJ/C21yW25NwZ5FUdh
   PsQmVH7+YydJaLzHS/c7PrOgQFRMdejvAku/eYJbKbUv7qsJFIG4i/IG0CfVmu/B
   ax5fbfYZtoB/0zxWaLkIEStVWaKrSKRdTrNzTAOreeJKsY4RNp6rvmpgojbmIGA1
   Tg8Mup0xQ8F4d28rtUeynHxzoDswOQYKKwYBBAGSCBIIATErMCkGCWCGSAFlAwQC
   AgQc9K+qy7VHPzYOBqwy4AGI/kFzrhXJm88EOouPbg==
   -----END PRIVATE KEY-----

   This secret key was generated using provable prime generation found
   in [FIPS186-4] using the seed
   "f4afaacbb5473f360e06ac32e00188fe4173ae15c99bcf043a8b8f6e".  This
   seed is the first 224 bits of the [SHA256] digest of the string
   "draft-lamps-sample-certs-keygen.bob.sign.seed".

5.3.  Bob's Encryption End-Entity Certificate

   This certificate is used to encrypt messages to Bob.

Gillmor                 Expires 13 November 2021               [Page 18]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIDZzCCAk+gAwIBAgITO17BWkcdhfwmHN7ueuPziuUW1DANBgkqhkiG9w0BAQ0F
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjAWMRQwEgYDVQQDEwtC
   b2IgQmFiYmFnZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKrRwJQT
   TIgSJPIiasB5P8g6BVsI/D/WdbmHatWqiLqH746AMo3QPE27AURnZr2iDkkDnqbD
   Y1tZKO5RPB5Q7PSR59RPrcx95in5/htnq2PmpZDCU1z7zAFHQgPPntTie5PdYGFw
   6cyFqz9ynNMU5bCfLRiepocnSV98D9Px7sh6XykEHw7rDx/EuconT3Ilrge1o9F+
   MWNaVAM9q0kgJZxr4RMyhW1uNwT42Fz1J0VjLVxcmtXY6uhG/TP5JW4XWYXgyy7I
   y1El2FO9K/VVxjP6nI3fzYVmKYQngXKrMGjOZly2HZtJhZqqHnBetplBNA4jXYcC
   k7Z3n3dHJZfg9xUCAwEAAaOBlDCBkTAMBgNVHRMBAf8EAjAAMBwGA1UdEQQVMBOB
   EWJvYkBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB
   /wQEAwIFIDAdBgNVHQ4EFgQUSrOsMVMCSZxN42554CVhlT6IYiUwHwYDVR0jBBgw
   FoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBAIeexc8w
   hwtXqn/ptLV/dcKt+gsSOrMcZz36YuqxpMpuzCvoOa2tFFvi2AvTvGfvyK7Oa7ux
   L4sJjVc81RxtyJJLkbdkHw3Wod4BeH7Wn4Ll1LusU1g6SeiuJo4uVLnWmEH6PXQv
   +pEzsf1NTZxrga3SsEdrBq9GztHkKkY4vrTrZaq5uZIN+upV8doLMXGTt+1L0/mp
   2ukafqeW4W2kn3JCYi859PfJmGxayp4Cvw6xoF0ElHfgsTkKp0TxfUfVNzEYnZTc
   ELVUVBO8bMV75SBBoZC1HpAwL752e9a613BFpdFbH/RMsRn4fs7S0I/SKLXD9ruQ
   kDDPaMYBPo0ftuw=
   -----END CERTIFICATE-----

5.4.  Bob's Decryption Private Key Material

   This private key material is used by Bob to decrypt messages.

Gillmor                 Expires 13 November 2021               [Page 19]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MIIE/AIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQCq0cCUE0yIEiTy
   ImrAeT/IOgVbCPw/1nW5h2rVqoi6h++OgDKN0DxNuwFEZ2a9og5JA56mw2NbWSju
   UTweUOz0kefUT63MfeYp+f4bZ6tj5qWQwlNc+8wBR0IDz57U4nuT3WBhcOnMhas/
   cpzTFOWwny0YnqaHJ0lffA/T8e7Iel8pBB8O6w8fxLnKJ09yJa4HtaPRfjFjWlQD
   PatJICWca+ETMoVtbjcE+Nhc9SdFYy1cXJrV2OroRv0z+SVuF1mF4MsuyMtRJdhT
   vSv1VcYz+pyN382FZimEJ4FyqzBozmZcth2bSYWaqh5wXraZQTQOI12HApO2d593
   RyWX4PcVAgMBAAECggEAEvPt6aAQjEJzHfiKnqt1U7p4UKb5Ef4yFrE7PdTLkeK2
   RjncIhb6MeevVs8gO6co7Zn8tuUT95U3cOXLhVOWTvaHYeurTXaknICz3IeOoSl8
   skiVZko70uJ8pR6asWUlr/zOjlEwZ7RnEUWet97oM0YeA07LDFDkF7eUq//6bfzT
   ewr/QfDDsv+erwJBh+9CRHOJyTuDH1WeGxYV8VK3M6VhdTjFxXxFhrQ4pBe5J/UA
   17Bd2GM8Urg6VYzVo6x4ajnc1H/ezYLdc459poTffv6Fg2trqFVAj2IrQlAeqjda
   lemsa6Np801mUGknq3fjKS13RYGBv/48rCHOT8eRgQKBgQDM5TuS4ANQjOYoOgtF
   xoVjbVlndOo+SmdFkZihzQHxcbLY9HXe5HlbLf1IMXz/nERxl+SmYuuJk0EdiM9r
   HOCcHRLfBmC7t0GdVvLDHSAX8Ec47LbtKZqyM1U9dn7Z+5q4iywqpaP8pP3+oY57
   cgtQax1jle3xhRAj65cl1RBmQQKBgQDVbLqK6wKDfSdZuMZGUtOY0rtamBDCgEU6
   rEqBAyCPy5NpF1pomUFcYKWT/wbReFqtuyq2OyiATB0yHHMko46BUtN7qX/m/skt
   DHWXVWs1+G4IgEMVokM9jjrkgdY5grrJ68sagKC+bgv35BizHPIqgQuO6qnPSrM9
   bevwbQEj1QKBgQCiPE/zeBSnzyjeaTdLxGkR1R+ZX2WqdNdYqnQkiWMkflaSmt5J
   4raEj+GhLC5BZsZ6+z480M6XXFWOwSkbMv5WHl824KHvgKcfoh0OiR1EVyjN1gDx
   wKOQvjycMhs3FpXn0arjCczS2wGSgPGEpUR4JJhcpfaF6kphZsWDWzVlAQKBgQC2
   ivbKltNhj4w2q1m7EGC3F5bzl5jOI1QTKQXYbspM8zwz6KuFR3+l+Wvlt30ncJ9u
   dOXFU7gCdBeMotTBA7uBVUxZOtKQyl9bTorNU1wNn1zNnJbETDLi1WH9zCdkrTIC
   PtFK67WQ6yMFdWzC1gEy5YjzRjbTe/rukbP5weH1uQKBgQC+WfachEmQ3NcxSjbR
   kUxCcida8REewWh4AldU8U0gFcFxF6YwQI8I7ujtnCK2RKTECG9HCyaDXgMwfArV
   zf17a9xDJL2LQKrJ9ATeSo34o9zIkpbJL0NCHHocOqYdHU+VO2ZE4Gu8DKk3siVH
   XAaJ/RJSEqAIMOgwfGuHOhhto6A7MDkGCisGAQQBkggSCAExKzApBglghkgBZQME
   AgIEHJjImYZSlYkp6InjQZ87/Q7f4KyhXaMGDe34oeg=
   -----END PRIVATE KEY-----

   This secret key was generated using provable prime generation found
   in [FIPS186-4] using the seed
   "98c8998652958929e889e3419f3bfd0edfe0aca15da3060dedf8a1e8".  This
   seed is the first 224 bits of the [SHA256] digest of the string
   "draft-lamps-sample-certs-keygen.bob.encrypt.seed".

5.5.  PKCS12 Object for Bob

   This PKCS12 ([RFC7292]) object contains the same information as
   presented in Section 5.1, Section 5.2, Section 5.3, Section 5.4, and
   Section 3.1.

   It is locked with the simple three-letter password "bob".

Gillmor                 Expires 13 November 2021               [Page 20]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PKCS12-----
   MIIXoAIBAzCCFzgGCSqGSIb3DQEHAaCCFykEghclMIIXITCCBCcGCSqGSIb3DQEH
   BqCCBBgwggQUAgEAMIIEDQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIe/d6
   qDQ/28QCAhQGgIID4HU6LzRSQpvpE9vk66QO5SwtHDR5cxPrr0a8GoNDS0qB0vzZ
   6qCUZsa8MBghT5JdWC5WmUK7LXSge9ZQYyutasw5aB74js4C5l+sQfHZ/Qpg98Us
   n4kyQQDNUJSvA0dkEgi5G/XNeEl0OGaAY57Uus0dYFXYu3b04nvrm2UjFnayT4AW
   PNrzs9pnuELccSg8FQDHPTa3xv3kwmtlS4fVLgicL1Vsq3uqtMYb8kiy0MRmU6JB
   xculAl9ncpUH7CNWvHDR5GsZ2LLhaUewBsHZq4PV0WoSzoSyobcsx10tnsoH9pGV
   5fYLcgSKTmVz/5mDUdTjzCfB9euvLgPAMkwWoQFRNHxb9vbL9PVc+8tc5CgSMWcY
   0i5UQws6+vfhGynJuQAY4CcJIIa4N6Vtufr2KHWWBd9AbZcRlVIdU3lLTtRhYoJO
   uiQ6FYCt8V+ntUB1CZyH1hmvw+QAenGoFK0vEa+u0/6QhrlrdlBVx+YOZjtYz8A2
   BlebHx4rUuJDX/ayVSXn9XxZN2uS5vRNjG0NllUBy5D9CL4LR3wEasfKRLTVISNl
   TtZcBTkqvsclBWWQANyQJukavoDJMZ187RbB0Xds8HAGzXjZoXJPnFhjyEkQioWq
   /VXDbONWz7jeqknaDZVz5RKC25y1BHH38+0atldF42/k0Xx4iii/fga3hrJEnLnF
   gMkVipU6lwGbNOC80OAfNatJMws4kxpph02FZp9A0hkEeJ+eeDmYlIE8jFm9gSD4
   MgqznsdOAp0ispDqO0t7Z1YCM0IssO3j4edp8C8tBCdwJ/hOQZ1qCasEM4znG/CO
   nESlEAdCJZHNz+2/N8LzVB8NpP1qiyqW2nJKXXaOMDQwi9qFDUG0n3yUpggF029C
   c98g05SY3e8f/3V9cgtg2HXjtjeEHsln1SWdmfBB7mOnUdkDh+pmXZ4zB9BUuS7t
   H0UTpL0WxUlfgIoz/uk2hi/vXAX5Q66SUqVFifMQtOlf44oYOb/JYOG9wSWnj2pU
   Fih7Y66TYWnX2dEdUyIiPut7WNrBCHuAXmHoR8qZjGIxRobphKAgXu5nWg8vhm0T
   woRq8pdO3uOGHIOOJGyxG4feVHRG/GstW+M6qdYO8/hLaZ4/ZShLxEojyrS9htXo
   oFBwQCmMooC4smAvSFqhbrY9j5ueB3jCECI0sn72bH1nXNbkwonxGWEvRBBjvmFA
   ev5xoJh9Jo0JydKWuI6yXXCImWVvofxbMsnrSY9XWd1gV1JSw0DlN2a5R12zqHaD
   6E2VkcOWOP6pnH1peQAjkFtfWByU4xAx1Jr91TN4r1L2DeVTV5nz6b4spl5ZMIIE
   DwYJKoZIhvcNAQcGoIIEADCCA/wCAQAwggP1BgkqhkiG9w0BBwEwHAYKKoZIhvcN
   AQwBAzAOBAjiGuDSkfG4UwICFLWAggPIECUZsKFZWi4pn4njlMf8F8r2T6iaGOjO
   4xVOkPFV8nC1gb/kKeZP6oSyEVahfb5/bzyrd7qzntTaSNdoVPf9aCGjIaxUAhd9
   wczQ91Efp5SJTGAzJmCiYlss3dmnKgwgc8XEnhp3VDjit3j6vzR+EEf23Qxgk0Hf
   jt9N+oKD8otUr4kH1HJ/6qQEOModxiRi4kDbLfuRl0O17tyMPQhQjzntmy8eRBfu
   7JQrnnRvyuv/a/qgYbf0OVa+tcIHttAd+Vko39h0K0Y3A3TnwZkb+1mmi4XvMtWX
   buOwrvQmvH3E/tMyQKlesJf0Pnk3tmKC5wCFZ4xiaf884nF+2QfqLZC7qD2yM8ui
   2KVsq+TMF+THJKYBqfAZZui8r30KlkXQClLkSkHwsUfJxKQsRjodS51UEPU0afgl
   FEqGZEfRQgInuVhqyYxZodVK0JlGZP1a0n3u8EqmJ2Z8B/f4jBb9XFH7v64P0YHz
   1UH8smmQhmboi30XJwB6QDZCKR8xxXb5esQmAbUY0cTJld4nPZAmRqP38n0f4bC1
   5bYVpUcAVcd+UMaO2acRTtIvjgFjSSO2Hou6/Ex7LVBzoe2mtAyguhOwD59nLxrn
   FChSZCoUlNplU7akJCWQkrtT1tEIEdivZMHOfuluUhgzyzkWxKuppHJiFxki8vZ3
   YgKyVg/K+Tt/4W87c/hEiSWjDd1TEvYK/iDBiDiIuPgFxjUp/2Wmo4u26GskeOvU
   v3PIvmmJoOskp2lOa0jNAd57eXcn2s92c0qqxIfWuEuOUBagfPIfyHTpyKNxi7qI
   JKR20UtgiPSs9tvywg2h/Y451xXFNJuv4R1wxmSgKlv2lKf9OA6aq9kNIafHbhwz
   Ilw/xl98xoncENpQzJkKAgySvtiX51Tq/A5lm9p23sUK8JdL+JtA/8yEa5g8eCj0
   MfcmNx1TlYCfHrGx1/ZdW1DGl4GHJIpllSLkHYxXBQ6sixc7GNJ0qkpRTeDRLiDt
   35yAsv7ESpp5w3/WjLAsPbPsaMVgQjOOhBwjkV9dOwFc2k44XcBjCtVTtTEuhN/a
   LVmwgdH5LFV3Uyp5442Y8aWODlG0i4YDP7oXY3mBu4WrL6NlMlJOQNfz+e077+to
   c1Bw4Fag9f8X+AiBl95HPG/sx8YKnVaID4rcxpyKOO/ONy0oShrkAmbQyM7hRe/v
   fRL4lNB+fyK75vPGsp/shquhF9K5wZCulixVBQwze7q1CcGro2D030YdP/EDWexC
   1xoidBkqssem1oDx+OpsavtdMCDrft0/lO9g4TNnnB8wggOvBgkqhkiG9w0BBwag
   ggOgMIIDnAIBADCCA5UGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECEyHXPVs
   ncxTAgIUQ4CCA2jGt/qN+nxrXgh0JNk53ykzmi76tkL8Rwu1OfRyalJElUvfdDTu

Gillmor                 Expires 13 November 2021               [Page 21]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   O+nEpGRq0rCvD5nUL75s9opbRwlGs4MK5oj9dgMFa8zUiA7Ef6eDjb/Ak3xDoXLN
   a91AgT/Z5x68AxPQVpU5lPOXxqm+JD7NsfVKVASB7wDx9sx8AlsxbmkRcfme1dBO
   p/iY9mim7y3wmd+t6D7KPjiaWxwsCALS8O1Kit3zmIGvB2GnB2ijFommyqydbBM5
   Vg7nXYqeogBN/wY/vr8u7g+rwdroEOqAvflqZXBDecDoCbNpI+uFl8VeufiAKNQ3
   TEPsO9EO7OU39aQyO/oMEqY1hDidzF0CHUaFUB/GMNONSulhFCZT7RIUsQ8L2BBw
   E+Nd5N/XOwtKY/PWzRbBXqSR1QTEOmOzQ6ilPLboxn33ngy5n/6aN6HgUAyPqJ3M
   lijNnrzyDTl8emk1KeEmny4pBRkYGj8WZfszzxnccZput4rGlhggQPjx/sjiIdPP
   R0bj0CU+b3TFHMUCX9g6AzSqpkAiAFYb2ChGyRGbitdAilc71GnsIBxSULHj7EoI
   s//uIPguDcDS/tdlkcE5MeUA5LJ2OtmFAEZFtYOM079MM7p5YJlmnmmq3olvf8BH
   4Q3aZhQ72hZFI+Ug8ZSFMWqj8tsV8d409b+ykvYTHpZTScDXqGDmKFFlqXx/pSRn
   Jxo3A3feSEEPlKGJugx83o38v1o3ZpU9NYZsueUp8+6Dkb7dwLhcfyORKd6TSfxq
   ePYtMz7XjZkrQcCKBeiXtyNoWgsFw/yIAi27c5O8nAd3aUjQc9p4noOHL2qFKa+C
   DM0xgQqyLWDAVJEuWFM/gX+FZCzXpaSGcKt2DDmrsEPyhv32ay3FQpj86S7WjVw9
   MbkLe3USnRo6HaoLVh6oQNAkkE3DByvbEaAgAIIHUc7sG9G7Ma1tDF6zqHEs/hPc
   9B9yzw87ysdpuCTLxANryf2rODY/kRGxbo9plwQYO2qEmEIWNZiBCrs8L6f2GEDM
   fpPBc++q2cs6VKNuG8V9f6oBFrUBrCKpXItNus69+fHlsdjDcrx1cK75R4boyEcy
   G7YhyMoHw7wrxFRPTp1ZCVqShPepiMilgxerst39aEgpflmSusZEEbMTxei/9gKY
   euKDZiqVlw8IggZ54p4GWJGi3jCCBZgGCSqGSIb3DQEHAaCCBYkEggWFMIIFgTCC
   BX0GCyqGSIb3DQEMCgECoIIFLjCCBSowHAYKKoZIhvcNAQwBAzAOBAiO/0ICbTbZ
   LQICFOwEggUIFwT/JI8UjJQPfYTFonJEo8zEbpYWXKboqw6/zZsMGmAnUPgQNQDx
   yuLVprs5jUc437kVB2M3F0x8DjmEppebtHfIoyjoXF7jdnA4EF38tsso0K1nMPmS
   gl02iYZtOqsOvBpfeO5Hj4Ovhi26J9PzTwPcgl3QQPqfWv7CwgGVn4/hntBAriPS
   E4gAlfAcqkxtJBm01QwDoAdsOKOMsYntgWajpr1J3Hm+34NPL04Usf1OpcesPUJ4
   CBxNyLXxjjsOzD78WVvKY+N+j89xTsytz5Y0fEkFqrcl8pgBQxH72jBwSCm5YwHz
   3BhWQgr2bpWJ1f2LWcVsnrN9tx6RhQtAAkcyNgX/ksp5EW4JTo+o6oXLRhXIYauR
   rUrisMY++b8ZJTp6C1t0RW2QdqgMZghSZgaW6FSC6Dy2Dd/ezdkYUCgiEtq8eSxF
   /8WDw6Va2iGVSNt4/p/OJ97yN5yOJ0K1g0hATebU+I3E74PQ9RK84FfJvyHDBC6f
   vYZW/ouMcgp3YmAF+dTm74Hq88X4daV+/UPYf/cVpyiwcBTg6H3jrkrs0yKoWLIf
   rIvMNBeeKZ+fl2Enw1MFzkLI4VGD/UeRwrbhN0SHkh5lIGtu0yRTfq6msYQpkw+j
   r7QwJIdQyrAoaaVaRotVyvgTOLlHw8r6o7v36yoNov3kDPW7DfbSVTWX5lIyQn8N
   qMwa4N1clWT8ukfZXSaYykFSqF3w5zala4iIhu03GjDcfiWLMUlYVAUcvSmcIULE
   1oW7FKiJc8OadeIu0JBySRSEvf7B3w8leYUs+u/h1ptrZZKhe1JdAtlszvHJ0DD0
   kMqA6Ig4yomscGSol/sRUqpecIQwVZTCRRq9dJOFJkKhKD5Eo9E0Z2snp01fpUF5
   qlMeBjpYgkX7jhyFyvq+qDqBAY8izvkcruE69WooBVyorqKHURjWtY+rhzcB4+HL
   72wZKzLnY3iUjJ1UANxM8mC9fpD1NJt/7epqzPyZ2Kd4GJVYi8sQpFKf4tRHDr0t
   I5iUB78qj1EBp1w4qvRn/jC4ii7+Bas8mz/AJ25QeviC44Vj+eT2YYXafDivrmoe
   BuVMIBbD066YnuBC2CeKydNWdiARzc3IfhcuhVwq7riotYfyDqd4e0Jy7Y57pbwv
   4Qwz1yCxRjSwiFQ7/fRa2Cx8xtxKcC/A4LGnXAKISy+uNbDWA7AYaP6RmGgMCaNi
   Xy3F1zvxnE3bv68tXRF9vjuEChUq56N6992qhoBuHP0J/mRItw+JoI4m/OFnEUGT
   3bNyxpEFyA7aXBE91aQdSXl4a97nC0/RSFH/fRwPFYgxr3XdCIf3Cw5PDs25YNsX
   WCsDCVejWMFrwOzmDwa8sBkY270+rGv76qXvb/uGD3M2C+DySVy55Zd42wjghSez
   gY6taT0tqKfLOS6Vl4ELU78Q6va2o8MlcUdi343tOi60MZgCDUwPP8TjKZINh8u1
   KNhzgpwNLz1gE0dd200l3bbzdZ6uio3R52WQWRCk17Z9lUesCJavytcAi0mMefMx
   BPMOdnUi6O8TPDRA0mcohbE5rybwDXAoB/VUbwgM0/qCpZ7VcSKN1lUuoe9+Kho0
   NK/gyMEvntMxGNNI8arV8UkeFollPhrtumvdwqbVCeN8TBj5vXo6Hu+eKB7AVwjB
   k/rRHpZxnnVGXbm8HzM+kjib2cY1diusVRJ/1+Q9GXuo135tQbobgcMzAmqAqZp9
   kDE8MBUGCSqGSIb3DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFEqzrDFT
   AkmcTeNueeAlYZU+iGIlMIIFkAYJKoZIhvcNAQcBoIIFgQSCBX0wggV5MIIFdQYL

Gillmor                 Expires 13 November 2021               [Page 22]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   KoZIhvcNAQwKAQKgggUmMIIFIjAcBgoqhkiG9w0BDAEDMA4ECCNi2K1bMEiBAgIU
   dgSCBQDLIXo4ExcyE8+4aiZIj/Wnh/SVVVR0n7s4PGCbXt+VrOHd9YzTuUicAqIc
   HH62dv7NSy+fgqZG7SmVR1IodadFe+5usAzXoyyhhEe2c+ToeVbr5rs+vBvQUyh6
   X5XTV5QVOAkwSyKGjyfdy86x1Q8cL2D2BM+Rpkm1cFtjgWcB46U6S6w50sG7XOKS
   CMI4a6rnHPVgPPdXMrj3VSPJY8bhBqEDPVTnfSHf/wKZrIi54O3F33B5jt6Cm9+9
   m9Fed8n+81w59rRom72CY9Xii/ULER9THwjxOZOQ+dIml23KauwexuOGjii0UR8M
   eM/A0n7UNys+bZTulgdpWW/mDhJ+eLATnhJw5ro/AWa6YVXG+t5k9LjdJ1ZmqS4b
   JxvBwilpEGoh0MM6Yp0dr1XM4mT/E0JMWD458Ngs05CuCpwAUXGdQmgrVsFrrV0H
   TyHeVLDhe43J3GI6HCWJVOeDQzzmaO3AM+IooRDkTHnJMaxUXphKTag5+f/smNYE
   hzVjZeIc8GFZ36eSI4BNGHSXFACwLu2ThkzpXMmg50JAUhBYxqE/fVevLUH4JPLg
   z869wk8gRlUBo6ihQGrnsx7ZO5IsYahEYjz0N05PVPJYMLSyMovG9i+LpzQ49gIB
   zPu2fdLR41u5n5O5mG1Y4aJ7OCJxMORYhWHuctHdGdpJsgiq8+1iiUwmfyCfb0ZL
   3ePMU+W0zkAsyn22aK8jDBLLVZlvOZIVqR3Gx4QFPSk6qCMQ0E58VkMUMxYvClzT
   wSeEMu66eND/AKTE+XXV/d9bmSmWGk7Y8XrDKLKfmRdrlIeondVJv5mk12YKxBPQ
   GeUqK5XJUa2dzH9zvfEX8iYzdt4281QCiXJ3qwmbT+8RoOLBt4KyOs2e2ZSZnjrL
   9OO4oUsHIOyEfjwnWoLhKbkmun8GJxoB2yCzTawVQf9/qIUXaSzcp23AV6Lf1k9O
   f79HYPW3cQJAtjf6XBVE1xVZPkfTuC3yVLufljs2ed/ctpHg9nuId/xHFH7t4Hbm
   U3/ZufE1GHnsRQ3kbnqA5WXerd9UzeoDaVDjFXGrITp8env08GXYvwWGXLL150l0
   DuJSv1E+1yww86SNjBYUTx0r0CJjjTk27vIUhAYUEA+J71IeifqqPDKYXnrCdUEa
   jbfEdek30WiLR+ChEvEp48Mla6UVTLm/mjziwbsxm5QlGccmz13e32RiyrfseB+R
   yllmzeJtydP2IHkWK7pww9yOlPK0QtZs66IGZKqeXrWBk9QFYDX42gAy/xTfglco
   4KO7akhp3UzTIQyTXnt+OsOScc+ArVm/dwClm+ZxybtOcVyadjpKWydyfAr3aTkG
   xX6RmHrEWr1R9BnMGPYesDs+yeVNs1QdDhff/bQLwCLXdGLWwLe6kitUiyi8F3bd
   fPjR7R61lEUvJrBm7YLmgdxRCJ02LFLGn09iSMNe5vmiNaKiuzfb4Dp9dqEMhmJf
   dsTURagfJIyqULoe08EIIozahivbzoWVA6oPAkk2D8DnTiMegX4IZ/Zb3LPxJKAe
   XO3Ys1YQrNSNZ3B2ZISBapzGzhFZfRVzPOmXhN53pDhlxkw0btkKblYA9CvP+kzg
   wekzCy/Mlq/HbO38CV1NKzay3yg4ntehJ+v9/k7gaqKmo3ZWMGk0WGBv/GFxYhme
   Nd14Y65D9TlypM/zrXSyGoOqZgSA6HlAgogzwwSaGwx9n/o6czE8MBUGCSqGSIb3
   DQEJFDEIHgYAYgBvAGIwIwYJKoZIhvcNAQkVMRYEFBfFhHvQp+92kDi4s28IvJK1
   niuUMF8wTzALBglghkgBZQMEAgMEQBS7n+ELEEn4DxvxQtrFdK1yyK4ib8dvtnLQ
   leuH3hK8w9YNLhkfnVb5+oJiDceNqHIRBkrqZXzGf5yRd5TnxgsECJ1vqXe6ro0F
   AgIoAA==
   -----END PKCS12-----

6.  Example Ed25519 Certificate Authority

   The example Ed25519 Certificate Authority has the following
   information:

   *  Name: "Sample LAMPS Ed25519 Certificate Authority"

6.1.  Ed25519 Certificate Authority Root Certificate

   This cerificate is used to verify certificates issued by the example
   Ed25519 Certificate Authority.

Gillmor                 Expires 13 November 2021               [Page 23]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIBbzCCASGgAwIBAgITGz6zL8fCL93bElmwkKaEVA49zzAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjA1MTMwMQYDVQQDEypT
   YW1wbGUgTEFNUFMgRWQyNTUxOSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwKjAFBgMr
   ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNCMEAwDwYDVR0T
   AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGuilX26FJvkLQTR
   B6TRguQua4y1MAUGAytlcANBAMI9vFSXNfqh5gHVsKHmvMOW1pK2DcDr1GVcmX07
   Hnzi32c/0QVbF3NoHdkpGmjY0P5fpT+SyWfOXwW+93fMvwA=
   -----END CERTIFICATE-----

6.2.  Ed25519 Certificate Authority Secret Key

   This secret key material is used by the example Ed25519 Certificate
   Authority to issue new certificates.

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VwBCIEIAt889xRDvxNT8ak53T7tzKuSn6CQDe8fIdjrCiSFRcp
   -----END PRIVATE KEY-----

   This secret key is the [SHA256] digest of the ASCII string "draft-
   lamps-sample-certs-keygen.ca.25519.seed".

6.3.  Ed25519 Certificate Authority Cross-signed Certificate

   If an e-mail client only trusts the RSA Certificate Authority Root
   Certificate found in Section 3.1, they can use this intermediate CA
   certificate to verify any end entity certificate issued by the
   example Ed25519 Certificate Authority.

   -----BEGIN CERTIFICATE-----
   MIICWjCCAUKgAwIBAgITDkECFedCINX+zN0f/pVkUiFMXDANBgkqhkiG9w0BAQsF
   ADAtMSswKQYDVQQDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIwOTI3MDY1NDE4WjA1MTMwMQYDVQQDEypT
   YW1wbGUgTEFNUFMgRWQyNTUxOSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwKjAFBgMr
   ZXADIQCEgUZ9yI/rkX/82DihqzVIZQZ+RKE3URyp+eN2TxJDBKNjMGEwDwYDVR0T
   AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFGuilX26FJvkLQTR
   B6TRguQua4y1MB8GA1UdIwQYMBaAFHhfDlp42GvkVHA9s93s9/Hy+sBHMA0GCSqG
   SIb3DQEBCwUAA4IBAQCTvPF9jV7E18mX2ps6jgSz8QizMKiSkd4Yayyc30jx6etl
   BMC6VoUYbN+aLgD9SxJOFVnj8+Rk648nHc5Bgd1myng8b/oBYis7SIdveJazdsPD
   4lG4yzsUItDxs12HYSlVlGK0ce75CTus+6DgVxZgcaCdeO0SnVL+QXBQLzvyUgtJ
   jFrPA6f2C1jtIfjGwqmKYK5ZaJxmloqUR45YdUiuWbLsc1dvc3n7hvpIrMk/626M
   U+rfkoKOf/gSRxR3nc1rxpVcvdT2esjnF6Qn7K37wL461jWJmDbISwjVQJbZVyxI
   GDpwg8nWGPe9iagwV3MJMEPVNBzc1fIHQ1Hsz4Q7
   -----END CERTIFICATE-----

Gillmor                 Expires 13 November 2021               [Page 24]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

7.  Carlos's Sample Certificates

   Carlos has the following information:

   *  Name: "Carlos Turing"

   *  E-mail Address: "carlos@smime.example"

7.1.  Carlos's Signature Verification End-Entity Certificate

   This certificate is used for verification of signatures made by
   Carlos.

   -----BEGIN CERTIFICATE-----
   MIIBqDCCAVqgAwIBAgITfTA2/ZV2DbKUTmbWgsuSzBMGCTAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D
   YXJsb3MgVHVyaW5nMCowBQYDK2VwAyEAws6AMizeYchNhE1g75Gc552urn8e5Add
   I/IAppL3yK2jgZcwgZQwDAYDVR0TAQH/BAIwADAfBgNVHREEGDAWgRRjYXJsb3NA
   c21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMC
   BsAwHQYDVR0OBBYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MB8GA1UdIwQYMBaAFGui
   lX26FJvkLQTRB6TRguQua4y1MAUGAytlcANBAAqOV3znya6m6uHwPVPLzcj7UHwV
   GuFHnMt23KCQchRicDJjRWZuTVw4oQqq5G9deVqJee8T2cspxkmFdVGWxQM=
   -----END CERTIFICATE-----

7.2.  Carlos's Signing Private Key Material

   This private key material is used by Carlos to create signatures.

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VwBCIEILvvxL741LfX+Ep3Iyye3Cjr4JmONIVYhZPM4M9N1IHY
   -----END PRIVATE KEY-----

   This secret key is the [SHA256] digest of the ASCII string "draft-
   lamps-sample-certs-keygen.carlos.sign.25519.seed".

7.3.  Carlos's Encryption End-Entity Certificate

   This certificate is used to encrypt messages to Carlos.  It contains
   an SMIMECapabilities extension to indicate that Carlos's MUA expects
   ECDH with HKDF using SHA-256; uses AES-128 key wrap, as indicated in
   [RFC8418].

Gillmor                 Expires 13 November 2021               [Page 25]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIB0zCCAYWgAwIBAgITazo1UrK0irBqUo9n7eep3mSynjAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAYMRYwFAYDVQQDEw1D
   YXJsb3MgVHVyaW5nMCowBQYDK2VuAyEALmgxzNMgyJ11NRhNz9bKYSpfDyFmbVBs
   jPbFfaAUPHSjgcIwgb8wKQYJKoZIhvcNAQkPBBwwGgYLKoZIhvcNAQkQAxMwCwYJ
   YIZIAWUDBAEFMAwGA1UdEwEB/wQCMAAwHwYDVR0RBBgwFoEUY2FybG9zQHNtaW1l
   LmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgMIMB0G
   A1UdDgQWBBSBKaD6I6BLIIwNeADe7doWyzQluTAfBgNVHSMEGDAWgBRropV9uhSb
   5C0E0Qek0YLkLmuMtTAFBgMrZXADQQB2O4eB2hfCrKfP5yIwwRVXSFBUKqE97Twt
   xXgQ8/YSpsjVm81NC1vwOCP+X/W7ERF1NVTY4WGHYsK2r5rz62oN
   -----END CERTIFICATE-----

7.4.  Carlos's Decryption Private Key Material

   This private key material is used by Carlos to decrypt messages.

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VuBCIEIIH5782H/otrhLy9Dtvzt79ffsvpcVXgdUczTdUvSQsK
   -----END PRIVATE KEY-----

   This secret key is the [SHA256] digest of the ASCII string "draft-
   lamps-sample-certs-keygen.carlos.encrypt.25519.seed".

7.5.  PKCS12 Object for Carlos

   This PKCS12 ([RFC7292]) object contains the same information as
   presented in Section 7.1, Section 7.2, Section 7.3, Section 7.4, and
   Section 6.1.

   It is locked with the simple five-letter password "carlos".

   -----BEGIN PKCS12-----
   MIII7gIBAzCCCIYGCSqGSIb3DQEHAaCCCHcEgghzMIIIbzCCApcGCSqGSIb3DQEH
   BqCCAogwggKEAgEAMIICfQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIwS3R
   pT1mkyMCAhS7gIICUDFhZmrEWCDBUJidtT/9T8JVj1+gBWH+LyGcyCoK6R6HK8hl
   Ee+qT8jI+cIQ2J4FCz+ZZyHZLvp5EznQk02h97rTkXod3yrrSuBnfK54VlPLZSwN
   hfEc8b4CX8VeQwMdLu/b8G6GFzmtK9Dhnb3UF+3PCc9YSBqyBdGLPghhYthxyUit
   WLy5GhtoLhjrkgxriMUQurH6Gyh36o0wZdoVXLXUyUYjNZlHgZzITf6g0h5rX125
   50UjF+HU25YOoDuE5GEMcT732wWCKPajNKqQSP6WBOYifKtZ2OnNYG6/x6xEyLgg
   vrmFJF9lVfqkHHhdiQ1yZ3GYF9oEYRVZsw283kXMP4Gb9avdSu5AGhWEsF2Z5K9v
   WoNOYNQy9Q0RJFDV2mu6CAe/ExToSp6Zq99o0hH+3pDUSuWAmZk6xOa/HUYyDxw+
   dJHCaFTNZu/BpmCOH+jF+1hbkJsA9KxYzgrbMowdQQec232saG25I1IUo9zM5MMw
   SQ9n21ISXbY01rqPOpTY23pbbKe8uSLFZlrWmMMOBidhVvqrJXhy/rL0+C+SvTjx
   OA5L/phGXa2HmXD/xnaZYg7EzNLtlaEwASlwyfo2NTDuNdmIBmWeVrWZbH4ETGVJ
   Qk/dnkUnCX1yimeYek+N3H4826AC2dQy6MvPzoI7XznzT2j3CoNAjANwVbQwtMSh
   DRBM5jk+RMJDeFVn/l9+obwXW/w2ucwxfDi0PWDnIt19Cd27oEzk5QKcAWxm7s44
   FN2fr0cz8VQ10ozXVp3xLKfh1BOiThGIocO1sgcwggJPBgkqhkiG9w0BBwagggJA

Gillmor                 Expires 13 November 2021               [Page 26]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   MIICPAIBADCCAjUGCSqGSIb3DQEHATAcBgoqhkiG9w0BDAEDMA4ECOMzXMste/8a
   AgIUlICCAgjGICz00XOzEF6f/F8s7SlV8KM+WLuelXUIjGMSsX9Xd9l9aQemTh8y
   n5+XyoNKXfrUn9UfEfpoKr7Y3Xz4L88/fsuLALbLUpDRMW/C+sPp5H/63aI+szyk
   lnKpJIxLpMjlfXDSEafPszf+2ckBgyImQ8+Wqf3J2WryXobhrvXFR7FidtQ0GpDk
   WND6DY6Vdx5pdIV8sLLvRiawV9cx0rAoMItPe8FbSXVCP7JJ5+LyABnPHlfUySQS
   EPOkEc5XUyHigwkvhHweIDe0jiE987esjPsnn6hgepYZjx/YGilFUVrShblj2TMV
   YYfu4FMxaeFR3/kGITVXgWyMJumBS3WfzdmJ1wV2qFl3uk/ONOpCqnwA+yj8y+Kq
   tX5Qz4qPkFqjs/9yQmDYQbRvLuTdcZwp5bYd8oQACDCek+OoaR4EWhbYAet3xA13
   cULY2g3H+p8pVBQC6ANDAY4hVbqoEla3O6i6ZUv2galjze4bTz38Z58vd43Q796k
   Kw3NMdUgkfyU6rhRimMH/GUjyTihEVyLokc9NPJS8mhXblr0WAvY24KhBxq/plf+
   N9Dp2XHLAPK2N672KGGbZTPf/x1RPprsKF0lcyueLE4pVLpX/GEHmm0H++XYMLzW
   uc0icZQt7pERKa5zPKhp3I756pat2gvjMPeL1hl8zHnK+Yi9NbYj2kAO3K1bgz2K
   MIIB7wYJKoZIhvcNAQcGoIIB4DCCAdwCAQAwggHVBgkqhkiG9w0BBwEwHAYKKoZI
   hvcNAQwBAzAOBAho9g0tQyYTvwICFIGAggGoKzdhPK62x2hQseNPvFp4RUVsAToT
   zZLU7WKZr5JnbsUt6wnc/QrrTDYuED252Tr0XP1tn1dEx6Yk3QqN5011tpjupiDb
   821DGT8OwwrYTWOKZpoLiQ17bI35l5Bz/pY03ZHgy8TIH3hJAsUdxnAHs4ASr/ZG
   SkCI0aJosqKTbbA4Y6dBNPClqjG+b2sBncIwedKTXgHO/B+HHJoXtRbl+YZ1CNyq
   lZaIeWouRCccrv6XnPdpjtv3QRxRlvCGg40bHhpqnXiDcLCk32Oqxux64skF6Wt9
   m9Ij05qtGBU4bXCTVSUaUEOf0kpxII0drg+B/eZbOfDwFmgmvOh3zTdmOQhh01CP
   zbeoOdBm3K/L4XJhTV3kh2UKURoQ7+E67nNeiLtbdT8CIhy32oS/IG2gmGsIOeuR
   0quFD+Kpq7rzIobE1JEhlzJV2pGBHEOwKL/FAo5HJ2TS6hw1w675DtjaqqBYwjfp
   vgket8WDrfD8eYH4GJ3GSoM9YgNVmYjHrO/c95GOBeoe9k0u/+DitqVPa2/ljw//
   vg4OHw9HymnWgTlwkFPkpHRE9jCBxAYJKoZIhvcNAQcBoIG2BIGzMIGwMIGtBgsq
   hkiG9w0BDAoBAqBaMFgwHAYKKoZIhvcNAQwBAzAOBAgNhfODEdzSrQICFF0EOCEq
   Fie1peicS9OSXNQjLwbN3kO8lYM2HqeSZoEKJ4JSFlV1kWW3xwfu5aZKrGEYBfGM
   d8renRijMUIwGwYJKoZIhvcNAQkUMQ4eDABjAGEAcgBsAG8AczAjBgkqhkiG9w0B
   CRUxFgQUgSmg+iOgSyCMDXgA3u3aFss0JbkwgcQGCSqGSIb3DQEHAaCBtgSBszCB
   sDCBrQYLKoZIhvcNAQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQINFcqIEMfd9UC
   AhS1BDgZruEsSaBY+Cm9WKR8HhH3JXh+AoMSrwkDCKytWt+MNIXB0jY2QZHDbN3u
   Fn7qHw06MDthnKniazFCMBsGCSqGSIb3DQEJFDEOHgwAYwBhAHIAbABvAHMwIwYJ
   KoZIhvcNAQkVMRYEFGSF4zucHVrN5gu6Gn8IvsSczIQ/MF8wTzALBglghkgBZQME
   AgMEQOSgOktGopSxl70faInHLRayV1vh25vqmy1fdnFkgJRwJVNWL14k6e17jAUO
   Rmu50E9sjz9BDZTUCoftLEstD5AECJDjaZkfy4FnAgIoAA==
   -----END PKCS12-----

8.  Dana's Sample Certificates

   Dana has the following information:

   *  Name: "Dana Hopper"

   *  E-mail Address: "dna@smime.example"

8.1.  Dana's Signature Verification End-Entity Certificate

   This certificate is used for verification of signatures made by Dana.

Gillmor                 Expires 13 November 2021               [Page 27]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN CERTIFICATE-----
   MIIBpDCCAVagAwIBAgITJJvJ/RfYIwaHOq+JHuYw2w0HKzAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE
   YW5hIEhvcHBlcjAqMAUGAytlcAMhALLaHeGGRooNjrs+4K40ueetCId1JZik+WAW
   w6J/zm+uo4GVMIGSMAwGA1UdEwEB/wQCMAAwHQYDVR0RBBYwFIESZGFuYUBzbWlt
   ZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAd
   BgNVHQ4EFgQUSAOGwWm4eG2u3vPMBrAzrFcy3ZYwHwYDVR0jBBgwFoAUa6KVfboU
   m+QtBNEHpNGC5C5rjLUwBQYDK2VwA0EAbT5OedGDjT2UNivGqR7NVb4UVd6cRPM/
   yEuJ6P2k69jq6tIutanF1HAskHIOi3dt5IENbgCmdOrCqDYay9rdAA==
   -----END CERTIFICATE-----

8.2.  Dana's Signing Private Key Material

   This private key material is used by Dana to create signatures.

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VwBCIEINZ8GPfmQh2AMp+uNIsZMbzvyTOltwvEt13usjnUaW4N
   -----END PRIVATE KEY-----

   This secret key is the [SHA256] digest of the ASCII string "draft-
   lamps-sample-certs-keygen.dana.sign.25519.seed".

8.3.  Dana's Encryption End-Entity Certificate

   This certificate is used to encrypt messages to Dana.  It contains an
   SMIMECapabilities extension to indicate that Dana's MUA expects ECDH
   with HKDF using SHA-256; uses AES-128 key wrap, as indicated in
   [RFC8418].

   -----BEGIN CERTIFICATE-----
   MIIBzzCCAYGgAwIBAgITblJdPFwwrKiKmpHj0REce7n5NTAFBgMrZXAwNTEzMDEG
   A1UEAxMqU2FtcGxlIExBTVBTIEVkMjU1MTkgQ2VydGlmaWNhdGUgQXV0aG9yaXR5
   MCAXDTIwMTIxNTIxMzU0NFoYDzIwNTIxMjE1MjEzNTQ0WjAWMRQwEgYDVQQDEwtE
   YW5hIEhvcHBlcjAqMAUGAytlbgMhAOAxojYBaRT0sbwK9pEeANIRj13vZjwQ1l4z
   CJs+6CRUo4HAMIG9MCkGCSqGSIb3DQEJDwQcMBoGCyqGSIb3DQEJEAMTMAsGCWCG
   SAFlAwQBBTAMBgNVHRMBAf8EAjAAMB0GA1UdEQQWMBSBEmRhbmFAc21pbWUuZXhh
   bXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCAwgwHQYDVR0O
   BBYEFJ3fTdQF75rsYIa8J20E6c5a3I+kMB8GA1UdIwQYMBaAFGuilX26FJvkLQTR
   B6TRguQua4y1MAUGAytlcANBAIip5JgJkZjKvC3pHKckgOnBxZbIfzNgJ8c65/Bq
   ce91uhvjbdiBeJPAz6a/GB3LRlrV6Q/TEtruGKDC7yYNLgc=
   -----END CERTIFICATE-----

8.4.  Dana's Decryption Private Key Material

   This private key material is used by Dana to decrypt messages.

Gillmor                 Expires 13 November 2021               [Page 28]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VuBCIEIGxZt8L7lY48OEq4gs/smQ4weDhRNMlYHG21StivPfz3
   -----END PRIVATE KEY-----

   This seed is the [SHA256] digest of the ASCII string "draft-lamps-
   sample-certs-keygen.dana.encrypt.25519.seed".

8.5.  PKCS12 Object for Dana

   This PKCS12 ([RFC7292]) object contains the same information as
   presented in Section 8.1, Section 8.2, Section 8.3, Section 8.4, and
   Section 6.1.

   It is locked with the simple four-letter password "dana".

   -----BEGIN PKCS12-----
   MIII3gIBAzCCCHYGCSqGSIb3DQEHAaCCCGcEgghjMIIIXzCCAo8GCSqGSIb3DQEH
   BqCCAoAwggJ8AgEAMIICdQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMwDgQIZNqH
   TA2APx0CAhQXgIICSPQnI0u1rbDuFE7RHOmB8gaSF2Sy8Rbz5yMH9Ecek09CKiuc
   4ZcQ1weWYXHAxMqRKdOBH//kvkbQq3z8tbrrMEIsqpa0KnbceCSAeBoSa6tfaDQh
   WpHoQpXNLxwK3Fmvan0njS3EEQafvSV3eu0KFpZUutMJXceXAFlLWytNtP1b85jy
   ije23fbzq1IeplZbWUjgFFAsC9PQf+3p+KE57HfhQ3pKPyQuGOCg54XuOVJVNOMX
   fGQxdFywK8L5F+KKqzvNwtzn3lEsLLedxzTLjspI0lz6EIKCvlpykkKZIbyZlakl
   rjvSN/VXiLwpzlFJTVAg1Cue0kGmDZIV22LGOqkkvnJ0R+h/3bnWVP/8OuFQGowb
   40IeclSsbxG0JIDcES4uX04m4bvb7Brx79FUHnGr5sXz45AqnbO1rMT8Vl12Qq9U
   Pn7u1CeLpNXl/hjU+zbcZzHcRYz2k+PqSxwHDyCbyJpINDY+LWfy8OOC2JUEhYze
   y6/vL7i0efHTf0CRNV9664Z9RdfxCPXRJEUVSZINSSydASkSWl+OABkAsYA2Fg7y
   PipJm+GdwKNP67aIlhiDatwSEZ2eT/TayNmCwXLlV83G7OSfw8UQjBYNIMmFuvLs
   TR5PLi3E2llcC9geKUHVDdEAGOB0ixgmfv2TqGFTE3sHdDVbLFn5OD3DtfV74YsA
   QqxOnN1OKleljMlJgN1w33jYzx90RqOJHt5ve4/Qj6CRK+TjU+xH0GvTSi6wcEmE
   UPD3az7ZGRrEVGRo7nWh2nNwiJLRMIICTwYJKoZIhvcNAQcGoIICQDCCAjwCAQAw
   ggI1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAjxuoiaSZDbnwICFH+AggII
   UmezlzXbcjLVmLiRmNAKNqzwefymnj/ykUx+3s9jACknIhEZ4nkNOdLffUvcMk0b
   DpzZGevsxLXBAc15x5cpaPJ13nbM/+9lQSnhqd7+wjkERRuRuyWj2Pe6yDauEgF4
   lrkaq+tQJmfSlFJFwlVVh7ZzpFTQlbPLJ0cVEtpGwkpeoLb1wJ0tH0u0/HS3CI/q
   aQ6QtEIIbsBvHG3Wx0gvYeQN+sTnfVS+nimMQSPN8u+ZTx/SsTad2LJqkWSo+mXm
   xG/pjYr7PKezppt4b5djGepPlIKwR+xeKYJdzFNteUUinEdOxEyxzutb0eZv5Fvt
   IfyhaAEMO3J1zN9kmihxKJRopGRjqSk96FqVNZE934JjR4mysGT/aEvGhYHD5kRL
   XX1Pea+aGlB9leBgC21QobStZLIB7OF/NMUXUJtCLuUx47v9hmbS0BjdihVRdf9b
   vouw52jnkbLtxWyFussZX3/SD57thiRroGcjO+j+LKwzjFTsec1TntKsDbuQY4P9
   YEBnNjo92xmnoXht95EcNanlLe7TdPqcKiSriYagpaBvKcuED25Lj0gvZCywJsFE
   UH6QIXoLyawV52Owjxl1PvkwPV5MBKTIAFsspipYDr7mrJBGWKKlOkpDEPj9qsR5
   iDgJjG56IaCLaR0xNhfpJSejC1PUQIw12x4tWf9f9+o+qt+2r4T2iDCCAe8GCSqG
   SIb3DQEHBqCCAeAwggHcAgEAMIIB1QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
   DgQI58n+zdh/luACAhSdgIIBqDm3P6jekAlPi1HmdPOG+jbWocN/FQRP5tMLXjMK
   oZZ7Xc7XXgLEZUX6Y7lwD4tsxBuUmskPdroF7GDXosp+NwnBKa1l46ABS2kJ5e5k
   ZAGaXouPHDc57kapBa3ZZ05CmexJKA48Gv4wje42bhQXrhuw0xXoKFUYiXY5z1YN
   kWm52m7RLN17toCOSzrcEiMr/vbU9Lm1yuJzqmDylJhafQqdujMr3vwA/aegT7RJ

Gillmor                 Expires 13 November 2021               [Page 29]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   757BFtPORkhaMGwHCBkNo07whqWU3CmUk4HLP8nSw0o5Y+YsGY6sxoCI0IXNjei0
   tbrElwTrxOfT4p2t2GcLNRViLsiYB+sdw5z0sSZakF5G1khu2IiWAWNoW3tjd+PE
   aD/AgsyQN7hKkpjSn62Z/iYd9pG6WqSZoC+sABKuVvR3fmfg8r0z3os6//Bdl6SI
   GgBFLWxm7tPhrb5D14nzmnlyomL0ED6Q/uu44TijOWl4b98F0Seals4xmlqy2rm8
   fxs/uvBdSv2xDNOq0zzb1i/BF5ALoeGkZfkhLGSQyrAbUzU6lkMAhABkc7L4SRQb
   pTminYCcp27XsnMwgcAGCSqGSIb3DQEHAaCBsgSBrzCBrDCBqQYLKoZIhvcNAQwK
   AQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQIvYHPW9b5hmQCAhS6BDhg7ISOR7nc0O8I
   VHRyJQdnut5/3/A/HlOBXerMaF9Hhs/at2mI632EAdUrlyZQBHv7CMAmJh0tRDE+
   MBcGCSqGSIb3DQEJFDEKHggAZABhAG4AYTAjBgkqhkiG9w0BCRUxFgQUnd9N1AXv
   muxghrwnbQTpzlrcj6QwgcAGCSqGSIb3DQEHAaCBsgSBrzCBrDCBqQYLKoZIhvcN
   AQwKAQKgWjBYMBwGCiqGSIb3DQEMAQMwDgQIXDvxSTwrri4CAhT6BDiJ3SNFvcnI
   Qzl92lp5BH5gR4yf5jkpq+mVUPke2BBBj2GGmltCobhp/spj4xPrG6zqg0RB4kAT
   nDE+MBcGCSqGSIb3DQEJFDEKHggAZABhAG4AYTAjBgkqhkiG9w0BCRUxFgQUSAOG
   wWm4eG2u3vPMBrAzrFcy3ZYwXzBPMAsGCWCGSAFlAwQCAwRAb7hp2ueeypwrQVGb
   B4g0cM1U9WV+3ku23y/LXhnkFeTqO+MDE5/KBjbU4ykjN2GZyiXPKQF3y+KCdEtH
   VcLNbwQILkOSTOXYyW0CAigA
   -----END PKCS12-----

9.  Security Considerations

   The keys presented in this document should be considered compromised
   and insecure, because the secret key material is published and
   therefore not secret.

   Applications which maintain blacklists of invalid key material SHOULD
   include these keys in their lists.

10.  IANA Considerations

   IANA has nothing to do for this document.

11.  Document Considerations

   [ RFC Editor: please remove this section before publication ]

   This document is currently edited as markdown.  Minor editorial
   changes can be suggested via merge requests at
   https://gitlab.com/dkg/lamps-samples or by e-mail to the author.
   Please direct all significant commentary to the public IETF LAMPS
   mailing list: "spasm@ietf.org"

11.1.  Document History

11.1.1.  Substantive Changes from draft-ietf-*-01 to draft-ietf-*-02

   *  Added cross-signed certificates for both CAs

Gillmor                 Expires 13 November 2021               [Page 30]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   *  Added S/MIME Capabilities extension for Carlos and Dana's
      encryption keys, indicating preferred ECDH parameters.

   *  Ensure no serial numbers are negative.

   *  Encode keyUsage extensions in minimum-length BIT STRINGs.

11.1.2.  Substantive Changes from draft-ietf-*-00 to draft-ietf-*-01

   *  Added Curve25519 sample certificates (new CA, Carlos, and Dana)

11.1.3.  Substantive Changes from draft-dkg-*-05 to draft-ietf-*-00

   *  WG adoption (dkg moves from Author to Editor)

11.1.4.  Substantive Changes from draft-dkg-*-04 to draft-dkg-*-05

   *  PEM blobs are now "sourcecode", not "artwork"

11.1.5.  Substantive Changes from draft-dkg-*-03 to draft-dkg-*-04

   *  Describe deterministic key generation

   *  label PEM blobs with filenames in XML

11.1.6.  Substantive Changes from draft-dkg-*-02 to draft-dkg-*-03

   *  Alice and Bob now each have two distinct certificates: one for
      signing, one for encryption, and public keys to match.

11.1.7.  Substantive Changes from draft-dkg-*-01 to draft-dkg-*-02

   *  PKCS#12 objects are deliberately locked with simple passphrases

11.1.8.  Substantive Changes from draft-dkg-*-00 to draft-dkg-*-01

   *  changed all three keys to use RSA instead of RSA-PSS

   *  set keyEncipherment keyUsage flag instead of dataEncipherment in
      EE certs

12.  Acknowledgements

   This draft was inspired by similar work in the OpenPGP space by
   Bjarni Runar and juga at [I-D.bre-openpgp-samples].

   Eric Rescorla helped spot issues with certificate formats.

Gillmor                 Expires 13 November 2021               [Page 31]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   Sean Turner pointed to [RFC4134] as prior work.

   Deb Cooley suggested that Alice and Bob should have separate
   certificates for signing and encryption.

   Wolfgang Hommel helped to build reproducible encrypted PKCS#12
   objects.

   Carsten Bormann got the XML "sourcecode" markup working for this
   draft.

   David A.  Cooper identified problems with the certificates and
   suggested corrections.

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.

   [RFC7292]  Moriarty, K., Ed., Nystrom, M., Parkinson, S., Rusch, A.,
              and M. Scott, "PKCS #12: Personal Information Exchange
              Syntax v1.1", RFC 7292, DOI 10.17487/RFC7292, July 2014,
              <https://www.rfc-editor.org/info/rfc7292>.

   [RFC8032]  Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital
              Signature Algorithm (EdDSA)", RFC 8032,
              DOI 10.17487/RFC8032, January 2017,
              <https://www.rfc-editor.org/info/rfc8032>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Gillmor                 Expires 13 November 2021               [Page 32]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   [RFC8551]  Schaad, J., Ramsdell, B., and S. Turner, "Secure/
              Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
              Message Specification", RFC 8551, DOI 10.17487/RFC8551,
              April 2019, <https://www.rfc-editor.org/info/rfc8551>.

13.2.  Informative References

   [FIPS186-4]
              "Digital Signature Standard (DSS)", National Institute of
              Standards and Technology report,
              DOI 10.6028/nist.fips.186-4, July 2013,
              <https://doi.org/10.6028/nist.fips.186-4>.

   [I-D.bre-openpgp-samples]
              Einarsson, B. R., juga, and D. K. Gillmor, "OpenPGP
              Example Keys and Certificates", Work in Progress,
              Internet-Draft, draft-bre-openpgp-samples-01, 20 December
              2019, <https://www.ietf.org/archive/id/draft-bre-openpgp-
              samples-01.txt>.

   [RFC4134]  Hoffman, P., Ed., "Examples of S/MIME Messages", RFC 4134,
              DOI 10.17487/RFC4134, July 2005,
              <https://www.rfc-editor.org/info/rfc4134>.

   [RFC7469]  Evans, C., Palmer, C., and R. Sleevi, "Public Key Pinning
              Extension for HTTP", RFC 7469, DOI 10.17487/RFC7469, April
              2015, <https://www.rfc-editor.org/info/rfc7469>.

   [RFC8410]  Josefsson, S. and J. Schaad, "Algorithm Identifiers for
              Ed25519, Ed448, X25519, and X448 for Use in the Internet
              X.509 Public Key Infrastructure", RFC 8410,
              DOI 10.17487/RFC8410, August 2018,
              <https://www.rfc-editor.org/info/rfc8410>.

   [RFC8418]  Housley, R., "Use of the Elliptic Curve Diffie-Hellman Key
              Agreement Algorithm with X25519 and X448 in the
              Cryptographic Message Syntax (CMS)", RFC 8418,
              DOI 10.17487/RFC8418, August 2018,
              <https://www.rfc-editor.org/info/rfc8418>.

   [SHA256]   Dang, Q., "Secure Hash Standard", National Institute of
              Standards and Technology report,
              DOI 10.6028/nist.fips.180-4, July 2015,
              <https://doi.org/10.6028/nist.fips.180-4>.

Author's Address

Gillmor                 Expires 13 November 2021               [Page 33]
Internet-Draft    S/MIME Example Keys and Certificates          May 2021

   Daniel Kahn Gillmor (editor)
   American Civil Liberties Union
   125 Broad St.
   New York, NY,  10004
   United States of America

   Email: dkg@fifthhorseman.net

Gillmor                 Expires 13 November 2021               [Page 34]