[Search] [txt|html|xml|pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06                                          
LAMPS Working Group                                         D.K. Gillmor
Internet-Draft                            American Civil Liberties Union
Intended status: Standards Track                            B. Hoeneisen
Expires: 28 November 2021                                 pEp Foundation
                                                             A. Melnikov
                                                               Isode Ltd
                                                             27 May 2021


                      Header Protection for S/MIME
                 draft-ietf-lamps-header-protection-05

Abstract

   S/MIME version 3.1 has introduced a feasible standardized option to
   accomplish Header Protection.  However, few implementations generate
   messages using this structure, and several legacy and non-legacy
   implementations have revealed rendering issues at the receiving side.
   Clearer specifications regarding message processing, particularly
   with respect to header sections, are needed in order to resolve these
   rendering issues.  Some mail user agents are also sending and
   receiving cryptographically-protected message headers using a
   different structure.

   In order to help implementers to correctly compose and render email
   messages with Header Protection, this document updates S/MIME Header
   Protection specifications with additional guidance on MIME format,
   sender and receiver processing.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 28 November 2021.






Gillmor, et al.         Expires 28 November 2021                [Page 1]


Internet-Draft          Header Protection S/MIME                May 2021


Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.1.  Two Schemes of Protected Headers  . . . . . . . . . . . .   5
     1.2.  Problems with Wrapped Messages  . . . . . . . . . . . . .   6
     1.3.  Problems with Injected Headers  . . . . . . . . . . . . .   6
     1.4.  Motivation  . . . . . . . . . . . . . . . . . . . . . . .   6
     1.5.  Other Protocols to Protect Email Headers  . . . . . . . .   7
     1.6.  Requirements Language . . . . . . . . . . . . . . . . . .   7
     1.7.  Terms . . . . . . . . . . . . . . . . . . . . . . . . . .   7
   2.  Problem Statement . . . . . . . . . . . . . . . . . . . . . .  10
     2.1.  Privacy . . . . . . . . . . . . . . . . . . . . . . . . .  10
     2.2.  Security  . . . . . . . . . . . . . . . . . . . . . . . .  11
     2.3.  Usability . . . . . . . . . . . . . . . . . . . . . . . .  11
     2.4.  Interoperability  . . . . . . . . . . . . . . . . . . . .  11
   3.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     3.1.  Interactions  . . . . . . . . . . . . . . . . . . . . . .  11
       3.1.1.  Main Use Case . . . . . . . . . . . . . . . . . . . .  11
       3.1.2.  Backward Compatibility Use Cases  . . . . . . . . . .  11
     3.2.  Protection Levels . . . . . . . . . . . . . . . . . . . .  13
       3.2.1.  In-Scope  . . . . . . . . . . . . . . . . . . . . . .  13
       3.2.2.  Out-of-Scope  . . . . . . . . . . . . . . . . . . . .  13
   4.  Specification . . . . . . . . . . . . . . . . . . . . . . . .  13
     4.1.  Main Use Case . . . . . . . . . . . . . . . . . . . . . .  14
       4.1.1.  MIME Format . . . . . . . . . . . . . . . . . . . . .  14
       4.1.2.  Sending Side  . . . . . . . . . . . . . . . . . . . .  17
       4.1.3.  Default Header Confidentiality Policy . . . . . . . .  22
       4.1.4.  Receiving Side  . . . . . . . . . . . . . . . . . . .  23
     4.2.  Backward Compatibility Use Cases  . . . . . . . . . . . .  31
       4.2.1.  Receiving Side MIME-Conformant  . . . . . . . . . . .  32
       4.2.2.  Receiving Side Not MIME-Conformant  . . . . . . . . .  32
   5.  Usability Considerations  . . . . . . . . . . . . . . . . . .  33
     5.1.  Mixed Protections Within a Message Are Hard To
           Understand  . . . . . . . . . . . . . . . . . . . . . . .  33



Gillmor, et al.         Expires 28 November 2021                [Page 2]


Internet-Draft          Header Protection S/MIME                May 2021


     5.2.  Users Should Not Have To Choose a Header Confidentiality
           Policy  . . . . . . . . . . . . . . . . . . . . . . . . .  33
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  33
   7.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  33
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  33
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  33
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  33
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  33
     10.2.  Informative References . . . . . . . . . . . . . . . . .  34
   Appendix A.  Test Vectors . . . . . . . . . . . . . . . . . . . .  36
     A.1.  Baseline Messages . . . . . . . . . . . . . . . . . . . .  36
       A.1.1.  No cryptographic protections over a simple message  .  36
       A.1.2.  S/MIME signed-only signedData over a simple message, No
               Header Protection . . . . . . . . . . . . . . . . . .  37
       A.1.3.  S/MIME signed-only multipart/signed over a simple
               message, No Header Protection . . . . . . . . . . . .  39
       A.1.4.  S/MIME encrypted and signed over a simple message, No
               Header Protection . . . . . . . . . . . . . . . . . .  41
       A.1.5.  No cryptographic protections over a complex
               message . . . . . . . . . . . . . . . . . . . . . . .  44
       A.1.6.  S/MIME signed-only signedData over a complex message,
               No Header Protection  . . . . . . . . . . . . . . . .  45
       A.1.7.  S/MIME signed-only multipart/signed over a complex
               message, No Header Protection . . . . . . . . . . . .  47
       A.1.8.  S/MIME encrypted and signed over a complex message, No
               Header Protection . . . . . . . . . . . . . . . . . .  50
     A.2.  Signed-only Messages  . . . . . . . . . . . . . . . . . .  54
       A.2.1.  S/MIME signed-only signedData over a simple message,
               Wrapped Message . . . . . . . . . . . . . . . . . . .  54
       A.2.2.  S/MIME signed-only multipart/signed over a simple
               message, Wrapped Message  . . . . . . . . . . . . . .  56
       A.2.3.  S/MIME signed-only signedData over a simple message,
               Injected Headers  . . . . . . . . . . . . . . . . . .  58
       A.2.4.  S/MIME signed-only multipart/signed over a simple
               message, Injected Headers . . . . . . . . . . . . . .  60
       A.2.5.  S/MIME signed-only signedData over a complex message,
               Wrapped Message . . . . . . . . . . . . . . . . . . .  62
       A.2.6.  S/MIME signed-only multipart/signed over a complex
               message, Wrapped Message  . . . . . . . . . . . . . .  64
       A.2.7.  S/MIME signed-only signedData over a complex message,
               Injected Headers  . . . . . . . . . . . . . . . . . .  67
       A.2.8.  S/MIME signed-only multipart/signed over a complex
               message, Injected Headers . . . . . . . . . . . . . .  70
     A.3.  Encrypted-and-signed Messages . . . . . . . . . . . . . .  73
       A.3.1.  S/MIME encrypted and signed over a simple message,
               Wrapped Message with hcp_minimal  . . . . . . . . . .  73
       A.3.2.  S/MIME encrypted and signed over a simple message,
               Injected Headers with hcp_minimal . . . . . . . . . .  76



Gillmor, et al.         Expires 28 November 2021                [Page 3]


Internet-Draft          Header Protection S/MIME                May 2021


       A.3.3.  S/MIME encrypted and signed over a simple message,
               Injected Headers with hcp_minimal (+ Legacy Display)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  79
       A.3.4.  S/MIME encrypted and signed over a simple message,
               Wrapped Message with hcp_strong . . . . . . . . . . .  82
       A.3.5.  S/MIME encrypted and signed over a simple message,
               Injected Headers with hcp_strong  . . . . . . . . . .  85
       A.3.6.  S/MIME encrypted and signed over a simple message,
               Injected Headers with hcp_strong (+ Legacy Display) .  88
       A.3.7.  S/MIME encrypted and signed reply over a simple
               message, Wrapped Message with hcp_minimal . . . . . .  91
       A.3.8.  S/MIME encrypted and signed reply over a simple
               message, Injected Headers with hcp_minimal  . . . . .  94
       A.3.9.  S/MIME encrypted and signed reply over a simple
               message, Injected Headers with hcp_minimal (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . .  97
       A.3.10. S/MIME encrypted and signed reply over a simple
               message, Wrapped Message with hcp_strong  . . . . . . 101
       A.3.11. S/MIME encrypted and signed reply over a simple
               message, Injected Headers with hcp_strong . . . . . . 104
       A.3.12. S/MIME encrypted and signed reply over a simple
               message, Injected Headers with hcp_strong (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 107
       A.3.13. S/MIME encrypted and signed over a complex message,
               Wrapped Message with hcp_minimal  . . . . . . . . . . 110
       A.3.14. S/MIME encrypted and signed over a complex message,
               Injected Headers with hcp_minimal . . . . . . . . . . 114
       A.3.15. S/MIME encrypted and signed over a complex message,
               Injected Headers with hcp_minimal (+ Legacy Display)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
       A.3.16. S/MIME encrypted and signed over a complex message,
               Wrapped Message with hcp_strong . . . . . . . . . . . 122
       A.3.17. S/MIME encrypted and signed over a complex message,
               Injected Headers with hcp_strong  . . . . . . . . . . 125
       A.3.18. S/MIME encrypted and signed over a complex message,
               Injected Headers with hcp_strong (+ Legacy Display) . 129
       A.3.19. S/MIME encrypted and signed reply over a complex
               message, Wrapped Message with hcp_minimal . . . . . . 133
       A.3.20. S/MIME encrypted and signed reply over a complex
               message, Injected Headers with hcp_minimal  . . . . . 137
       A.3.21. S/MIME encrypted and signed reply over a complex
               message, Injected Headers with hcp_minimal (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 141
       A.3.22. S/MIME encrypted and signed reply over a complex
               message, Wrapped Message with hcp_strong  . . . . . . 145
       A.3.23. S/MIME encrypted and signed reply over a complex
               message, Injected Headers with hcp_strong . . . . . . 149
       A.3.24. S/MIME encrypted and signed reply over a complex
               message, Injected Headers with hcp_strong (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 153



Gillmor, et al.         Expires 28 November 2021                [Page 4]


Internet-Draft          Header Protection S/MIME                May 2021


   Appendix B.  Additional information . . . . . . . . . . . . . . . 157
     B.1.  Stored Variants of Messages with Bcc  . . . . . . . . . . 157
   Appendix C.  Text Moved from Above  . . . . . . . . . . . . . . . 158
     C.1.  MIME Format . . . . . . . . . . . . . . . . . . . . . . . 158
       C.1.1.  S/MIME Specification  . . . . . . . . . . . . . . . . 159
       C.1.2.  Sending Side  . . . . . . . . . . . . . . . . . . . . 161
   Appendix D.  Document Considerations  . . . . . . . . . . . . . . 165
   Appendix E.  Document Changelog . . . . . . . . . . . . . . . . . 166
   Appendix F.  Open Issues  . . . . . . . . . . . . . . . . . . . . 167
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 168

1.  Introduction

   Privacy and security issues regarding email Header Protection in S/
   MIME have been identified for some time.  Most current
   implementations of cryptographically-protected electronic mail
   protect only the body of the message, which leaves significant room
   for attacks against otherwise-protected messages.  For example, lack
   of header protection allows an attacker to substitute the message
   subject and/or author.

   This document describes two different structures for how message
   headers can be cryptographically protected, and provides guidance for
   implementers of MUAs that generate and interpret such messages.  It
   takes particular care to ensure that messages interact reasonably
   well with legacy MUAs.

1.1.  Two Schemes of Protected Headers

   Unfortunately, there are two different schemes for cryptographically-
   protected email headers that may be in use on the Internet today.
   This document addresses them both and provides guidance to
   implementers.

   One scheme is the form specified in S/MIME 3.1 and later, which
   involves wrapping a "message/rfc822" MIME object with a Cryptographic
   Envelope.  This document calls this scheme "Wrapped Message", and it
   is documented in more detail in [RFC8551].  Experience has shown that
   this form does not interact well with some legacy MUAs (see
   Section 1.2).

   Consequently, another form of header protection is produced and
   consumed by some MUAs, where the protected headers are placed
   directly on the Cryptographic Payload, without using an intervening
   "message/*" MIME object.  This document calls this scheme "Injected
   Headers", and it is documented in more detail in
   [I-D.autocrypt-lamps-protected-headers].




Gillmor, et al.         Expires 28 November 2021                [Page 5]


Internet-Draft          Header Protection S/MIME                May 2021


1.2.  Problems with Wrapped Messages

   Several legacy MUAs have revealed rendering issues when dealing with
   a message with headers protected by the Wrapped Message scheme.  In
   some cases the user sees an attachment suggesting a forwarded email
   message, which -- in fact -- contains the protected email message
   that should be rendered directly.  For these cases, the user can
   click on the attachment to view the protected message.  However,
   there have also been reports of email clients displaying garbled
   text, or sometimes nothing at all.  In those cases the email clients
   on the receiving side are (most likely) not fully MIME-capable.

   The following shortcomings have been identified to cause these
   issues:

   *  Broken or incomplete implementations

   *  Lack of a simple means to distinguish "forwarded message" and
      "wrapped message" (for the sake of Header Protection)

   *  Not enough guidance with respect to handling of Header Fields on
      both the sending and the receiving side

1.3.  Problems with Injected Headers

   A legacy MUA dealing with an encrypted message that has some header
   fields obscured using the Injected Headers scheme will not render the
   obscured header fields to the user at all.  A workaround "legacy
   display" mechanism is provided in this document, which some legacy
   MUAs will render to the user, albeit not in the same location that
   the header fields would normally be rendered.  However, some legacy
   MUAs also fail to render the "legacy display" part, leaving the
   obscured header fields hidden from users of those MUAs.

1.4.  Motivation

   Furthermore, the need (technical) Data Minimization, which includes
   data sparseness and hiding all technically concealable information,
   has grown in importance over the past several years.  In addition,
   backwards compatibility must be considered when it is possible to do
   so without compromising privacy and security.

   No mechanism for Header Protection has been standardized for PGP/MIME
   (Pretty Good Privacy) [RFC3156] yet.  PGP/MIME developers have
   implemented ad-hoc header-protection, and would like to see a
   specification that is applicable to both S/MIME and PGP/MIME.





Gillmor, et al.         Expires 28 November 2021                [Page 6]


Internet-Draft          Header Protection S/MIME                May 2021


   This document describes the problem statement (Section 2), generic
   use cases (Section 3) and the specification for Header Protection
   (Section 4) with guidance on MIME format, sender and receiver
   processing .

   [I-D.ietf-lamps-header-protection-requirements] defines the
   requirements that this specification is based on.

   This document is in an early draft state and contains a proposal on
   which to base future discussions of this topic.  In any case, the
   final mechanism is to be determined by the IETF LAMPS WG.

1.5.  Other Protocols to Protect Email Headers

   A range of protocols for the protection of electronic mail (email)
   exists, which allows one to assess the authenticity and integrity of
   the email headers section or selected Header Fields from the domain-
   level perspective, specifically DomainKeys Identified Mail (DKIM)
   [RFC6376], as used by Domain-based Message Authentication, Reporting,
   and Conformance (DMARC) [RFC7489].  These protocols provide a domain-
   based reputation mechanism that can be used to mitigate some forms of
   unsolicited email (spam).  At the same time, these protocols can
   provide a level of cryptographic integrity and authenticity for some
   headers, depending on how they are used.  However, integrity
   protection and proof of authenticity are both tied to the domain name
   of the sending e-mail address, not the sending address itself, so
   these protocols do not provide end-to-end protection, and are
   incapable of providing any form of confidentiality.

1.6.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.7.  Terms

   The following terms are defined for the scope of this document:

   *  Man-in-the-middle (MITM) attack: cf. [RFC4949], which states: "A
      form of active wiretapping attack in which the attacker intercepts
      and selectively modifies communicated data to masquerade as one or
      more of the entities involved in a communication association."

      Note: Historically, MITM has stood for '_Man_-in-the-middle'.
      However, to indicate that the entity in the middle is not always a
      human attacker, MITM can also stand for 'Machine-in-the-middle' or
      'Meddler-in-the-middle'.



Gillmor, et al.         Expires 28 November 2021                [Page 7]


Internet-Draft          Header Protection S/MIME                May 2021


   *  S/MIME: Secure/Multipurpose Internet Mail Extensions (cf.
      [RFC8551])

   *  PGP/MIME: MIME Security with OpenPGP (cf.  [RFC3156])

   *  Message: An Email Message consisting of Header Fields
      (collectively called "the Header Section of the message")
      followed, optionally, by a Body; cf. [RFC5322].

      Note: To avoid ambiguity, this document does not use the terms
      "Header" or "Headers" in isolation, but instead always uses
      "Header Field" to refer to the individual field and "Header
      Section" to refer to the entire collection; cf. [RFC5322].

   *  Header Field (HF): cf. [RFC5322] Header Fields are lines beginning
      with a field name, followed by a colon (":"), followed by a field
      body (value), and terminated by CRLF.

   *  Header Section (HS): The Header Section is a sequence of lines of
      characters with special syntax as defined in [RFC5322].  It is the
      (top) section of a Message containing the Header Fields.

   *  Body: The Body is simply a sequence of bytes that follows the
      Header Section and is separated from the Header Section by an
      empty line (i.e., a line with nothing preceding the CRLF); cf
      [RFC5322].  It is the (bottom) section of Message containing the
      payload of a Message.  Typically, the Body consists of a (possibly
      multipart) MIME [RFC2045] construct.

   *  MIME Header Fields: Header Fields describing content of a MIME
      entity [RFC2045], in particular the MIME structure.  Each MIME
      Header Field name starts with "Content-" prefix.

   *  MIME Header Section (part): The collection of MIME Header Fields.
      "MIME Header Section" refers to a Header Sections that contains
      only MIME Header Fields, whereas "MIME Header Section part" refers
      to the MIME Header Fields of a Header Section that - in addition
      to MIME Header Fields - also contains non-MIME Header Fields.

   *  Essential Header Fields (EHF): The minimum set of Header Fields an
      Outer Message Header Section SHOULD contain; cf. Appendix C.1.2.5.

   *  Header Protection (HP): cryptographic protection of email Header
      Sections (or parts of it) for signatures and/or encryption

   *  Protection Levels (PL): The level of protection applied to a
      Message, e.g.  'signature and encryption' or 'signature only' (cf.
      Section 3.2).



Gillmor, et al.         Expires 28 November 2021                [Page 8]


Internet-Draft          Header Protection S/MIME                May 2021


   *  Protected: Portions of a message that have had any Protection
      Levels applied.

   *  Protected Message: A Message that has had any Protection Levels
      applied.

   *  Unprotected: Portions of a Message that has had no Protection
      Levels applied.

   *  Unprotected Message: A Message that has had no Protection Levels
      applied.

   *  Submission Entity: The entity which executes further processing of
      the Message (incl. transport towards the receiver), after
      protection measures have been applied to the Message.

      Note: The Submission Entity varies among implementations, mainly
      depending on the stage where protection measures are applied: E.g.
      a Message Submission Agent (MSA) [RFC6409] or another
      (proprietary) solution.  The latter is particularly relevant, if
      protection is implemented as a plugin solution.  Some
      implementations may determine the destination recipients by
      reading the To, Cc and Bcc Header Fields of the Outer Message.

   *  Original Message (OrigM): The Message to be protected before any
      protection-related processing has been applied on the sending
      side.  If the source is not a "message/rfc822" Message, OrigM is
      defined as the "virtual" Message that would be constructed for
      sending it as unprotected email.

   *  Inner Message (InnerM): The Message to be protected which has had
      wrapping and protection measures applied on the sending side OR
      the resulting Message once decryption and unwrapping on the
      receiving side has been performed.  Typically, the Inner Message
      is in clear text.  The Inner Message is a subset of (or the same
      as) the Original Message.  The Inner Message must be the same on
      the sending and the receiving side.

   *  Outer Message (OuterM): The Message as provided to the Submission
      Entity or received from the last hop respectively.  The Outer
      Message normally differs on the sending and the receiving side
      (e.g. new Header Fields are added by intermediary nodes).

   *  Receiving User Facing Message (RUFM): The Message used for
      rendering at the receiving side.  Typically this is the same as
      the Inner Message.





Gillmor, et al.         Expires 28 November 2021                [Page 9]


Internet-Draft          Header Protection S/MIME                May 2021


   *  Data Minimization: Data sparseness and hiding of all technically
      concealable information whenever possible.

   *  Cryptographic Layer, Cryptographic Payload, Cryptographic
      Envelope, Structural Headers, and MUA are all used as defined in
      [I-D.dkg-lamps-e2e-mail-guidance]

   *  User-Facing Headers are defined in
      [I-D.autocrypt-lamps-protected-headers].

   *  Legacy MUA: a MUA that does not understand protected headers as
      described in this document.  A Legacy Non-Crypto MUA is incapable
      of doing any end-to-end cryptographic operations.  A Legacy Crypto
      MUA is capable of doing cryptographic operations, but does not
      understand or generate protected headers.

   *  Wrapped Message: The protected headers scheme that uses the
      mechanism described in [RFC8551], where the Cryptographic Payload
      is a "message/rfc822" or "message/global" MIME object.

   *  Injected Headers: The protected headers scheme that uses the
      mechanism described in [I-D.autocrypt-lamps-protected-headers],
      where the protected headers are inserted on the Cryptographic
      Payload directly.

   *  Header Confidentiality Policy: documented in Section 4.1.2.2

2.  Problem Statement

   The LAMPS charter contains the following Work Item:

      Update the specification for the cryptographic protection of email
      headers -- both for signatures and encryption -- to improve the
      implementation situation with respect to privacy, security,
      usability and interoperability in cryptographically-protected
      electronic mail.  Most current implementations of
      cryptographically-protected electronic mail protect only the body
      of the message, which leaves significant room for attacks against
      otherwise-protected messages.

   In the following a set of challenges to be addressed:

   [[ TODO: Enhance this section, add more items to the following. ]]

2.1.  Privacy

   *  (Technical) Data Minimization, which includes data sparseness and
      hiding all technically concealable information whenever possible



Gillmor, et al.         Expires 28 November 2021               [Page 10]


Internet-Draft          Header Protection S/MIME                May 2021


2.2.  Security

   *  Prevent MITM attacks (cf.  [RFC4949])

2.3.  Usability

   *  Improved User interaction / User experience, in particular at the
      receiving side

2.4.  Interoperability

   *  Interoperability with [RFC8551] implementations

3.  Use Cases

   In the following, the reader can find a list of the generic use cases
   that need to be addressed for Messages with Header Protection (HP).
   These use cases apply regardless of technology (S/MIME, PGP/MIME,
   etc.) used to achieve HP.

3.1.  Interactions

   The following use cases assume that at least the sending side
   supports Header Protection as specified in this document.  Receiving
   sides that support this specification are expected to be able to
   distinguish between Messages that use Header Protection as specified
   in this document, and (legacy) Mail User Agents (MUAs) which do not
   implement this specification.

   [[ TODO: Verify once solution is stable and update last sentence. ]]

3.1.1.  Main Use Case

   Both the sending and receiving side (fully) support Header Protection
   as specified in this document.

   The main use case is specified in Section 4.1.

3.1.2.  Backward Compatibility Use Cases

   Regarding backward compatibility, the main distinction is based on
   whether or not the receiving side conforms to MIME according to
   [RFC2046], ff., which in particular also includes Section 2 of
   [RFC2049] on "MIME Conformance".  The following excerpt is
   contextually relevant:






Gillmor, et al.         Expires 28 November 2021               [Page 11]


Internet-Draft          Header Protection S/MIME                May 2021


     A mail user agent that is MIME-conformant MUST:

     [...]

          -- Recognize and display at least the RFC822 message
          encapsulation (message/rfc822) in such a way as to
          preserve any recursive structure, that is, displaying
          or offering to display the encapsulated data in
          accordance with its media type.

          -- Treat any unrecognized subtypes as if they were
          "application/octet-stream".

     [...]

     An MUA that meets the above conditions is said to be MIME-
     conformant.  A MIME-conformant MUA is assumed to be "safe" to
     send virtually any kind of properly-marked data to users of
     such mail systems, because these systems are, at a minimum,
     capable of treating the data as undifferentiated binary, and
     will not simply splash it onto the screen of unsuspecting
     users.

   [[ TODO: The compatibility of legacy HP systems with this new
   solution, and how to handle issues surrounding future maintenance for
   these legacy systems, will be decided by the LAMPS WG. ]]

3.1.2.1.  Receiving Side MIME-Conformant

   The sending side (fully) supports Header Protection as specified in
   this document, while the receiving side does not support this
   specification.  However, the receiving side is MIME-conformant
   according to [RFC2045], ff. (cf.  Section 3.1.2).

   This use case is specified in Section 4.2.1.

   Note: This case should perform as expected if the sending side
   applies this specification as outlined in Section 4.1.

   [[ TODO: Verify once solution is stable and update last sentence. ]]

3.1.2.2.  Receiving Side Not MIME-Conformant

   The sending side (fully) supports Header Protection as specified in
   this document, while the receiving side does not support this
   specification.  Furthermore, the receiving side is *not* MIME-
   conformant according to [RFC2045], ff. (cf.  Section 3.1.2).




Gillmor, et al.         Expires 28 November 2021               [Page 12]


Internet-Draft          Header Protection S/MIME                May 2021


   This use case is specified in Section 4.2.2.

3.2.  Protection Levels

3.2.1.  In-Scope

   The following Protection Levels are in scope for this document:

   a) Signature and encryption

   Messages containing a cryptographic signature, which are also
   encrypted.

   b) Signature only

   Messages containing a cryptographic signature, but which are not
   encrypted.

3.2.2.  Out-of-Scope

   Legacy implementations, implementations not (fully) compliant with
   this document or corner-cases may lead to further Protection Levels
   to appear on the receiving side, such as (list not exhaustive):

   *  Triple wrap

   *  Encryption only

   *  Encryption before signature

   *  Signature and encryption, but:

      -  Signature fails to validate

      -  Signature validates but the signing certificate revoked

   *  Signature only, but:

      -  with multiple valid signatures, layered atop each other

   These Protection Levels, as well as any further Protection Levels not
   listed in Section 3.2.1 are beyond the scope of this document.

4.  Specification

   This section contains the specification for Header Protection in S/
   MIME to update and clarify Section 3.1 of [RFC8551] (S/MIME 4.0).




Gillmor, et al.         Expires 28 November 2021               [Page 13]


Internet-Draft          Header Protection S/MIME                May 2021


   Note: It is likely that PGP/MIME [RFC3156] will also incorporate this
   specification or parts of it.

   This specification applies to the Protection Levels "signature &
   encryption" and "signature only" (cf.  Section 3.2):

   Sending and receiving sides MUST implement the "signature and
   encryption" Protection Level, which SHOULD be used as default on the
   sending side.

   Certain implementations may decide to send "signature only" Messages,
   depending on the circumstances and customer requirements.  Sending
   sides MAY and receiving sides MUST implement "signature only"
   Protection Level.

   It generally is NOT RECOMMENDED to send a Message with any other
   Protection Level.  On the other hand, the receiving side must be
   prepared to receive Messages with other Protection Levels.

   [[ TODO: Further study is necessary to determine whether - and if yes
   to what extent - additional guidance for handling messages with other
   Protection Levels, e.g. "encryption only" at the receiving side
   should be included in this document. ]]

4.1.  Main Use Case

   This section applies to the main use case, where the sending and
   receiving side (fully) support Header Protection as specified herein
   (cf.  Section 3.1.1).

   Note: The sending side specification of the main use case is also
   applicable to the cases where the sending side (fully) supports
   Header Protection as specified herein, while the receiving side does
   not, but is MIME-conformant according to [RFC2045], ff. (cf.
   Section 3.1.2 and Section 3.1.2.1).

   Further backward compatibility cases are defined in Section 4.2.

4.1.1.  MIME Format

4.1.1.1.  Introduction

   As per S/MIME version 3.1 and later (cf.  [RFC8551]), the sending
   client MAY wrap a full MIME message in a message/RFC822 wrapper in
   order to apply S/MIME security services to these header fields.






Gillmor, et al.         Expires 28 November 2021               [Page 14]


Internet-Draft          Header Protection S/MIME                May 2021


   To help the receiving side to distinguish between a forwarded and a
   wrapped message, the Content-Type header field parameter "forwarded"
   is added as defined in [I-D.melnikov-iana-reg-forwarded].

   The simplified (cryptographic overhead not shown) MIME structure of
   such an Email Message looks as follows:

     <Outer Message Header Section (unprotected)>

     <Outer Message Body (protected)>

       <MIME Header Section (wrapper)>

         <Inner Message Header Section>

         <Inner Message Body>

   The following example demonstrates how an Original Message might be
   protected, i.e., the Original Message is contained as Inner Message
   in the Protected Body of an Outer Message.  It illustrates the first
   Body part (of the Outer Message) as a "multipart/signed"
   (application/pkcs7-signature) media type:

   Lines are prepended as follows:

   *  "O: " Outer Message Header Section

   *  "I: " Message Header Section

   *  "W: " Wrapper (MIME Header Section)





















Gillmor, et al.         Expires 28 November 2021               [Page 15]


Internet-Draft          Header Protection S/MIME                May 2021


     O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
     O: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@m.example.net>
     O: Subject: Meeting at my place
     O: From: "Alexey Melnikov" <alexey.melnikov@example.net>
     O: To: somebody@example.net
     O: MIME-Version: 1.0
     O: Content-Type: multipart/signed; charset=us-ascii; micalg=sha1;
     O:  protocol="application/pkcs7-signature";
     O:  boundary=boundary-AM

        This is a multipart message in MIME format.
        --boundary-AM
     W: Content-Type: message/RFC822; forwarded=no
     W:
     I: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
     I: From: "Alexey Melnikov" <alexey.melnikov@example.net>
     I: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@m.example.net>
     I: MIME-Version: 1.0
     I: MMHS-Primary-Precedence: 3
     I: Subject: Meeting at my place
     I: To: somebody@example.net
     I: X-Mailer: Isode Harrier Web Server
     I: Content-Type: text/plain; charset=us-ascii

        This is an important message that I don't want to be modified.

        --boundary-AM
        Content-Transfer-Encoding: base64
        Content-Type: application/pkcs7-signature

        [[base-64 encoded signature]]

        --boundary-AM--

   The Outer Message Header Section is unprotected, while the remainder
   (Outer Message Body) is protected.  The Outer Message Body consists
   of the wrapper (MIME Header Section) and the Inner Message (Header
   Section and Body).

   The wrapper is a simple MIME Header Section with media type "message/
   rfc822" containing a Content-Type header field parameter
   "forwarded=no" followed by an empty line.

   If the source is an Original (message/rfc822) Message, the Inner
   Message Header Section is typically the same as (or a subset of) the
   Original Message Header Section, and the Inner Message Body is
   typically the same as the Original Message Body.




Gillmor, et al.         Expires 28 November 2021               [Page 16]


Internet-Draft          Header Protection S/MIME                May 2021


   The Inner Message itself may contain any MIME structure.

   Note: It is still to be decided by the LAMPS WG whether or not to
   recommend an alternative MIME format as described in Appendix C.1.1.1
   (instead of the currently standardized and above defined format).

4.1.2.  Sending Side

   This section describes the process an MUA should use to apply
   cryptographic protection to an e-mail message with header protection.
   We start by describing the legacy message composition process as a
   baseline.

4.1.2.1.  Composing a Cryptographically-Protected Message Without Header
          Protection

   [I-D.dkg-lamps-e2e-mail-guidance] describes the typical process for a
   legacy crypto MUA to apply cryptographic protections to an e-mail
   message.  That guidance and terminology is replicated here for
   reference:

   *  "origbody": the traditional unprotected message body as a well-
      formed MIME tree (possibly just a single MIME leaf part).  As a
      well-formed MIME tree, "origbody" already has structural headers
      ("Content-*") present.

   *  "origheaders": the intended non-structural headers for the
      message, represented here as a list of "(h,v)" pairs, where "h" is
      a header field name and "v" is the associated value.  Note that
      these are header fields that the MUA intends to be visible to the
      recipient of the message.  In particular, if the MUA uses the
      "Bcc" header during composition, but plans to omit it from the
      message (see section 3.6.3 of [RFC5322]), it will not be in
      "origheaders".

   *  "crypto": The series of cryptographic protections to apply (for
      example, "sign with the secret key corresponding to X.509
      certificate X, then encrypt to X.509 certificates X and Y").  This
      is a routine that accepts a MIME tree as input (the Cryptographic
      Payload), wraps the input in the appropriate Cryptographic
      Envelope, and returns the resultant MIME tree as output.

   The algorithm returns a MIME object that is ready to be injected into
   the mail system:

   *  Apply "crypto" to "origbody", yielding MIME tree "output"

   *  For each header name and value "(h,v)" in "origheaders":



Gillmor, et al.         Expires 28 November 2021               [Page 17]


Internet-Draft          Header Protection S/MIME                May 2021


      -  Add header "h" of "output" with value "v"

   *  Return "output"

4.1.2.2.  Header Confidentiality Policy

   When composing an encrypted message with protected headers, the
   composing MUA needs a Header Confidentialiy Policy.  In this
   document, we represent that Header Confidentiality Policy as a
   function "hcp":

   *  "hcp(name, val_in) --> val_out": this function takes a header
      field name "name" and initial value "val_in" as arguments, and
      returns a replacement header value "val_out".  If "val_out" is the
      special value "null", it mean that the header in question should
      be omitted from the set of headers visible outside the
      Cryptographic Envelope.

   For example, an MUA that only obscures the "Subject" header field by
   replacing it with the literal string "[...]" and does not offer
   confidentiality to any other header fields would be represented as
   (in pseudocode):

   "hcp(name, val_in) --> val_out: if name is 'Subject': return '[...]'
   else: return val_in"

   Note that such a policy is only needed when the end-to-end
   protections include encryption (confidentiality).  No comparable
   policy is needed for other end-to-end cryptographic protections
   (integrity and authenticity), as they are simply uniformly applied so
   that all header fields known by the sender have these protections.

   This asymmetry is an unfortunate consequence of complexities in
   message delivery systems, some of which may reject, drop, or delay
   messages where all headers are removed from the top-level MIME
   object.

   This document does not mandate any particular Header Confidentiality
   Policy, though it offers guidance for MUA implementers in selecting
   one in Section 4.1.3.  Future documents may recommend or mandate such
   a policy for an MUA with specific needs.  Such a recommendation might
   be motivated by descriptions of metadata-derived attacks, or stem
   from research about message deliverability, or describe new
   signalling mechanisms, but these topics are out of scope for this
   document.






Gillmor, et al.         Expires 28 November 2021               [Page 18]


Internet-Draft          Header Protection S/MIME                May 2021


4.1.2.3.  Composing with "Wrapped Message" Header Protection

   To compose a message using "Wrapped Message" header protection, we
   use those inputs described in Section 4.1.2.1 plus the Header
   Confidentiality Policy "hcp" defined in Section 4.1.2.2.  The new
   algorithm is:

   *  For header name and value "(h,v)" in "origheaders":

      -  Add header "h" of "origbody" with value "v"

   *  If any of the header fields in "origbody", including headers in
      the nested internal MIME structure, contain any 8-bit UTF-8
      characters (see section section 3.7 of [RFC6532]):

      -  Let "payload" be a new MIME part with one header: "Content-
         Type: message/global; forwarded=no", and whose body is
         "origbody".

   *  Else:

      -  Let "payload" be a new MIME part with one header: "Content-
         Type: message/rfc822; forwarded=no", and whose body is
         "origbody".

   *  Apply "crypto" to "payload", yielding MIME tree "output"

   *  If "crypto" contains encryption:

      -  Create new empty list of header field names and values "newh"

      -  For header name and value "(h,v)" in "origheaders":

         o  Let "newval" be "hcp(h, v)"

         o  If "newval" is not "null":

            +  Append "(h,newval)" to "newh"

      -  Set "origheaders" to "newh"

   *  For header name and value "(h,v)" in "origheaders":

      -  Add header "h" of "output" with value "v"

   *  Return "output"





Gillmor, et al.         Expires 28 November 2021               [Page 19]


Internet-Draft          Header Protection S/MIME                May 2021


   Note that the Header Confidentiality Policy "hcp" is ignored if
   "crypto" does not contain encryption.  This is by design.

4.1.2.4.  Composing with "Injected Headers" Header Protection

   To compose a message using "Injected Headers" header protection, the
   composing MUA needs one additional input in addition to the Header
   Confidentiality Policy "hcp" defined in Section 4.1.2.2.

   *  "legacy": a boolean value, indicating whether any recipient of the
      message is believed to have a legacy client.  If all recipients
      are known to implement this draft, "legacy" should be set to
      "false".  (How a MUA determines the value of "legacy" is out of
      scope for this document; an initial implementation can simply set
      it to "true")

   The revised algorithm for applying cryptographic protection to a
   message is as follows:

   *  Create a new MIME leaf part "legacydisplay" with header "Content-
      Type: text/plain; protected-headers="v1"" and an empty body.

   *  if "crypto" contains encryption, and "legacy" is "true":

      -  For each header name and value "(h,v)" in "origheaders":

         o  If "h" is user-facing (see
            [I-D.autocrypt-lamps-protected-headers]):

            +  If "hcp(h,v)" is not "v":

               *  Add "h: v" to the body of "legacydisplay".  For
                  example, if "h" is "Subject", and "v" is "lunch
                  plans?", then add the line "Subject: lunch plans?" to
                  the body of "legacydisplay"

   *  If the body of "legacydisplay" is empty:

      -  Let "payload" be MIME part "origbody", discarding
         "legacydisplay"

   *  Else: (body of "legacydisplay" is not empty)

      -  Construct a new MIME part "wrapper" with "Content-Type:
         multipart/mixed"

      -  Give "wrapper" exactly two subparts: "legacydisplay" and
         "origbody", in that order.



Gillmor, et al.         Expires 28 November 2021               [Page 20]


Internet-Draft          Header Protection S/MIME                May 2021


      -  Let "payload" be MIME part "wrapper"

   *  For each header name and value "(h,v)" in "origheaders":

      -  Add header "h" of MIME part "payload" with value "v"

   *  Set the "protected-headers" parameter on the "Content-Type" of
      "payload" to "v1"

   *  Apply "crypto" to "payload", producing MIME tree "output"

   *  If "crypto" contains encryption:

      -  Create new empty list of header field names and values "newh"

      -  For header name and value "(h,v)" in "origheaders":

         o  Let "newval" be "hcp(h, v)"

         o  If "newval" is not "null":

            +  Add "newh[h]" to "newval"

      -  Set "origheaders" to "newh"

   *  For each header name and value "(h,v)" in "origheaders":

      -  Add header "h" of "output" with value "v"

   *  Return "output"

   Note that both new parameters ("hcp" and "legacy") are effectively
   ignored if "crypto" does not contain encryption.  This is by design,
   because they are irrelevant for signed-only cryptographic
   protections.

4.1.2.5.  Choosing Between Wrapped Message and Injected Headers

   When composing a message with end-to-end cryptographic protections,
   an MUA SHOULD protect the headers of that message as well as the
   body.

   An MUA MAY protect the headers of any outbound message using either
   the "Wrapped Message" or the "Injected Headers" style of protection.
   See Section 4.2 for more discussion about reasons to choose one
   mechanism or another.





Gillmor, et al.         Expires 28 November 2021               [Page 21]


Internet-Draft          Header Protection S/MIME                May 2021


   [[ TODO: this document should recommend generation of one particular
   scheme by default for new implementers ]]

4.1.3.  Default Header Confidentiality Policy

   An MUA SHOULD have a sensible default Header Confidentiality Policy,
   and SHOULD NOT require the user to select one.

   The default Header Confidentiality Policy SHOULD provide
   confidentiality for the "Subject" header field by replacing it with
   the literal string "[...]".  Most users treat the Subject of a
   message the same way that they treat the body, and they are surprised
   to find that the Subject of an encrypted message is visible.

   [[ TODO: select one of the two policies below the recommended default
   ]]

4.1.3.1.  Minimalist Header Confidentiality Policy

   Accordingly, the most conservative recommended Header Confidentiality
   Policy only protects the "Subject":

   "hcp_minimal(name, val_in) --> val_out: if name is 'Subject': return
   '[...]' else: return val_in"

4.1.3.2.  Strong Header Confidentiality Policy

   Alternately, a more aggressive (and therefore more privacy-
   preserving) Header Confidentiality Policy only leaks a handful of
   fields whose absence is known to increase rates of delivery failure,
   and simultaneously obscures the "Message-ID" behind a random new one:

   "hcp_strong(name, val_in) --> val_out: if name in ['From', 'To',
   'Cc', 'Date']: return val_in else if name is 'Subject': return
   '[...]' else if name is 'Message-ID': return
   generate_new_message_id() else: return null"

   The function "generate_new_message_id()" represents whatever process
   the MUA typically uses to generate a "Message-ID" for a new outbound
   message.

4.1.3.3.  Offering Stronger Header Confidentiality

   A MUA MAY offer even stronger confidentiality for headers of an
   encrypted message than described in Section 4.1.3.2.  For example, it
   might implement an HCP that obfuscates the "From" field, or omits the
   "Cc" field, or ensures "Date" is represented in "UTC" (obscuring the
   local timezone).



Gillmor, et al.         Expires 28 November 2021               [Page 22]


Internet-Draft          Header Protection S/MIME                May 2021


   The authors of this document hope that implementers with deployment
   experience will document their chosen Header Confidentiality Policy
   and the rationale behind their choice.

4.1.4.  Receiving Side

   An MUA that receives a cryptographically-protected e-mail will render
   it for the user.

   The receiving MUA will render the message body, a selected subset of
   header fields, and (as described in
   [I-D.dkg-lamps-e2e-mail-guidance]) provide a summary of the
   cryptographic properties of the message.

   Most MUAs only render a subset of header fields by default.  For
   example, few MUAs typically render "Message-Id" or "Received" header
   fields for the user, but most do render "From", "To", "Cc", "Date",
   and "Subject".

   A MUA that knows how to handle a message with protected headers makes
   the following two changes to its behavior when rendering a message:

   *  If it detects that an incoming message had protected headers, it
      renders header fields for the message from the protected headers,
      ignoring the external (unprotected) headers.

   *  It includes information in the message's cryptographic summary to
      indicate the types of protection that applied to each rendered
      header field (if any).

   A MUA that handles protected headers does _not_ need to render any
   new header fields that it did not render before.

4.1.4.1.  Identifying that a Message has Protected Headers

   An incoming message can be identified as having protected headers
   based on one of two signals:

   *  The Cryptographic Payload has "Content-Type: message/rfc822" or
      "Content-Type: message/global" and the parameter "forwarded" has a
      value of "no".  See Section 4.1.4.3 for rendering guidance.

   *  The Cryptographic Payload has some other "Content-Type" and it has
      parameter "protected-headers" set to "v1".  See Section 4.1.4.4
      for rendering guidance.






Gillmor, et al.         Expires 28 November 2021               [Page 23]


Internet-Draft          Header Protection S/MIME                May 2021


   Messages of both types exist in the wild, and a sensible MUA should
   be able to handle them both.  They provide the same semantics and the
   same meaning.

4.1.4.2.  Updating the Cryptographic Summary

   Regardless of whether a cryptographically-protected message has
   protected headers, the cryptographic summary of the message should be
   modified to indicate what protections the headers have.

   Each header individually has exactly one the following protections:

   *  "unprotected" (this is the case for all headers in messages that
      have no protected headers)

   *  "signed-only" (bound into the same validated signature as the
      enclosing message, but also visible in transit)

   *  "encrypted-only" (only appears within the cryptographic payload;
      the corresponding external header was either omitted or
      obfuscated)

   *  "encrypted-and-signed" (same as encrypted, but additionally is
      under a validatd signature)

   Note that while the message itself may be "encrypted-and-signed",
   some headers may be replicated on the outside of the message (e.g.
   "Date") Those headers would be "signed-only", despite the message
   itself being "encrypted-and-signed".

   Rendering this information is likely to be complex and messy ---
   users may not understand it.  It is beyond the scope of this document
   to suggest any specific graphical affordances or user experience.
   Future work should include examples of successful rendering of this
   information.

4.1.4.3.  Rendering a Wrapped Message

   When the Cryptographic Payload has "Content-Type" of "message/rfc822"
   or "message/global", and the parameter "forwarded" is set to "no",
   the values of the protected headers are drawn from the headers of the
   Cryptographic Payload, and the body that is rendered is the body of
   the Cryptographic Payload.

4.1.4.3.1.  Example Signed-Only Wrapped Message

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:



Gillmor, et al.         Expires 28 November 2021               [Page 24]


Internet-Draft          Header Protection S/MIME                May 2021


   A └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   B  └┬╴message/rfc822 [Cryptographic Payload]
   C   └┬╴multipart/alternative [Rendered Body]
   D    ├─╴text/plain
   E    └─╴text/html

   The message body should be rendered the same way as this message:

   C └┬╴multipart/alternative
   D  ├─╴text/plain
   E  └─╴text/html

   It should render header fields taken from part "C".

   Its cryptographic summary should indicates that the message was
   signed and all rendered header fields were included in the signature.

   The MUA SHOULD ignore header fields from part "A" for the purposes of
   rendering.

4.1.4.3.2.  Example Encrypted-and-Signed Wrapped Message

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:

   F └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   G  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   H   └┬╴message/rfc822 [Cryptographic Payload]
   I    └┬╴multipart/alternative [Rendered Body]
   J     ├─╴text/plain
   K     └─╴text/html

   The message body should be rendered the same way as this message:

   I └┬╴multipart/alternative
   J  ├─╴text/plain
   K  └─╴text/html

   It should render headers taken from part "I".









Gillmor, et al.         Expires 28 November 2021               [Page 25]


Internet-Draft          Header Protection S/MIME                May 2021


   Its cryptographic summary should indicates that the message was
   signed and encrypted.  Each rendered header field found in "I" should
   be compared against the header field of the same name from "F".  If
   the value found in "F" matches the value found in "I", the header
   field should be marked as "signed-only".  If no matching header field
   was found in "F", or the value found did not match the value from
   "I", the header field should be marked as "signed-and-encrypted".

4.1.4.4.  Rendering a Message with Injected Headers

   When the Cryptographic Payload does not have a "Content-Type" of
   "message/rfc822" or "message/global", and the parameter "protected-
   headers" is set to "v1", the values of the protected headers are
   drawn from the headers of the Cryptographic Payload, and the body
   that is rendered is the Cryptographic Payload itself.

4.1.4.4.1.  Example Signed-only Message with Injected Headers

   L └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   M  └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   N   ├─╴text/plain
   O   └─╴text/html

   The message body should be rendered the same way as this message:

   M └┬╴multipart/alternative
   N  ├─╴text/plain
   O  └─╴text/html

   It should render header fieldss taken from part "M".

   Its cryptographic summary should indicates that the message was
   signed and all rendered header fields were included in the signature.

   The MUA SHOULD ignore header fields from part "L" for the purposes of
   rendering.

4.1.4.4.2.  Example Signed-and-Encrypted Message with Injected Headers

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:









Gillmor, et al.         Expires 28 November 2021               [Page 26]


Internet-Draft          Header Protection S/MIME                May 2021


   P └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   Q  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   R   └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   S    ├─╴text/plain
   T    └─╴text/html

   The message body should be rendered the same way as this message:

   R └┬╴multipart/alternative
   S  ├─╴text/plain
   T  └─╴text/html

   It should render headers taken from part "R".

   Its cryptographic summary should indicates that the message was
   signed and encrypted.  As in Section 4.1.4.3.2, each rendered header
   field found in "R" should be compared against the header field of the
   same name from "P".  If the value found in "P" matches the value
   found in "R", the header field should be marked as "signed-only".  If
   no matching header field was found in "P", or the value found did not
   match the value from "R", the header field should be marked as
   "signed-and-encrypted".

4.1.4.4.3.  Do Not Render Legacy Display Part

   As described [I-D.autocrypt-lamps-protected-headers], a message with
   cryptographic confidentiality protection MAY include a "Legacy
   Display" part for backward-compatibility with legacy MUAs

   The receiving MUA SHOULD avoid rendering the Legacy Display part to
   the user at all, since it is aware of and can render the actual
   Protected Headers.

   If a Legacy Display part is detected, it and its enclosing
   "multipart/mixed" wrapper should be discarded before rendering.

4.1.4.4.3.1.  Legacy Display Detection Algorithm

   A receiving MUA acting on a message SHOULD detect the presence of a
   Legacy Display part and the corresponding "original body" with the
   following simple algorithm:

   *  Check that all of the following are true for the message:

   *  The Cryptographic Envelope must contain an encrypting
      Cryptographic Layer



Gillmor, et al.         Expires 28 November 2021               [Page 27]


Internet-Draft          Header Protection S/MIME                May 2021


   *  The Cryptographic Payload must have a "Content-Type" of
      "multipart/mixed"

   *  The Cryptographic Payload must have exactly two subparts

   *  The first subpart of the Cryptographic Payload must have a
      "Content-Type" of "text/plain" or "text/rfc822-headers"

   *  The first subpart of the Cryptographic Payload's "Content-Type"
      must contain a property of "protected-headers", and its value must
      be "v1".

   *  If all of the above are true, then the first subpart is the Legacy
      Display part, and the second subpart is the "original body".
      Otherwise, the message does not have a Legacy Display part.

4.1.4.4.3.2.  Legacy Display Example

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:

   U └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   V  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   W   └┬╴multipart/mixed [Cryptographic Payload]
   X    ├─╴text/plain [Legacy Display]
   Y    └┬╴multipart/alternative [Rendered Body]
   Z     ├─╴text/plain
   A'    └─╴text/html

   The message body should be rendered the same way as this message,
   effectively hiding the Legacy Display part ("X") and its wrapper:

   Y └┬╴multipart/alternative
   Z  ├─╴text/plain
   A' └─╴text/html

   It should render headers taken from part "W", following the same
   guidance as in Section 4.1.4.4.2 and Section 4.1.4.3.2 about the
   cryptographic status of each rendered header field.

4.1.4.5.  Affordances for Debugging and Troubleshooting

   Note that advanced users of an MUA may need access to the original
   message, for example to troubleshoot problems with the MUA itself, or
   problems with the SMTP transport path taken by the message.




Gillmor, et al.         Expires 28 November 2021               [Page 28]


Internet-Draft          Header Protection S/MIME                May 2021


   A MUA that applies these rendering guidelines SHOULD ensure that the
   full original source of the message as it was received remains
   available to such a user for debugging and troubleshooting.

4.1.4.6.  Composing a Reply to an Encrypted Message with Protected
          Headers

   When composing a reply to an encrypted message with protected
   headers, the MUA is acting both as a receiving MUA and as a sending
   MUA.  Special guidance applies here, as things can go wrong in at
   least two ways: leaking previously-confidential information, and
   replying to the wrong party.

4.1.4.6.1.  Avoid Leaking Encrypted Headers in Reply

   As noted in [I-D.dkg-lamps-e2e-mail-guidance], an MUA in this
   position MUST NOT leak previously-encrypted content in the clear in a
   followup message.  The same is true for protected headers.

   Values from any header field that was identified as either
   "encrypted" or "signed-and-encrypted" based on the steps outlined
   above MUST NOT be placed in cleartext output when generating a
   message.

   In particular, if "Subject" was encrypted, and it is copied into the
   draft encrypted reply, the replying MUA MUST obfuscate the "Subject"
   field in the cleartext header as described above.

   [[ TODO: formally describe how a replying MUA should generate a
   message-specific Header Protection policy based on the cryptographic
   status of the headers of the incoming message ]]

4.1.4.6.2.  Avoid Misdirected Replies to Encrypted Messages with
            Protected Headers

   When replying to a message, the Composing MUA typically decides who
   to send the reply to based on:

   *  the "Reply-To", "Mail-Followup-To", or "From" headers

   *  optionally, the other "To" or "Cc" headers (if the user chose to
      "reply all")

   When a message has protected headers, the replying MUA MUST populate
   the destination fields of the draft message using the protected
   headers, and ignore any unprotected headers.





Gillmor, et al.         Expires 28 November 2021               [Page 29]


Internet-Draft          Header Protection S/MIME                May 2021


   This mitigates against an attack where Mallory gets a copy of an
   encrypted message from Alice to Bob, and then replays the message to
   Bob with an additional "Cc" to Mallory's own e-mail address in the
   message's outer header.

   If Bob knows Mallory's certificate already, and he replies to such a
   message without following the guidance in this section, it's likely
   that his MUA will encrypt the cleartext of the message directly to
   Mallory.

4.1.4.7.  Implicitly-rendered Header Fields

   While "From" and "To" and "Cc" and "Subject" and "Date" are often
   explicitly rendered to the user, some header fields do affect message
   display, without being explicitly rendered.

   For example, "Message-Id", "References", and "In-Reply-To" header
   fields may collectively be used to place a message in a "thread" or
   series of messages.

   In another example, Section 4.1.4.6.2 observes that the value of the
   "Reply-To" field can influence the draft reply message.  So while the
   user may never see the "Reply-To" header directly, it is implicitly
   "rendered" when the user interacts with the message by replying to
   it.

   An MUA that depends on any implicitly-rendered header field in a
   message with protected headers SHOULD use the value from the
   protected header, and SHOULD NOT use any value found outside the
   cryptographic protection.

4.1.4.8.  Unprotected Headers Added in Transit

   Some headers are legitimately added in transit, and could not have
   been known to the sender at message composition time.

   The most common of these headers are "Received" and "DKIM-Signature",
   neither of which are typically rendered, either explicitly or
   implicitly.

   If a receiving MUA has specific knowledge about a given header field,
   including that:

   *  the header field would not have been known to the original sender,
      and

   *  the header field might be rendered explicitly or implicitly,




Gillmor, et al.         Expires 28 November 2021               [Page 30]


Internet-Draft          Header Protection S/MIME                May 2021


   then the MUA MAY decide to operate on the value of that header field
   from the unprotected header section, even though the message has
   protected headers.

   The MUA MAY prefer to verify that the headers in question have
   additional transit-derived cryptographic protections (e.g., to test
   whether they are covered by a valid "DKIM-Signature") before
   rendering or acting on them.

   Specific examples appear below.

4.1.4.8.1.  Mailing list headers: List-* and Archived-At

   If the message arrives through a mailing list, the list manager
   itself may inject headers (most of which start with "List-") in the
   message:

   *  "List-Archive"

   *  "List-Subscribe"

   *  "List-Unsubscribe"

   *  "List-Id"

   *  "List-Help"

   *  "List-Post"

   *  "Archived-At"

   For some MUAs, these headers are implicitly rendered, by providing
   buttons for actions like "Subscribe", "View Archived Version", "Reply
   List", "List Info", etc.

   An MUA that receives a message with protected headers that contains
   these header fields in the unprotected section, and that has reason
   to believe the message is coming through a mailing list MAY decide to
   render them to the user (explicitly or implicitly) even though they
   are not protected.

   FIXME: other examples of unprotected transit headers?

4.2.  Backward Compatibility Use Cases







Gillmor, et al.         Expires 28 November 2021               [Page 31]


Internet-Draft          Header Protection S/MIME                May 2021


4.2.1.  Receiving Side MIME-Conformant

   This section applies to the case where the sending side (fully)
   supports Header Protection as specified in this document, while the
   receiving side does not support this specification, but is MIME-
   conformant according to [RFC2045], ff. (cf.  Section 3.1.2 and
   Section 3.1.2.1)

   The sending side specification of the main use case (cf.
   Section 4.1) MUST ensure that receiving sides can still recognize and
   display or offer to display the encapsulated data in accordance with
   its media type (cf.  [RFC2049], Section 2).  In particular, receiving
   sides that do not support this specification, but are MIME-conformant
   according to [RFC2045], ff. can still recognize and display the
   Message intended for the user.

   [[ TODO: Verify once solution is stable and update last sentence. ]]

4.2.2.  Receiving Side Not MIME-Conformant

   This section applies to cases where the sending side (fully) supports
   Header Protection as specified in this document, while the receiving
   side neither supports this specification *nor* is MIME-conformant
   according to [RFC2045], ff. (cf.  Section 3.1.2 and Section 3.1.2.2).

   [I-D.autocrypt-lamps-protected-headers] describes a possible way to
   achieve backward compatibility with existing S/MIME (and PGP/MIME)
   implementations that predate this specification and are not MIME-
   conformant (Legacy Display) either.  It mainly focuses on email
   clients that do not render emails which utilize header protection in
   a user friendly manner, which may confuse the user.  While this has
   been observed occasionally in PGP/MIME (cf.  [RFC3156]), the extent
   of this problem with S/MIME implementations is still unclear.  (Note:
   At this time, none of the samples in
   [I-D.autocrypt-lamps-protected-headers] apply header protection as
   specified in Section 3.1 of [RFC8551], which is wrapping as Media
   Type "message/RFC822".)

   Should serious backward compatibility issues with rendering at the
   receiving side be discovered, the Legacy Display format described in
   [I-D.autocrypt-lamps-protected-headers] may serve as a basis to
   mitigate those issues (cf.  Section 4.2).

   Another variant of backward compatibility has been implemented by pEp
   [I-D.pep-email], i.e. pEp Email Format 1.0.  At this time pEp has
   implemented this for PGP/MIME, but not yet S/MIME.





Gillmor, et al.         Expires 28 November 2021               [Page 32]


Internet-Draft          Header Protection S/MIME                May 2021


5.  Usability Considerations

   This section describes concerns for MUAs that are interested in easy
   adoption of header protection by normal users.

   While they are not protocol-level artifacts, these concerns motivate
   the protocol features described in this document.

   See also the Usability section in [I-D.dkg-lamps-e2e-mail-guidance].

5.1.  Mixed Protections Within a Message Are Hard To Understand

   [[ TODO ]]

5.2.  Users Should Not Have To Choose a Header Confidentiality Policy

   [[ TODO ]]

6.  Security Considerations

   [[ TODO ]]

7.  Privacy Considerations

   [[ TODO ]]

8.  IANA Considerations

   This document requests no action from IANA.

   [[ RFC Editor: This section may be removed before publication. ]]

9.  Acknowledgments

   The authors would like to thank the following people who have
   provided helpful comments and suggestions for this document: Berna
   Alp, Bernhard E.  Reiter, Claudio Luck, David Wilson, Hernani
   Marques, juga, Krista Bennett, Kelly Bristol, Lars Rohwedder, Robert
   Williams, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk, and
   Wei Chuang.

10.  References

10.1.  Normative References

   [I-D.dkg-lamps-e2e-mail-guidance]
              Gillmor, D. K., "Guidance on End-to-End E-mail Security",
              Work in Progress, Internet-Draft, draft-dkg-lamps-e2e-



Gillmor, et al.         Expires 28 November 2021               [Page 33]


Internet-Draft          Header Protection S/MIME                May 2021


              mail-guidance-01, 22 February 2021,
              <https://www.ietf.org/archive/id/draft-dkg-lamps-e2e-mail-
              guidance-01.txt>.

   [I-D.ietf-lamps-header-protection-requirements]
              Melnikov, A. and B. Hoeneisen, "Problem Statement and
              Requirements for Header Protection", Work in Progress,
              Internet-Draft, draft-ietf-lamps-header-protection-
              requirements-01, 29 October 2019,
              <https://www.ietf.org/archive/id/draft-ietf-lamps-header-
              protection-requirements-01.txt>.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
              <https://www.rfc-editor.org/info/rfc2045>.

   [RFC2046]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Two: Media Types", RFC 2046,
              DOI 10.17487/RFC2046, November 1996,
              <https://www.rfc-editor.org/info/rfc2046>.

   [RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Five: Conformance Criteria and
              Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996,
              <https://www.rfc-editor.org/info/rfc2049>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/info/rfc5322>.

   [RFC8551]  Schaad, J., Ramsdell, B., and S. Turner, "Secure/
              Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
              Message Specification", RFC 8551, DOI 10.17487/RFC8551,
              April 2019, <https://www.rfc-editor.org/info/rfc8551>.

10.2.  Informative References









Gillmor, et al.         Expires 28 November 2021               [Page 34]


Internet-Draft          Header Protection S/MIME                May 2021


   [I-D.autocrypt-lamps-protected-headers]
              Einarsson, B. R., juga, and D. K. Gillmor, "Protected
              Headers for Cryptographic E-mail", Work in Progress,
              Internet-Draft, draft-autocrypt-lamps-protected-headers-
              02, 20 December 2019, <https://www.ietf.org/archive/id/
              draft-autocrypt-lamps-protected-headers-02.txt>.

   [I-D.ietf-lamps-samples]
              Gillmor, D. K., "S/MIME Example Keys and Certificates",
              Work in Progress, Internet-Draft, draft-ietf-lamps-
              samples-04, 18 May 2021, <https://www.ietf.org/archive/id/
              draft-ietf-lamps-samples-04.txt>.

   [I-D.melnikov-iana-reg-forwarded]
              Melnikov, A. and B. Hoeneisen, "IANA Registration of
              Content-Type Header Field Parameter 'forwarded'", Work in
              Progress, Internet-Draft, draft-melnikov-iana-reg-
              forwarded-00, 4 November 2019,
              <https://www.ietf.org/archive/id/draft-melnikov-iana-reg-
              forwarded-00.txt>.

   [I-D.pep-email]
              Marques, H., "pretty Easy privacy (pEp): Email Formats and
              Protocols", Work in Progress, Internet-Draft, draft-pep-
              email-01, 2 November 2020,
              <https://www.ietf.org/archive/id/draft-pep-email-01.txt>.

   [pEp.mixnet]
              pEp Foundation, "Mixnet", June 2020,
              <https://dev.pep.foundation/Mixnet>.

   [RFC3156]  Elkins, M., Del Torto, D., Levien, R., and T. Roessler,
              "MIME Security with OpenPGP", RFC 3156,
              DOI 10.17487/RFC3156, August 2001,
              <https://www.rfc-editor.org/info/rfc3156>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/info/rfc4949>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <https://www.rfc-editor.org/info/rfc6376>.

   [RFC6409]  Gellens, R. and J. Klensin, "Message Submission for Mail",
              STD 72, RFC 6409, DOI 10.17487/RFC6409, November 2011,
              <https://www.rfc-editor.org/info/rfc6409>.



Gillmor, et al.         Expires 28 November 2021               [Page 35]


Internet-Draft          Header Protection S/MIME                May 2021


   [RFC6532]  Yang, A., Steele, S., and N. Freed, "Internationalized
              Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
              2012, <https://www.rfc-editor.org/info/rfc6532>.

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
              Message Authentication, Reporting, and Conformance
              (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
              <https://www.rfc-editor.org/info/rfc7489>.

Appendix A.  Test Vectors

   This section contains sample messages using the different schemes
   described in this document.  Each sample contains a MIME object, a
   textual and diagrammatic view of its structure, and examples of how
   an MUA might render it.

   The cryptographic protections used in this document use the S/MIME
   standard, and keying material and certificates come from
   [I-D.ietf-lamps-samples].

   These messages should be accessible to any IMAP client at
   "imap://bob@header-protection.cmrg.net/" (any password should
   authenticate to this read-only IMAP mailbox).

   You can also download copies of these test vectors separately at
   "https://header-protection.cmrg.net".

   If any of the messages downloaded differ from those offered here,
   this document is the canonical source.

A.1.  Baseline Messages

   These messages offer no header protection at all, and can be used as
   a baseline.  They are provided in this document as a counterexample.
   An MUA implementer can use these messages to verify that the reported
   cryptographic summary of the message indicates no header protection.

A.1.1.  No cryptographic protections over a simple message

   This message uses no cryptographic protection at all.  Its body is a
   text/plain message.

   It has the following structure:

   └─╴text/plain 152 bytes

   Its contents are:




Gillmor, et al.         Expires 28 November 2021               [Page 36]


Internet-Draft          Header Protection S/MIME                May 2021


   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: no-crypto
   Message-ID: <no-crypto@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:00:02 -0500

   This is the no-crypto message.

   This message uses no cryptographic protection at all.  Its body is a
   text/plain message.

   --
   Alice
   alice@smime.example

A.1.2.  S/MIME signed-only signedData over a simple message, No Header
        Protection

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 3852 bytes
    ⇩ (unwraps to)
    └─╴text/plain 204 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part
   Message-ID: <smime-one-part@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:01:02 -0500

   MIILFwYJKoZIhvcNAQcCoIILCDCCCwQCAQExDTALBglghkgBZQMEAgEwggFABgkq
   hkiG9w0BBwGgggExBIIBLU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
   IHRleHQvcGxhaW47IGNoYXJzZXQ9InV0Zi04Ig0KQ29udGVudC1UcmFuc2Zlci1F
   bmNvZGluZzogN2JpdA0KDQpUaGlzIGlzIHRoZSBzbWltZS1vbmUtcGFydCBtZXNz
   YWdlLg0KDQpUaGlzIGlzIGEgc2lnbmVkLW9ubHkgUy9NSU1FIG1lc3NhZ2Ugdmlh
   IFBLQ1MjNyBzaWduZWREYXRhLiAgVGhlDQpwYXlsb2FkIGlzIGEgdGV4dC9wbGFp
   biBtZXNzYWdlLiBJdCB1c2VzIG5vIGhlYWRlciBwcm90ZWN0aW9uLg0KDQotLSAN



Gillmor, et al.         Expires 28 November 2021               [Page 37]


Internet-Draft          Header Protection S/MIME                May 2021


   CkFsaWNlDQphbGljZUBzbWltZS5leGFtcGxlDQqgggemMIIDzzCCAregAwIBAgIT
   Dy0lvRE5l0rOQlSHoe49NAaKtDANBgkqhkiG9w0BAQ0FADBVMQ0wCwYDVQQKEwRJ
   RVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJT
   QSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTExMjAwNjU0MThaGA8yMDUy
   MDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   FzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
   MIIBCgKCAQEAmpUp+ovBouOP6AFQJ+RpwpODxxzY60n1lJ53pTeNSiJlWkwtw/cx
   Qq0t4uD2vWYB8gOUH/CVt2Zp1c+auzPKJ2Zu5mY6kHm+hVB+IthjLeI7Htg6rNeu
   Xq50/TuTSxX5R1I1EXGt8p6hAQVeA5oZ2afHg4b97enV8gozR0/Nkug4AkXmbk7T
   HNc8vvjMUJanZ/VmS4TgDqXjWShplcI3lcvvBZMswt41/0HJvmSwqpS6oQcAx3We
   ag0yCNj1V9V9yu/3DjcYbwW2lJf5NbMHbM1LY4X5chWfNEbkN6hQury/zxnlsukg
   n+fHbqvwDhJLAgFpW/jA/EB/WI+whUpqtQIDAQABo4GvMIGsMAwGA1UdEwEB/wQC
   MAAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMB4GA1UdEQQXMBWBE2FsaWNlQHNt
   aW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYDVR0PAQH/BAQDAgUg
   MB0GA1UdDgQWBBSiU0HVRDyAKRV8ASPw546vzfN3DzAfBgNVHSMEGDAWgBSRMI58
   BxcMp/EJKGU2GmccaHb0WTANBgkqhkiG9w0BAQ0FAAOCAQEAgUl4oJyxMpwWpAyl
   OvK6NEbMl1gD5H14EC4Muxq1u0q2XgXOSBHI6DfX/4LDsfx7fSIus8gWVY3WqMeu
   OA7IizkBD+GDEu8uKveERRXZncxGwy2MfbH1Ib3U8QzTjqB8+dz2AwYeMxODWq9o
   pwtA/lTOkRg8uuivZfg/m5fFo/QshlHNaaTDVEXsU4Ps98Hm/3gznbvhdjFbZbi4
   oZ3tAadRlE5K9JiQaJYOnUmGpfB8PPwDR6chMZeegSQAW++OIKqHrg/WEh4yiuPf
   qmAvX2hZkPpivNJYdTPUXTSO7K459CyqbqG+sNOo2kc1nTXl85RHNrVKQK+L0YWY
   1Q+hWDCCA88wggK3oAMCAQICEzdBBXntdX9CqaJcOvT4as6aqdcwDQYJKoZIhvcN
   AQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNV
   BAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwIBcN
   MTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIw
   DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr
   +E3wP6XTvyi6WWyTgBK9LCOwI2juwdRrjFBSXkk7pWpjXwsA3A5GOtz0FpfgyC7O
   xsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A/3rBX7PhO0DBbZnfitOLPgPEwjTt
   dg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6syTjGsgkLcLNau5LZ
   DQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0zEoj
   0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSzsCAwEA
   AaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAe
   BgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUF
   BwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
   ZnMwHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZIhvcNAQEN
   BQADggEBAHOJojanzqmgaSN3/gqSQ4cbbmdj/R40BEPr+gXT+xiidfZ2iLNwYyTn
   euK6AChwKfnNvOFb8lV1iffRTF/KtmVEDMR/sYeqAH83KM5p3el2lVh4OHhyI0qN
   uz5oShNaACSioQ23WxHGVy9vsdVfnbhsplrWg9NQ2WbpCmK+2oMh2oYl0Z/wvXMt
   9cG6jbMvcdH4z0IOvg6mrYkKTM/RCGnumghxwYToj1OyD5Gs4D2IJCw+fX5ODxh5
   2MbNRYXTus2ZPRPM8JXNQC4GWv4km3M4rKnJDd6hnoQ9rNeozIcBVyybQYjfrgg4
   DRvw9Ksk22OH4ConlB8f7R7s1LM2cSYxggIAMIIB/AIBATBsMFUxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMg
   UlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3QQV57XV/QqmiXDr0+GrOmqnX
   MAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZI
   hvcNAQkFMQ8XDTIxMDIyMDE1MDEwMlowLwYJKoZIhvcNAQkEMSIEIESMi+9/LUlD
   fGjj+6U50VNLFxbzvyVJ0wzwnTS114DyMA0GCSqGSIb3DQEBAQUABIIBACJHeayB
   UllC4GdcgdojTUjoeIy6UIbrSg/aKZgAkCB8Dwq0hdU10qiun6WKI/TxM5izpRvL



Gillmor, et al.         Expires 28 November 2021               [Page 38]


Internet-Draft          Header Protection S/MIME                May 2021


   UsNBGmqknPBMFhvwX6KCrwFk0p0j5Y5DZqX30deiQiGTUv3NiwZGTrKJ3JkyymFO
   HGbe5Thrq3inRLVfilEuIZewaJsnJhKfnEq9fS09icTJ5olPDAH6mZbW6hpYmU3F
   KBk2qJNqJX6bo60rCogu3wXDj0wxnqEXmeNDH5/+L9UVZur+EWzviUc8Ldd/kP3L
   DOO7ivs10bAWe8Tbw7NjuP8ZlVvzcvj3nXWzZzxh2ymDIOvyJA+t0LHQvsN/fbdW
   fC6Pm51fEkabbmw=

A.1.3.  S/MIME signed-only multipart/signed over a simple message, No
        Header Protection

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses no
   header protection.

   It has the following structure:

   └┬╴multipart/signed 4156 bytes
    ├─╴text/plain 224 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="76c";
    micalg="sha-256"
   Subject: smime-multipart
   Message-ID: <smime-multipart@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:02:02 -0500

   --76c
   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message. It uses no
   header protection.

   --
   Alice
   alice@smime.example

   --76c
   Content-Transfer-Encoding: base64



Gillmor, et al.         Expires 28 November 2021               [Page 39]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj
   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD
   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl
   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz
   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTAyMDJa



Gillmor, et al.         Expires 28 November 2021               [Page 40]


Internet-Draft          Header Protection S/MIME                May 2021


   MC8GCSqGSIb3DQEJBDEiBCBBQlio2vX/u19qayJ1Cm1QL6VZY0fBeGz9o7nEzCRO
   +zANBgkqhkiG9w0BAQEFAASCAQARvwKQYbbPuADZ7KqyO9LuESdEfBxOF80sHKNz
   UXrHZo8JdKaKxr/cTAuzBvoTxsmqvzP3ItCBm+javqX22+tHTpqisz5jkoiWyNVS
   e+F++YX8mXokgQpY26mZ+15Mv8pYYhptn6zdkRU1+QOwwlDCc6ykkCZeXyc+Hf7c
   xqM6SqPMQ+G7wIF6P2jHCId8Xyl7sdbL0i6PjotesHU+7nQsCjgI/iVR/ubWUdFX
   CTg8HVy4p683V3Y9DoRNP4MlUdmon8JasHDvA0240JcXxhJn1zEYa4gOnwgu3kh9
   3Y+NeucYCT0bXCBq2RLVQSpdNZfScXKL9QvZ3FtB0r6Bmtky

   --76c--

A.1.4.  S/MIME encrypted and signed over a simple message, No Header
        Protection

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 6720 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 3960 bytes
     ⇩ (unwraps to)
     └─╴text/plain 239 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: smime-enc-signed
   Message-ID: <smime-enc-signed@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:03:02 -0500

   MIITXAYJKoZIhvcNAQcDoIITTTCCE0kCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAE1K2Qo2Ln5O6L9qgFnOdvuAuXnh2dLiYWIt
   x7B9W2VMQCtrxTipZfUe+Y4oV/Rxifp4gChJ2lCgt6A4hHyApD1yNqmR1pCT+ky6
   jOJlr907Jzy9nIADEjaeKTIHePPWEWPiF3Otlrvg25NobNAE/dzcSgaS+SHsfPgu
   vW6gA+lfzdoOKIWNVl1AJfbDRw8DeDi5n8ZPLkb/gYteBpY5mC2Iu8TebZ5qstQH
   i8G01K4xb6E7eMdXKx+gyDxox1P79E4q3dCKwYPK/C6B3AaY52WW55js9mb79OH5
   6/XvIEez58lV4a9d0iY7g+aoARyTPE9Z79miRYT0aagyYhblb14wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAWANrcGMnwYd7bg/TA9Wagm3q



Gillmor, et al.         Expires 28 November 2021               [Page 41]


Internet-Draft          Header Protection S/MIME                May 2021


   dbiZLg3NxHQZRLRySCFHt5wGkq1XcD7bWYwF0hSKiI4AJxJapfGUDEpDk1FYBU4r
   9zS/elrwCnhwpO9sLfbJPRVvMTgTZuCOaY25ovZWvWtkS9MRDH+WoM5SNTf4vHHu
   kjcSx5hafbhyiC5pPLLTRyIjObYgKraIMBXix7XKtSR/G7uD+HSIzhYUXqY0q2uQ
   w7XiijbRd4bq9zqBbXriYyhFdo/JsBnYckjmmKcTLp6DfYTEzILKBJOepEiY5X4J
   0JPeFyGxs7WSKDp1JZLZtjbMwvtEuUAwZ+iXDr1x/rQhq7mZIWqIbG6QpxYX6zCC
   EC4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEBDwXZa6LrdPCgLubNCkd3qAghAA
   kaaty8gkFo4+y5iWeOqsbZ9paegmFbiGsTQxrta64sj8znKQfQKz6/g055IcDixI
   STqxPMV+w01jv6+Azoy9qJP29UTL0mXAP0LDionSBTn/4VAwBMSUDRus6jkq045K
   UXxmIpcO3SeOnpCLksyij6QlnAO24SbKsBex7R5EXYXU7W1G/PCoz9SWlYrQuXJ9
   cU5ONWldvYE4/WeD1m3pjv3XKLNEWiaUIVolKFRhR4v+FUedn6dlVYDgfJrH8xDC
   kW9gQvI1ZBbnBOr/zkoDhMMKtTgTvmzLIauDEi2RWKzlvwCattvIkkrjt+SwWpvr
   oc6i58XfCx/d0YHPp5AIU8pslawDtQXe5ecACY9J/K0OgX1G51HI+O2XMC9S9QYn
   YPxA+CsRxmhKHzQv9au48aQwmLBkhkXZq7FCve8GTnCLdU5AmtP6ff59lga7+hfb
   VSz+jSodBL1WnlIKw/lrBvXFem/A4mtY/W9y9EVhGyRFuhoZDCiGRo/bPsyDNZBS
   WAsjHLI3NJeUgHFFcEn5xOwDmhmJOehzs712pqrzMd0VrT4hALvvhSGB7nybL5dR
   pabbxtpBgqzlwu6eoX1jSh5bF8/RsAJ81dxvn8AWcFc8q81YfYOzjqf7ZnuumT10
   18/rdepv/nfyiYCRhr2Eekj0F3bXjlTG1oeCNTuUPcNHVX6+hQ7FY2CJm9JCqNhL
   7whKhq+kKJuPugHb1e5d2rJFkNHrMIJAga8QqKy9eqKct4gW5FFT70wyB15YToJb
   qVxb3BEZ6u1shpZ9IGVzS0Jmvke+Ptze86it00fQIJWfrFqoag83GcCuQEyYEcIc
   HXWFsZIbQ1UD2+YSWBOzRBUUuJ3U66w3J5oDAYfYnieFNPuP0dhaAMsu7QQfLSZa
   T/GbSibQoFXcDx6MaZ5fbZ1iduvoZZfERNMe5vN+q/w9Lx5e8hf1EZmTNMuoRn9O
   wfT/wuM06Cc8FR2Ft7QLu80jqePQ6tAYwvA5QOvpBN9A82DUWz0I9eRDl9+S8Z+I
   QgjbPcZ0ACFqLCfbT6uzrKp2vGSrA+IcS89+qBB+sKbtWPgTrK7QlJgc7NpHGyhZ
   BltAVXv4fPngqn+gSqGuerD/xmvszHMIIHq6Q4ADxbxDE4R0yoV2afXUVyAMo85Q
   eNG5WJ83Z12msJqx1+1EUzzoQXxvrZHm0bMziCjV/P1cu/ChtmuemopRxkplLbJv
   /mChRaKv9TotDy2Dwzf5N5Xy58gb/0ktMXMdGpYts9awYc742TCscrTqutBAXtNM
   dXA0OyelkVHBBCRcoUEWWhUGQKYmK0NQIpxduJYcLLhkMI+2QfyfdkODplEtXbX9
   LaZhPRi9osmmF0fnSkmt2mtD+W8uxBF7espDkUsidb8NiUtzBrSqTADQUIuAw5xG
   322wFZ0DtpFM6nHpbYBfIGlIR4LyqTzyaSRJtMkMiDFgnMWrNF6pMsToo+4GbARO
   MWM9mq4XSMrKAinqu7T8UGWOt9bMfMJrTrpfETgQCL4vur9nI1CbgcPWW14U2oBW
   2lT1duS0o2eRpeGA93U6zF7BbCmlEqPK45Qmm78NwMcI9i4GgHSG2ssEn8URmv0L
   qp9+UmkhvLT26dZtkB0wPMEVOIWx3e+F34eVzno5jAbiJxuUIdDPDwQg7xtrcLif
   lRsaiGx7MtWsP6paqGBrYdHcXNt8P8k2ywNqRicTSThG0P09CNDWFwNaKa+9Ia7a
   EnWoFmNoNm/IUH+wbRQUnT7oh0qU2mxdgMnygDhEELe1+4tGCTAPTbxSU3gxQyv0
   w686bzZP9uGLoRfivmXKm73Wu0HtUefT1rNdPsJDfqEfo8mEY4EDMh+Fa50S9Yj6
   SGe8X9jDaTEJLd+yL7xEvdEQ7FxHbqo7twj/g4Im0OeG2ngEchWlYcuOrlgog4bv
   kWwcMhOCcQ/9242sgCTG/ATAV1ix0Z16/WCzzY60Zxk1eAlP3Ar9NiQHGuVClR0o
   QxhlP/1KvyVMAQTtuEposNLUdXMydq8lVErFuopYej3NJOPE7eA4BeIXNyrhxqfX
   j23tfb3/C4uHEmgjnfW1LZIjwWrOjoEZa2+lG+Si7YQWLLJWFNqEEH2rpxQMnwvx
   282dIYpyY14PDLLN5nMltY8MeMaNp6Q8rOwTDozmmZ9RONzbKJL3FxSVENKgdJTf
   v+gpLOvXou6qDdidAqxErGM0j68g8Rnsdw7Lj3FQH7JjLZiR3EQgGxRKDwTsV1rW
   ODtsNyKBtHDBOn/zOFTmgTVpYol2x/kV22C1Wn9ZArHFgZDxDyDjjJqxJwHlgVdE
   J+bUZ1C5DatXxvjpFhrTpUz1dvsTsq48cmepEiEnqYO/33uU7KIqjBxY527dagnR
   q01ntVycY4wiLKjuJHHHy/b25ORyxS/x6nVYJsoRNXsvYCZ1zqHC7uh9eQStAyj6
   zotbPet++u2REXKSwzhI+6mTCrFkfeHxt3BqTPAxHPxsZAmquayksNs8e94G5LnD
   VLAbdtwuIdeuz3rDWObafnaOVXD8vzjoMpiZcYKubb9pdFQIdxpYXPyqwz2f+c8g
   9VnLXajpwqByOPtLT5knKWMbsXJ5Gc8sNIGl1blYnj5ao+z6JNV2qqWA8dukpM5Q
   /KwmBvR9/RijeIEPGoqRcwUi92fuvVJV7oZf2ZCCGMLw8W4pSrzfs/xdOJslrTgN



Gillmor, et al.         Expires 28 November 2021               [Page 42]


Internet-Draft          Header Protection S/MIME                May 2021


   trDrAOKlraCKJQ5zHwZyg+c65KUe+5voj4WTu27g/vWTmPjF70htA+UIYcsNVYU9
   yGuznj6x/2EV7rLsUTpMqMFN0s4dQl4Hhfr4gaoDROb7bOdkVtWAvwP4c18wlJA9
   08X9kQNPqID0M0NOruz8JO8gyTIxyAmopnEDREvMT7JCGuwPM9YRE64pVPOZ1AZm
   STC7LY11zMhZL+RvhwbWqjkKeKN3hQM4/45BHGFVgg6k5iobcv78lZHWO28SWila
   dEgJLSobB9ieOTfrWqBrBBHjpaDwuyjS+QwjsF8SFLdRD5TY1IugUvW5Swnucikh
   X1rK/FaRRQJGzUesrkN06LlpFiiRyW9nuDjdpaKV4P9pkEjHmtN3KF95LjJnXs+Z
   07cF0sX2K7FY4GCfFxGPSsqbcR/6zAFHVPjgPGDH51yOTe05RWLhgGEWqt7mIeSD
   ppJdnY1LDFK0AFbXAFnjxhNwlfJiLB4vdsFqxGSYXfAjns8vZR62PgSExxUMxrO6
   P7oIAYisiU+9XuG40ok8RFCZgN2Qdy5oNDbYow8x3XR4BQu8+2sT9nLvJosjYNhT
   8yHMhhAbJl5VWK1EaB2gMxmAISiCCkQQ4YlStMc/LUkl8XOdQmf9SF0L1puuGEpM
   V3BhxNxCReiXA8ulMtnytw++lhl3qapALVu5OsJBQ2sqrhc7VhZTfiRQHr5s/i97
   OrBb1ZHv48NblW+tsS0Vl+jW/7AMUvQO+j7wYDI8Q2GplujJ08iHxZw/YDjR+up4
   bmQjK3xySaCi9Ef58KYOj0Y8ITvS61GMn0bCkL23UGNwISo2gPEcStdOksZtlvGX
   X37skWsFPD3M85DqQeckjv3PFzGQL7ZZLUQmmYqwG43DKrDJSZld7VYHmTY0rrMj
   gNo6iqzI+6Ygi81y14ZWTVeOFIH9tOKvjtuJz+90Qi9vEbDqF43+hiyWVg/aOke8
   4TGy7BZp5j/+SCr78/LvTko/5gafEymhaQmmsR7hskt3AhjfTyUfq/cAtuIm39U2
   MmXRwPdrzWASGy/lF0QnrgB0T85+ID58J9VaP78mI/BtKO20wWMTjbabR7J3Rn+8
   KW4H6eewVWBqghCnsJQuqibbZeFDjFgJ9kIaTvGD0TBehpp9TidmppXM4Dl4J+V/
   u7dSL257DzlKkk42gK4Cs0P1dZwe888KIABF38AZ8dnWtD492eYxA9We6NB2ru1o
   K59oloZdn+slcF3DLfvVpyfkZ8o3EVgAPVXiDfHWuVp1gL8Cv5ahVlk9BJSD1CgC
   Vwsm01V1E7QeNh3gNdQI88tu4wh5SVFk4U2cYI+dDMFUVDMzrUI3tKvWXNZOzn4V
   Ce6Eu2JPIcCOYUwDHpsq5aj9BPKBguhQQybDpAAkgSZLwhzAD7rEvo8TU8gzZ2KZ
   zH506GoFtU4oNinnrvyHX96/bG/VlizOE9YtQNyEfxxSOBsZD9jgd1pG4j/FDF1Z
   Ib+KUUo8Y7GKlOu+l+/WIVcp0nIsyIC4zGdM6DThCT6nGrhKboduTgF5NRH/Hf03
   Vrbj/ZarK0t1gzbzPgxotZiUfCVEuav9AVqxA2Zq5afs6bRfohqyFqwKHiYV19C4
   m00v4HisEFDGG3f5+Zj/x6tnX9QxR81DOomUooh8aYs/iAz0nrKyux6GMHSlj8db
   UbvQ+1VvNE3Fj0xu46HkKzGtFqpgXxzDLkE9e7NJ+Hw4tbOLfINQ0qS7iTcjMbwg
   snexBuL6rf8NF28EdlqQzCPLZVhnOd1+KKJS7V/M8u/R/y22+IXzFSA2TlxhId09
   IduZ3ByCz2HFJfVj7SameC3KANbRnBkdud1hclIBDS5Hhpqk4M8i3zmZRZWgLyjR
   edtSaHuJAlHiKgAtQVeIzlL6Ilw3jVoHL0vOdISoQpoWWhejB9f47KRmUbdb5Pxb
   Ot2ylXJKYFfoCQUs1xkNAyynSJAJ97yEAZm7aDmE4bjs33pz4L3nYxO/KUY6EB/E
   eGgPk3Cdvt2JYY5BuFoxXYRKQgZ06c9mXzavJJXXWQUUB5k2QG0uyKPmwNr2sdJQ
   A8ehhmgGws+7qXwZQEcNC3W0vmiGOBDYP3JVJPiNLFVQN9k8ClE7+0emFn2UcNyG
   294hO1G0uBPAbCdhAyDnNpVj5RS0EgY647agQHyp/gjSt4XeoaCIKaalb4iGpT+C
   4r2BqRcVUCdE3MRQFqiT6ccm+8h8eA7xtMB8c9OgUTEIKk/WSc0DUsCJB62Plgtj
   KJ4xXQXTzzUCDMnACFp6mBTd3g2ZbnfHKSyJdAvPigVbA+Qhy2eWUTYpi6yjTIyT
   eaQ2qafGppn85oLFkdgdmE3Ty1UxOpAsqLyNlNAa6YT3D/0Jl3VnfhFKlmywWIG6
   Z2SLd0r07xoBUuAKHkFUuRauGYbVbU/Frmdylv6I9DhCqV/XEDa/tHOa/LWugvb+
   x5A+g+kZiTiWRRLZYHungyjquAf/zeJsPYRoQEi4KHAQ30xCDk/dhWdhDBnUXT8P
   hzMj8VN3yjQA1vMNA5uefj2/+MIkLkz6+XPl/lJNLFHYi+EERgxJ2mFm/s02h9NF
   NhyWBsBtsEwi+rVbfcRRBpVjR5MwUohNHMGxwgj7rzvUkDe47ueXDP74j+JclO68
   r4jQ3sob123uSYryDHBZxZSbwjFU2ufE8W+XL/NGwTw04alHZfKsH4x4ZbGqwunf
   U4lkcOY/ijmuhL5mn2YYUE6w4oywZuLx5WCv2oAvQawMmNP9AeI1jcV9JiKa+8y0
   sAa1LzD78Dg4FKO8t3d13Q==







Gillmor, et al.         Expires 28 November 2021               [Page 43]


Internet-Draft          Header Protection S/MIME                May 2021


A.1.5.  No cryptographic protections over a complex message

   This message uses no cryptographic protection at all.  Its body is a
   multipart/alternative message with an inline image/png attachment.

   It has the following structure:

   └┬╴multipart/mixed 1357 bytes
    ├┬╴multipart/alternative 780 bytes
    │├─╴text/plain 206 bytes
    │└─╴text/html 290 bytes
    └─╴image/png inline 232 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="0f4"
   Subject: no-crypto-complex
   Message-ID: <no-crypto-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:00:02 -0500

   --0f4
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="384"

   --384
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the no-crypto-complex message.

   This message uses no cryptographic protection at all.  Its body is a
   multipart/alternative message with an inline image/png attachment.

   --
   Alice
   alice@smime.example
   --384
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>no-crypto-complex</b> message.</p>
   <p>This message uses no cryptographic protection at all.  Its body is a



Gillmor, et al.         Expires 28 November 2021               [Page 44]


Internet-Draft          Header Protection S/MIME                May 2021


   multipart/alternative message with an inline image/png attachment.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p>
   --384--

   --0f4
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --0f4--

A.1.6.  S/MIME signed-only signedData over a complex message, No Header
        Protection

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5229 bytes
    ⇩ (unwraps to)
    └┬╴multipart/mixed 1274 bytes
     ├┬╴multipart/alternative 868 bytes
     │├─╴text/plain 258 bytes
     │└─╴text/html 339 bytes
     └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex
   Message-ID: <smime-one-part-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:01:02 -0500

   MIIPEQYJKoZIhvcNAQcCoIIPAjCCDv4CAQExDTALBglghkgBZQMEAgEwggU6Bgkq
   hkiG9w0BBwGgggUrBIIFJ01JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
   IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9ImM4YiINCg0KLS1jOGINCk1JTUUt
   VmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9hbHRlcm5hdGl2



Gillmor, et al.         Expires 28 November 2021               [Page 45]


Internet-Draft          Header Protection S/MIME                May 2021


   ZTsgYm91bmRhcnk9ImM4MSINCg0KLS1jODENCkNvbnRlbnQtVHlwZTogdGV4dC9w
   bGFpbjsgY2hhcnNldD0idXMtYXNjaWkiDQpNSU1FLVZlcnNpb246IDEuMA0KQ29u
   dGVudC1UcmFuc2Zlci1FbmNvZGluZzogN2JpdA0KDQpUaGlzIGlzIHRoZSBzbWlt
   ZS1vbmUtcGFydC1jb21wbGV4IG1lc3NhZ2UuDQoNClRoaXMgaXMgYSBzaWduZWQt
   b25seSBTL01JTUUgbWVzc2FnZSB2aWEgUEtDUyM3IHNpZ25lZERhdGEuICBUaGUN
   CnBheWxvYWQgaXMgYSBtdWx0aXBhcnQvYWx0ZXJuYXRpdmUgbWVzc2FnZSB3aXRo
   IGFuIGlubGluZSBpbWFnZS9wbmcNCmF0dGFjaG1lbnQuIEl0IHVzZXMgbm8gaGVh
   ZGVyIHByb3RlY3Rpb24uDQoNCi0tIA0KQWxpY2UNCmFsaWNlQHNtaW1lLmV4YW1w
   bGUNCi0tYzgxDQpDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD0idXMt
   YXNjaWkiDQpNSU1FLVZlcnNpb246IDEuMA0KQ29udGVudC1UcmFuc2Zlci1FbmNv
   ZGluZzogN2JpdA0KDQo8aHRtbD48aGVhZD48dGl0bGU+PC90aXRsZT48L2hlYWQ+
   PGJvZHk+DQo8cD5UaGlzIGlzIHRoZSA8Yj5zbWltZS1vbmUtcGFydC1jb21wbGV4
   PC9iPiBtZXNzYWdlLjwvcD4NCjxwPlRoaXMgaXMgYSBzaWduZWQtb25seSBTL01J
   TUUgbWVzc2FnZSB2aWEgUEtDUyM3IHNpZ25lZERhdGEuICBUaGUNCnBheWxvYWQg
   aXMgYSBtdWx0aXBhcnQvYWx0ZXJuYXRpdmUgbWVzc2FnZSB3aXRoIGFuIGlubGlu
   ZSBpbWFnZS9wbmcNCmF0dGFjaG1lbnQuIEl0IHVzZXMgbm8gaGVhZGVyIHByb3Rl
   Y3Rpb24uPC9wPg0KPHA+PHR0Pi0tIDxici8+QWxpY2U8YnIvPmFsaWNlQHNtaW1l
   LmV4YW1wbGU8L3R0PjwvcD4NCi0tYzgxLS0NCg0KLS1jOGINCkNvbnRlbnQtVHlw
   ZTogaW1hZ2UvcG5nDQpDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiBiYXNlNjQN
   CkNvbnRlbnQtRGlzcG9zaXRpb246IGlubGluZQ0KDQppVkJPUncwS0dnb0FBQUFO
   U1VoRVVnQUFBQlFBQUFBVUNBWUFBQUNOaVIwTkFBQUFjRWxFUVZSNDJ1VlRPeGJB
   DQpNQWdTNzM5bk8zVHBSdzIwZHFwYmZBUlFFak95d2l3WW5DdGtES25iY0xrNjZz
   cWxUK3p0OWNpZGtFKzZLd2taDQpzZ3J6ZmNxVk1wTDJqbzA0NDdnWURwZUFyaytP
   bkpIa0loQWZUUFJpY2loQWY1WUpydzd2anYwWldSV00vdWxpDQp2ZFBmMVFaMmtE
   RDl4cHBkOHdBQUFBQkpSVTVFcmtKZ2dnPT0NCg0KLS1jOGItLQ0KoIIHpjCCA88w
   ggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJKoZIhvcNAQENBQAwVTEN
   MAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBs
   ZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwIBcNMTkxMTIwMDY1
   NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoTBElFVEYxETAPBgNVBAsT
   CExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
   AQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3
   jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLY
   Yy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dP
   zZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5k
   sKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5Deo
   ULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVKarUCAwEAAaOBrzCBrDAM
   BgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAeBgNVHREEFzAV
   gRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1Ud
   DwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj8OeOr83zdw8wHwYDVR0j
   BBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZIhvcNAQENBQADggEBAIFJ
   eKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4FzkgRyOg31/+Cw7H8e30i
   LrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMtjH2x9SG91PEM046gfPnc
   9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZRzWmkw1RF7FOD7PfB5v94
   M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8A0enITGXnoEkAFvvjiCq
   h64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQsqm6hvrDTqNpHNZ015fOU
   Rza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV57XV/QqmiXDr0+GrOmqnX
   MA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExBTVBT
   IFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0



Gillmor, et al.         Expires 28 November 2021               [Page 46]


Internet-Draft          Header Protection S/MIME                May 2021


   aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjA7MQ0wCwYD
   VQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUGA1UEAxMOQWxpY2UgTG92
   ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC09InoWDgWPk2a
   f0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHUa4xQUl5JO6VqY18LANwO
   Rjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz/evPgP96wV+z4TtAwW2Z
   34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3SryCqeHEFbZFkB4urMk4
   xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQsaqpo1d3f9jSkbtAV5w3
   vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgEykRiVokFQgqQ7XNDU+r3
   SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAXBgNVHSAEEDAOMAwGCmCG
   SAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUuZXhhbXBsZTATBgNVHSUE
   DDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYDVR0OBBYEFLv2zLItHQYS
   HJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn8QkoZTYaZxxodvRZMA0G
   CSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOHG25nY/0eNARD6/oF0/sY
   onX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZlRAzEf7GHqgB/NyjOad3p
   dpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524bKZa1oPTUNlm6QpivtqD
   IdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp7poIccGE6I9Tsg+RrOA9
   iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtzOKypyQ3eoZ6EPazXqMyH
   AVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEmMYICADCCAfwCAQEwbDBV
   MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2Ft
   cGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kp
   olw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
   AQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAxMDJaMC8GCSqGSIb3DQEJBDEi
   BCCBo3TZITs9IUGlq1clkkamrYq1pC+qAOmbM6mBrJaWJDANBgkqhkiG9w0BAQEF
   AASCAQARpMjNRbLD+Z682oraEKCbEbDsym9Mrdu6nkcZ+ivEj+AHTU9rt+LBdvTb
   gHEKrWW8/HJ8C9eybTU4XJlVzbvGLRFhLPrLNz23qygzUH9AJ3nONY9eGAHLRagc
   Ij3L+IAoRjfC3KO00s0/rLfb/l4EmMLCUDJlShrsqCrFfXQxKi9dWWvVZUzEsGqG
   lhkY58o+No6WN/0SsWTHNNXrg1RKql5PyaHfWtySsMZjUOCJrlQDMeKBSE7dpTjX
   wA5N/m9eBDASJyzlxdLOHGfJ1uWn/VR0Lm4xbscAdVJEm5gaH9o4QKf7jXAl7O9n
   yuP+ZEhRpnjHfJ3XjFKuHiZ36Yon

A.1.7.  S/MIME signed-only multipart/signed over a complex message, No
        Header Protection

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses no header protection.

   It has the following structure:

   └┬╴multipart/signed 5185 bytes
    ├┬╴multipart/mixed 1330 bytes
    │├┬╴multipart/alternative 924 bytes
    ││├─╴text/plain 278 bytes
    ││└─╴text/html 362 bytes
    │└─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:



Gillmor, et al.         Expires 28 November 2021               [Page 47]


Internet-Draft          Header Protection S/MIME                May 2021


   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="d66";
    micalg="sha-256"
   Subject: smime-multipart-complex
   Message-ID: <smime-multipart-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:02:02 -0500

   --d66
   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="7fe"

   --7fe
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="848"

   --848
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses no header protection.

   --
   Alice
   alice@smime.example
   --848
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses no header protection.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p>
   --848--

   --7fe
   Content-Type: image/png
   Content-Transfer-Encoding: base64



Gillmor, et al.         Expires 28 November 2021               [Page 48]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --7fe--

   --d66
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj
   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD



Gillmor, et al.         Expires 28 November 2021               [Page 49]


Internet-Draft          Header Protection S/MIME                May 2021


   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl
   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz
   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzAyMDJa
   MC8GCSqGSIb3DQEJBDEiBCCpaVCRppoO9Sw65TWLCDTpvw7N8HHyZsFXr4qP43kV
   mjANBgkqhkiG9w0BAQEFAASCAQCW76eXVAXnm6vEII1CD4QNEh2kpQeBr4/NyspF
   5VopKxNrBRfQs000ewQ0y2n07BUJtVyZrZOdrP5cG6K9KByxVGgpRY2Uyllz6hUA
   K12zvtU3hU5oKTKVgNtDMh8qCMVqYdJzFSZ+exTGLIaN88bMNErzw9Id1F5TpJYF
   ISUP1mXY1+GpjuXo5WEM8c7cfFH2/uDw3PSFILmuXowedbBptFH7ccGhNg6huY2c
   AxIADVfW6YVG3SWVAaTHUM0QmvG9AyV4d0dce+p4aoZfhUfjAF6nWIRLcrfu18z5
   FBxL02+VfWaYOg0d3TgScxQgE2vjAgdz+TqDbQpPriQXf/h7

   --d66--

A.1.8.  S/MIME encrypted and signed over a complex message, No Header
        Protection

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses no
   header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8670 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5408 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1342 bytes
      ├┬╴multipart/alternative 936 bytes
      │├─╴text/plain 293 bytes
      │└─╴text/html 374 bytes
      └─╴image/png inline 236 bytes

   Its contents are:









Gillmor, et al.         Expires 28 November 2021               [Page 50]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: smime-enc-signed-complex
   Message-ID: <smime-enc-signed-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:03:02 -0500

   MIIY/AYJKoZIhvcNAQcDoIIY7TCCGOkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBABKoUk6G/5pRCkn0XsCial0oDti/uEUw6E3T
   PAqN2WP4KjYkf10gKJZNaJYEGhOmHfu1r53FsuW3jq2IS3A16AkpZHY7ROluKpAV
   3qkTBDqBnsC16f3q5uQxCWZ3DOJDvf9X48iASbXArXOjGk14lgjW8GeC5stnK9s9
   4O5KpkCQges3lVWngSPYxGkDgyp1xjvftn7M/EnXAKf6F2ujLp7is9EgEjdK52zV
   GE6Pqqeq8hy7Cyqlz5pWn76MTbgjg7OxXFzDCTePXiDPUCrOoCxwHpj6yo/bfbrE
   HDq5rZXDY4ZWyHGpTQbVLA8zMMJqoVXiFz8NqNeDwY7ApaODpU4wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAhI15RwR9LLMR9+cR4l8VmlBW
   PuYAz1vENb+Il48IFNmnN2xqAU7ATw+HvD2noH+6yqf9N0fXz9/ARD0GtsGrG+wS
   s0gYC34/x1zwZ0DWIvrVq5yPsly4Qd5KkFEo8ACtFJFfInL3KaHg7SMHYObg6OcT
   izGKSOp6wBNnVlvknSoIGjdg7IMFO2dVeqUXCkpf7N944kqvfxJXKPcOgleAG0Qw
   n2v/gJtM0hsB6lQhh+vc5RUYIfmX4N5hNW7Polz3NnYrPPB0QFBGyAiCuFFEoWa/
   nj+DWJbH+cYYyWXBMVcqasx05FCNkuX+RcemRzDHyrMQEs1TFj7NxSYjvjCaXjCC
   Fc4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEED8PrzsI9SpFxgbjoB0E0g2AghWg
   gsBBxGC3GwCWWfnJH4kpa67Ta1NLifl03nBkTKakYEGsNRk6BvffDHiQzB1dJg25
   NKp4YLNTAWPLW2OP77KAvc2NQooQgP2bSaaNSuEf7OPnfhb/p2rLvLeMD5o6aSbp
   WGFcMaIhjqmNAtp1BPBANEyDgiTdIFP8mMDklvqRIFh2lJNRN3bCQqfYxH9dCfaP
   RLAmqGnkaG4i4BROgn+kHCprDoHvlWy+4l/iIi8DIaKSwDIvsbtk5yVhUNpbfxZE
   wuKvVdMDRMf9BPMY9QgoK0BfpmovhMuqDClzn9503Rdv/Um1NErlPj9fNgtEZg17
   bxKvsBRAX6k2J6r5chEjdiMsoCB+niFL8pOIH5sj0G556MnPWFfNi4bRehRzq5+o
   91iYlHfNEHTQDNjPSc8zWfH/KqcfymxoRY1cUdXyuE0N4E1FSdlS2kqLkJYXcIvJ
   9ReXT7eyUUrV8YGgsFxAXmjQ0Ky48+TCohDsf2BzgMaKULGjiHwNQPrd5ojhWZiR
   RzVbN+I7AVeu6pDbs35pEyIypgGXTMlNPLzKuHcF+XVuQ8bDJzOTCoEaYTc6sXwA
   c5LxLa3N+p2q5J3PO9hNWY6kt7inpommoAr4X9JmUvCk5Z7rQWf2WWkwkA6GGt5/
   Wtpkne+vk5L2fFKK+DfBNv3f/fjhp6SIgkShF1h69iNzgN+SA/SMQ7c6eXB9WMZv
   dSLKt6dWztY2Xd4DvjiTaQAT6mK2MjpvCxoBbEphmYqtfBVibLBzxVr/v/rBI5j7
   sR4dVHyN0/TMCktR7qZfMdfpDyY5d9uabxzUI0sGKJOxB+fQ7iTnPCpQBGPZCUeJ
   41CiiNif5ybqgjhzl16Pv4UXQfdwBnR0qf8r4z1rMjXO33LM8Vo4H3I3YwFlFiUV
   FwFiDFXccPW7zQnUwcRA8cFkb0xI9oLFyWQ4M1+yhJ2j+x/cLesukAWJ3lDSX9nd
   obBObwCRjPNgYwhbG0DnSK0dSU8oAm2FA65T4y+rkwaT2NnsFJsyISHHZG7LHlPU
   lFwRQ+FND1LO8XUs+ZYj17XndZ5tndZx3wQwHmoweejvJZdgx+ThS2I47YBw/5kx
   Zd+mJQ0E0Uc4FWhtGqSw0l95727xWbF84HEYnC066DaGFGFXsF4bF2+ocq57kKWa
   GSFFm+San0QoMWj7brKmfRccX+MDhOHFfFvVsJ4i4VbVvSNTnazKZLndeZcUwMAk
   TWcVLXwEnPdQpQCwHmfxbuYj7WlmhS3YfISS8Yu915+/U1zPlska+jGJi4W3YN69
   FjGjcoRMn3fyGgvwaITiPcSF/r7QATQOfOiI3vy6KZTHBU5VNXuKYV5yeC2Mf0SW



Gillmor, et al.         Expires 28 November 2021               [Page 51]


Internet-Draft          Header Protection S/MIME                May 2021


   pgwH2vaSlBBgBQDnG44BL6JDRXIC/0JfOaS7ouutPWRWn6i5z/d1NA89f2g1HUbh
   gFBJhM6ayBU6nAAiYDLcN1yGpPykDTCF3QgJsw7hqcdZuA48maulywP4CR43XiS4
   ouRui/DpJk1TdwI2oBY52y0dNb2RI30bYJHCmbxpTJ8yVjdQjjldSGTBs+7ScV/m
   axNqcLxf4ciE5BGr7TVMCCEl/s6yFbL4BrEZKgpaf28LiOQdc/3sWA9jpQCSR10o
   xlVurEK7fTNQhMCTwd0wxqrOZhPm0HL2GcKyIGpAJh6UkkvOAp5V8pDJyzMxmKpH
   K20PQqWU5xVeMFF1Aa6HUOuFYCMb0fKRaWBo65KsEepQCNHcQszQT6PywIFt20Ny
   y5jbiKzcXZ3xpJgGRWeCHrM+w8/bkA+yrzAQaFXM9OVxg9pU7ov4YTxn+DbzA+I9
   bu4ob7lehti/z0AfmowF1db8B9ccBq2KJPoL/r6iAunDoppE8p8P0n+KKX7Ns59f
   MA9cA0ujcnWX2rptYxrJXub8gqIfiPo/6HUCG+Y63iy+MsFXJ6n4KdPbcBQXgsZU
   XsOkuIYpdjAZMsy0trlgftS71fwY+6z3Pirfzq8I7SsKO7IBOqbuOGRxw2o6En14
   i4huYm7fizX5oWIqQb3+nZpgX/mnxyPDSrrblgsCl9IW2NYbIh6FibjG9gOXzSFk
   AvVjY5oPYct2eorxyKdYl8pZq0/mSQfbHSVp5iCOxRJr7F1l364F+KsunF4Qg6Qg
   4qye+wSXYiBDnOIzWRGNR9BPbvwHWv5p0mv0eDObVm8n6kDvdLa7IJnVN7VJkjGr
   8+RB/uWTX33h3N52sRbEs51sstdXkg/4H4PwtxiIRviWWM8bDcXmMjclwot3xvej
   xgJ7iHbgLsLYc4GshIk/lxxaUbZdRJWKqrVRJtUP50AKALjldfUGuKh++Z2SWSI2
   knZOJRjvaWECd0soQMOvwP6oCq5xgKtovIr6JPNe48t4DAAlIb+vvbzHPBVAm1eQ
   gqaZ+DzpYiPR/+A9j9u7q4CtNAXbIep6MbV36W51oix0W4La8aINl4uXxvM/ahHt
   nVvKHs4MQfUwT6CoriHcyPGr4n6DudlLzlKHt2pvotyR8LFUSdfrWaXoZK7gHn6t
   IoKAfNwE7Kqse/JLcVDBkdQhodLwyLWnVWCmabwjUtBr6zMApjpLJGsB27DV7IOn
   VqaBMqMOmurYA2/+zgznnxQeK/rFutc7hckG6I+MO7T47JRgmWECNYp8zbBVsEkL
   A4TDTarRoLLz2z4GaLmFKG1YPR/70urvWINp1YbyhCwZm+WvroLRmF5dYpiVdbXj
   9DUzI1ucxoGKEAWXTxXq9RUmHwNuDN6SvILzaSvFzUigygZgMjCM8CvRK3Nf/rAF
   sHp80koNZ3cfK8Z+LPMHDEdMXuep0ahEhOTBlpVbeq/Idq6rpOkjXpvcowlyj1Jm
   L8ADlcyStEdVViv4/VLyzDSeDLOIqBz9RTBLfXb4Ek2h2nFJ7MpH/BJZi253VYxB
   xXc9NuJ9M1odj9uJJNS3n8U4gLHFm1fjGvGAOExd5M5qmN8b/ASoeA6oHaSg39Ur
   27N4/a2HpnRWck9H6aAOB7PQyh3L497/sWs3yoFa93Mlwe7vO4uYbW8X34ewXTNs
   oX7gH4lRuj+XbbVM6DCH6KzNOkWyazhCNMGBTeO+txUZgoZD01OgAQQE2JPF2f7B
   OT1ZeYkxSDLJH3nkGzfzvhvJ1b8eRUT1f9JrDdm+qd1/fGt+uyTIMp7GqovjiPJL
   q/NbbXq5CrtUZf2rBq6pK2NM5l2l/43h37gH/xMJH76u/VdAbcXRkq5HnfEuG77q
   VXKeoZDsXgwdhQRP3VGVKjCvqLpHs/rXco8v2xGDvqAnOT19mXxFh1jFl82KFbQq
   XDQCJnyMsG4Jvc6Zv1mFyFba5GaMwxWq61thCVEqWA5AwnMsSnTnsyG+CpBctyWZ
   dAOkrjb5/NAgSAsta6S51Nk/7oo+CyEt/yOs+A19kPFdtBjtEot8r2YXCLg9gqbh
   exX1kgYR13wh5x4LpVY5cfMeLkjKWmvUfTPSmVLdjBYuG21F+Sp6T3Z2znQqqYEF
   7qXMocZHhLSLWQOj0bk0DVL9AF+hIvuAlB/urwWuIBKdQyf1tjsS61u7VNQOLqqm
   HB7vNkzdkihIyNU7f56a8D8k75GLF6q9cvZHfTmNWYDOxsU9Po0CbX8OtffpxmAQ
   ikAi+40f0elM5AMV1Au11tYuA6ckSvT/PqHZPsU4bFk365LIZRm/wQ+Lffi8CZOw
   S0L52RfwSKIP4kjjwYHE03XoNXVM3iDgBesI1HMVJQYeP+kLUPrzAtwxtQ7Lccv3
   oLVtVDK0a2VR5DqW6oluyNPddsa/RV4Ld+8GVZVLA+iuSziaW+bmD23OtLw0ycEn
   4pB5heZNxVSvQ5NzE6mY6AYLolSN+trTT9hihc+Z10hN+S2z06w2M4zKYVCd0Qzo
   UnMbJNHbPgaGRDSaLl/dBmezCL0NuHFUklZUCCKD5ut5fTFCY/zEpe7Xky/2WFS+
   Tk+9f9A6Eha5zVx59yTwriWgiBhyu5zOq6vJoeiYoKluDkganEVKyco7Cy1ejEU6
   C8Z/FzC2iuoXf0hH7/D+jSmMhKkCu3bFz4sR4A4+ItamCFgA1DoeljCMrZwLwZBz
   fEwajERkr1tVW0YvyzBB8Qff48MpjCmrGcpi9WRRob9tXzf7DtIURwgXUDAEtL4X
   ApSmswV9ZG0UrSytwzGfFz2v/SIXIcZCcgWzGx1QhpnjyS9Sz6AFz3Ba/SvcUk6Q
   r+Hx6HWqdN4MEVeUnhFwCK7XwzNEA110g4twEYO+M38F2LDXzvPAQkmKkQ2BwItc
   3wpK9Cl3d0Td+TS+bxdKV89YoQNIWw37/Bzg2uSerSsEmrmo+ZGcrcZtGlZX5TQK
   OHgkPM/CUztbjKFcv1mCBF5DH4sXYVNP4G/OticVMLiL9QBIeXAZcjdb0CuSkt/8
   gZyhCDNzVN5me/fhtN+tuTjTETaQFcF7ErTOEHokvns//NdpSFgrUvFe5jhc+nMZ



Gillmor, et al.         Expires 28 November 2021               [Page 52]


Internet-Draft          Header Protection S/MIME                May 2021


   VryVxxW/iDk76C+H1HxF8LWAlXeeVi0PPfeYX+TwWvaKPX2wBv5qOy4KlX/NvJGL
   XyrDB8NJe/csuU21wsKs+k4qlsoDIz7U8lU8JiZ2oxwYFkffqUJBlncHnjX7jN95
   bBKMolpwSd2Rvnin/X2L97QceFPoMYxWA2YWbVHyfXRdQoNpFHGvDWREBqZGl2K7
   UTqWptWWsOQD7MGC5bmGDFj4sq0/D4F1HoAwHDjZ/t/BSYXv8JsahPT1L6ymNJ2J
   QpYkqkUTFoAcPGGdRY7V3LDFnprFHQf329krDizoHx8zXkSWX1RPW/SB8jcxkbKT
   5nN06+GIJI+CmO+YJbT1OQ8a5bLDAE8rrS5K6d8LAS2b1zX1tnYSqFWIyb84iEG5
   sy6NM1VU14rWIzEVnr0iJmAn3PLDGxVtVKJMlzp5m4EZBESadPFUwdLKvQXQUFeK
   bmUo1BAcLxaemP0S8LJ7AS7mfQSHTRQGI1UCAU0LTuEQg75kQtEPdic71NjorMEZ
   a3oBk72PFLq0AMF3KZOSih8PQisdlUJckiUqlppbgoxTJBbHWd7Cb5GykRb1Sy3X
   hLCfuvxZ4ima8SCulHGfDF4StdJMdpqtfdn0ttKbcRkMsIVHrNhwwdIwLKR+JXUW
   UotEh3clhvEkuMvzBtkJLG2eEbmCQ7tSOkZB6+fqCJ8rwjFYrlLxzsrJZMmN6+Wk
   uIFRnM5GAwdr/y3cNcUA0lHliXhYjZ+aux5QqM3hnqiXwRyjtdBqjZIAZdfphdYf
   6kIuJIsmfvT2vV8IWKzoWeNswd+n+u6qqVWGSvIG2u1+F1WhKS+35kVcppVawtA0
   BG4wMhkqEBJg0CIL3RE3AMEMvswp6i6xwuk+hIOlfk2hhenTed8T2Y8vnAZiTxk6
   rmArxR9BCXWBi10JryL4Yr9eHc6e/eOhhxk+QrKC2nJs+QTcArXdLJvbsYXdVNuM
   Cf8xLegWrkMRsK/FbarFPHzESH2Chy7Q1DbY5ICyfluSvFFlFh91FGycMRGgd3rr
   ITLV57i2OS9blJVGZNoF3bmRjejxCCHgl5A+Qz5Jxszsi6HIEeg07IrhE/CCtike
   BfqlJvR3rm8XSZYX6Neo0aqbXOFAMp9YrevJrZ1hIPT5BfBvElbyaJYGX/jWeqx9
   7nJ2Mh5MxNTnzz//xTdqCrU9gCk5bBe2ZvDwnZ7nCwXRbcNd97+x30EAdHirss/5
   kZyJwrWwuDGUFVinUYf1i1Wo2a2dEHlfYymNr8Uwe31wRMJKqqy0bUhB/Rez2I2t
   7U05g0svEnAz/SPbgGk1TUvqcxMqC2GmpPq6Tfk27sDfUCqYKgrDfE44Q9IszBpR
   fAdMTIQLtUWmLCq7ZM2yFkl2mx+ymmEaqKA+3SzC2A32nZ4IKqebD3vIYA6c8aFn
   V8OHuub1VAvFsGjviVitZmXL9wTvTLCFzYlRoZJWqmgH+oZZJ36o1tYaEobaTvCU
   MfpKuuqQO1ifjFtdnO5wJtd4Usw9OngspR3V2EoTiUC4+oGJYQ1ux8ACWjNJ9vEB
   pH7DBVIIGyiAXSuqL+W77PRi2I6xnhA5eWR+jUXRnr0v4DGjdsQ8LWeyS1APmCHh
   Wbf5p/Z6k3mcMF+vJz3DkWq5BI/horJK0/lLGGgi2j4klnus2H52OOh+f+4Vn7Ky
   vYby8jm5Oo6RXgAgc/rFoUinUo3//syk/+xExYZYt37hL6PlewkeG8vhXoFvuJAJ
   gi0d7rnqWYuse+UrzUrbp5z/UpJQp/PyY6rdDlScWQp3WJYSNgEe62EmnMShGf+q
   TboTsuXy8MfKltJsV9ybuJGZdtA6yIrlKwj8YYfbPX2neXmZrdnDMGkOSfdGi3lU
   /yXCBPWOnMCR+MVWVXUpf3wfXlHO4nZfNtyVb/v7e4lRCylyayXo7g2rkmR+LrH3
   dEnczDF/LZLbDnkizNpzlgLU5BAlk9rDW6uwyMywrLIYlttVnRrHwjAol6US+mjF
   sZib126lo8EIeHyccGZIqfyTHld03m32IzMnDnl6dVeX5TAuBmDuNGbXHP4h2OSG
   m6tUHSFI9fMxO2pBT1Tts1kjYBU+jMenqI8GxpP6DD/Y8PUbxBNoPoP8aVR3rkBk
   GONb4ksn6zWoRxT4XyaPvmImvFX5nkHHnvkThvL0DaWcwuIOrjtqOJwmPBTOywjA
   KYPPCK7qVCwVAssJxx7adE1W+F15UoTyyyjpe6pVtgO90lGRcprYQnBasw03kATd
   k8GFN7Ej37OiXIvrmsJ1toHzlhungW5uYedaTMBNmw8iU63r36sMhj46i9nML2jP
   mUjfxMeMvQGMIMmjDBN0j10+5tANXtQY8CdC3pSJLe0lmIIHMB7gTlf4QuyU2LP9
   5NRz07fwamd09k3N3dIeAB0I+YJyeElO69772qnqpiGnx10uq5lnhEyvtJCyH1tS
   vWUvX0tyAFfuIBkdyCKMFP6zhHVxZCCa+r3W/qrfON6GH/tJ3aLdilvjwC2zQy29
   iuNYYJoyAS3PCjC7CL41U0kAOBNJPka6Vqn6PwxpnxGaZZyFCSU2fpAvNyT2auOh
   CmLz/P0tNE7z7l1JXqao62CoPa1dOQJ27NbEjsoR3GobhcGQQkYb3Zsss/y1QZaa
   9lkTdk02ZDXfPPyaIUY46+VA3VcHlmWxChZiiFpqOdV21aAt+f4PJLtspE2/OTEG
   GqHngtafmMV75z+MO8ExXvy5YrI5N+S2eArIteQxBjNs5DjXnsPjE3CGwb7GPx8T
   XMsEmWDQ7TDtqFSUzHAIb8EieTziP0LL2LOd9dpE8xDH1X0gDC82whSxUrZOa15Z
   iJ1sZkS1VRI/iq9/5zc8BX+218FfdN+rbHWZZAM02ge1IMyOsLF9qaaiR1K9ZQPJ
   lYDLcCmnS6Q1oKA2JvDOiB8sbrpKLsLk31lcqCrVJ9eOIqnA4yAijsCNiUjI1DSC
   TefQo1PVS8qAGhfkcA/4nw==




Gillmor, et al.         Expires 28 November 2021               [Page 53]


Internet-Draft          Header Protection S/MIME                May 2021


A.2.  Signed-only Messages

   These messages are signed-only, using different schemes of header
   protection and different S/MIME structure.  The use no Header
   Confidentiality Policy because the hcp is only relevant when a
   message is encrypted.

A.2.1.  S/MIME signed-only signedData over a simple message, Wrapped
        Message

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses the Wrapped Message header
   protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 4213 bytes
    ⇩ (unwraps to)
    └┬╴message/rfc822 566 bytes
     └─╴text/plain 228 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-wrapped
   Message-ID: <smime-one-part-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:04:02 -0500

   MIIMIwYJKoZIhvcNAQcCoIIMFDCCDBACAQExDTALBglghkgBZQMEAgEwggJMBgkq
   hkiG9w0BBwGgggI9BIICOU1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
   IG1lc3NhZ2UvcmZjODIyOyBmb3J3YXJkZWQ9Im5vIg0KDQpNSU1FLVZlcnNpb246
   IDEuMApDb250ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9InV0Zi04IgpD
   b250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiA3Yml0ClN1YmplY3Q6IHNtaW1lLW9u
   ZS1wYXJ0LXdyYXBwZWQKTWVzc2FnZS1JRDogPHNtaW1lLW9uZS1wYXJ0LXdyYXBw
   ZWRAbGhwLmV4YW1wbGU+CkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxl
   PgpUbzogQm9iIDxib2JAc21pbWUuZXhhbXBsZT4KRGF0ZTogU2F0LCAyMCBGZWIg
   MjAyMSAxMDowNDowMiAtMDUwMAoKVGhpcyBpcyB0aGUgc21pbWUtb25lLXBhcnQt
   d3JhcHBlZCBtZXNzYWdlLgoKVGhpcyBpcyBhIHNpZ25lZC1vbmx5IFMvTUlNRSBt
   ZXNzYWdlIHZpYSBQS0NTIzcgc2lnbmVkRGF0YS4gIFRoZQpwYXlsb2FkIGlzIGEg
   dGV4dC9wbGFpbiBtZXNzYWdlLiBJdCB1c2VzIHRoZSBXcmFwcGVkIE1lc3NhZ2Ug
   aGVhZGVyCnByb3RlY3Rpb24gc2NoZW1lLgoKLS0gCkFsaWNlCmFsaWNlQHNtaW1l
   LmV4YW1wbGUKoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQw
   DQYJKoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMg
   V0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRo



Gillmor, et al.         Expires 28 November 2021               [Page 54]


Internet-Draft          Header Protection S/MIME                May 2021


   b3JpdHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3Zl
   bGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gB
   UCfkacKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXP
   mrszyidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEF
   XgOaGdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41ko
   aZXCN5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX
   +TWzB2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iP
   sIVKarUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZI
   AWUDAgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQM
   MAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkV
   fAEj8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJ
   KoZIhvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtK
   tl4FzkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3M
   RsMtjH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0
   LIZRzWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXw
   fDz8A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyu
   OfQsqm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3
   QQV57XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElF
   VEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNB
   IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIw
   OTI3MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEX
   MBUGA1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
   ggEKAoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo
   7sHUa4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+95
   0MFz/evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYW
   Tut3SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfC
   n+IQsaqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9
   COgEykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIw
   ADAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21p
   bWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAw
   HQYDVR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwH
   Fwyn8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4K
   kkOHG25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30Uxf
   yrZlRAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HV
   X524bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP
   0Qhp7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+
   JJtzOKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSz
   NnEmMYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1Q
   UyBXRzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1
   dGhvcml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkq
   hkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA0
   MDJaMC8GCSqGSIb3DQEJBDEiBCCt+Ik56mZTd2mpSgOXM38dS7jM5alU2FDX9/58
   cga1szANBgkqhkiG9w0BAQEFAASCAQCxKLkx5li14OIOcH2tcWqcsQilPLgQ30ck
   qhJL2X9/Cl22ibOGNwL8w3qSEBeG1a+WtHw3bSqJx1ciRYcLs16ms23no5QoZ0pU
   fRLmQuTEgObCf+syiTGnWLj8e+2aRVP1L9yEIbin6+hFyp4s393zYhdMOPAP2ruI
   lg+BxoWXUjXso+8lPgqLawA+9KMI6tQZMnwI9LpGJmZfoSXdHWqWtjdotzZpqsKm
   Ihr8DBKtUetqgZ2zqDO3zo3W2L6EmNM05BJUmqwAt/cN+X9kws5dAqtHDQhPNTa1



Gillmor, et al.         Expires 28 November 2021               [Page 55]


Internet-Draft          Header Protection S/MIME                May 2021


   WUX0oTTkMzn1RAlOxfowEStSnfDOOzIqg+L7LgiMw9jhIgP4/uB2

A.2.2.  S/MIME signed-only multipart/signed over a simple message,
        Wrapped Message

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses
   the Wrapped Message header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 4451 bytes
    ├┬╴message/rfc822 596 bytes
    │└─╴text/plain 256 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="20c";
    micalg="sha-256"
   Subject: smime-multipart-wrapped
   Message-ID: <smime-multipart-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:05:02 -0500

   --20c
   MIME-Version: 1.0
   Content-Type: message/rfc822; forwarded="no"

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-multipart-wrapped
   Message-ID: <smime-multipart-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:05:02 -0500

   This is the smime-multipart-wrapped message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message. It uses the
   Wrapped Message header protection scheme.

   --



Gillmor, et al.         Expires 28 November 2021               [Page 56]


Internet-Draft          Header Protection S/MIME                May 2021


   Alice
   alice@smime.example

   --20c
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj
   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD
   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl
   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz



Gillmor, et al.         Expires 28 November 2021               [Page 57]


Internet-Draft          Header Protection S/MIME                May 2021


   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA1MDJa
   MC8GCSqGSIb3DQEJBDEiBCCcDIxr7wd3VCCz1VBG9nySvUJ/Fhzo26f78El/UUbj
   jTANBgkqhkiG9w0BAQEFAASCAQBUmMGL40IZQmt3Nad/ymEUOLu3Dgfd/nYKuj6P
   fjKYJFb9UhwtufZK9/WyVtytLsFJMYHZgUSWU3VbHk1L/cO0469Rbqo6CqlLRJPK
   uN2Eul2UCa+3ovMIQ8g0NBflXrdfR0OVRqvfO91hLFkTxLfCDUG8ziRWOLWucgZg
   zkVXqEzvFyOtsSbr3GAY817wWgl1+PTFchO4XF+rg7cNysKqGLtjxP9lN3PcURYv
   TmooTPY46kheab7ZAzKqQI6go7somKmMqD7UsctMLSVZo+EX5/N9vq5znv7bfpoE
   Rgd+NZNQD+VYDIOU1FI5ZjyjHpRmcFpywjvHNbTBGlYhv3q4

   --20c--

A.2.3.  S/MIME signed-only signedData over a simple message, Injected
        Headers

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses the Injected Headers header
   protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 4185 bytes
    ⇩ (unwraps to)
    └─╴text/plain 239 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-injected
   Message-ID: <smime-one-part-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:06:02 -0500

   MIIMDgYJKoZIhvcNAQcCoIIL/zCCC/sCAQExDTALBglghkgBZQMEAgEwggI3Bgkq
   hkiG9w0BBwGgggIoBIICJE1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVRyYW5z
   ZmVyLUVuY29kaW5nOiA3Yml0DQpTdWJqZWN0OiBzbWltZS1vbmUtcGFydC1pbmpl
   Y3RlZA0KTWVzc2FnZS1JRDogPHNtaW1lLW9uZS1wYXJ0LWluamVjdGVkQGxocC5l
   eGFtcGxlPg0KRnJvbTogQWxpY2UgPGFsaWNlQHNtaW1lLmV4YW1wbGU+DQpUbzog
   Qm9iIDxib2JAc21pbWUuZXhhbXBsZT4NCkRhdGU6IFNhdCwgMjAgRmViIDIwMjEg
   MTA6MDY6MDIgLTA1MDANCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNl
   dD0idXRmLTgiOyBwcm90ZWN0ZWQtaGVhZGVycz0idjEiDQoNClRoaXMgaXMgdGhl
   IHNtaW1lLW9uZS1wYXJ0LWluamVjdGVkIG1lc3NhZ2UuDQoNClRoaXMgaXMgYSBz



Gillmor, et al.         Expires 28 November 2021               [Page 58]


Internet-Draft          Header Protection S/MIME                May 2021


   aWduZWQtb25seSBTL01JTUUgbWVzc2FnZSB2aWEgUEtDUyM3IHNpZ25lZERhdGEu
   ICBUaGUNCnBheWxvYWQgaXMgYSB0ZXh0L3BsYWluIG1lc3NhZ2UuIEl0IHVzZXMg
   dGhlIEluamVjdGVkIEhlYWRlcnMgaGVhZGVyDQpwcm90ZWN0aW9uIHNjaGVtZS4N
   Cg0KLS0gDQpBbGljZQ0KYWxpY2VAc21pbWUuZXhhbXBsZQ0KoIIHpjCCA88wggK3
   oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJKoZIhvcNAQENBQAwVTENMAsG
   A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBM
   QU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwIBcNMTkxMTIwMDY1NDE4
   WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExB
   TVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEB
   BQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfkacKTg8cc2OtJ9ZSed6U3jUoi
   ZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrszyidmbuZmOpB5voVQfiLYYy3i
   Ox7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOaGdmnx4OG/e3p1fIKM0dPzZLo
   OAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXCN5XL7wWTLMLeNf9Byb5ksKqU
   uqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWzB2zNS2OF+XIVnzRG5DeoULq8
   v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVKarUCAwEAAaOBrzCBrDAMBgNV
   HRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUDAgEwATAeBgNVHREEFzAVgRNh
   bGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB
   /wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj8OeOr83zdw8wHwYDVR0jBBgw
   FoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZIhvcNAQENBQADggEBAIFJeKCc
   sTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4FzkgRyOg31/+Cw7H8e30iLrPI
   FlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMtjH2x9SG91PEM046gfPnc9gMG
   HjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZRzWmkw1RF7FOD7PfB5v94M527
   4XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8A0enITGXnoEkAFvvjiCqh64P
   1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQsqm6hvrDTqNpHNZ015fOURza1
   SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV57XV/QqmiXDr0+GrOmqnXMA0G
   CSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdH
   MTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9y
   aXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3MDY1NDE4WjA7MQ0wCwYDVQQK
   EwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUGA1UEAxMOQWxpY2UgTG92ZWxh
   Y2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC09InoWDgWPk2af0+S
   tijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHUa4xQUl5JO6VqY18LANwORjrc
   9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz/evPgP96wV+z4TtAwW2Z34rT
   iz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3SryCqeHEFbZFkB4urMk4xrIJ
   C3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQsaqpo1d3f9jSkbtAV5w3vzfo
   g8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgEykRiVokFQgqQ7XNDU+r3SeOW
   wks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAXBgNVHSAEEDAOMAwGCmCGSAFl
   AwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUuZXhhbXBsZTATBgNVHSUEDDAK
   BggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYDVR0OBBYEFLv2zLItHQYSHJeu
   KWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn8QkoZTYaZxxodvRZMA0GCSqG
   SIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOHG25nY/0eNARD6/oF0/sYonX2
   doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZlRAzEf7GHqgB/NyjOad3pdpVY
   eDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524bKZa1oPTUNlm6QpivtqDIdqG
   JdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp7poIccGE6I9Tsg+RrOA9iCQs
   Pn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtzOKypyQ3eoZ6EPazXqMyHAVcs
   m0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEmMYICADCCAfwCAQEwbDBVMQ0w
   CwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UEAxMoU2FtcGxl
   IExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQITN0EFee11f0Kpolw6
   9Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcB



Gillmor, et al.         Expires 28 November 2021               [Page 59]


Internet-Draft          Header Protection S/MIME                May 2021


   MBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA2MDJaMC8GCSqGSIb3DQEJBDEiBCA7
   4grfze+Y7DQEGFAYHyyvRpNkuuZFR0V+RvSTvu4FGDANBgkqhkiG9w0BAQEFAASC
   AQB1KYVvQNZpe3EKeM0XhJrlJNxneVmZWFCEl5YFeRsO8FeIwJkV65YtFJKjOVVy
   qYuZBGz4MsKaddXxAOXI/Q7cJ+70d9iOc1mL3PD2/U6DOwwhNfJoNSK7miYfMASV
   42TMJWTt0T1ORJnvBitjkTuZDus1tp3xwxbrZTa4pyGaXEhBW/Fc4z6L+z8hpQv/
   +6dw3+ORgfc67VTHVnsVVfb0UPrWvdxFdL5xYdqXxlhDsLMEms2ttHHzvjC003Kq
   As0xMHEmMpfdL5M69MAjvroOUv0SXETfQaxca7IKd+9xUNNRretZ9xz2kn2uD+k7
   unTEyVGeHrWmQMw/8MdvEac/

A.2.4.  S/MIME signed-only multipart/signed over a simple message,
        Injected Headers

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses
   the Injected Headers header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 4417 bytes
    ├─╴text/plain 258 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="12b";
    micalg="sha-256"
   Subject: smime-multipart-injected
   Message-ID: <smime-multipart-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:07:02 -0500

   --12b
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-multipart-injected
   Message-ID: <smime-multipart-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:07:02 -0500
   Content-Type: text/plain; charset="utf-8"; protected-headers="v1"

   This is the smime-multipart-injected message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message. It uses the



Gillmor, et al.         Expires 28 November 2021               [Page 60]


Internet-Draft          Header Protection S/MIME                May 2021


   Injected Headers header protection scheme.

   --
   Alice
   alice@smime.example

   --12b
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj
   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD
   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl



Gillmor, et al.         Expires 28 November 2021               [Page 61]


Internet-Draft          Header Protection S/MIME                May 2021


   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz
   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA3MDJa
   MC8GCSqGSIb3DQEJBDEiBCCXRoUdgR7J+TnI6kw8MpGtWVJPCnoAB+XfkDf78dWi
   cTANBgkqhkiG9w0BAQEFAASCAQCitU3JsEMd9FhqUu87UxYScDI1pDfZnX1vjges
   xBmmSy5lq5vvs+axKK/hTOR7YLSuLJLNwxJgDCPEmHi1hV5Tpj5mLH8qEXu4c+kK
   s9is53v0NvibhIvDEpnqNvL/kMVDAk2gTqYHCE2Ij7qcWWNhnGdweMJZsBvLy/Xi
   BLaD2t4qHY9lPaeMugDrxThNWEhjoDIoI5f7NpBPYvJgB7b1cJhXqil5weYrJiGr
   hyTr56lff+Xjs8qjgrrzdJ8HHeUsxDJulrX8auo+pIKudcu41U8Ben2M9nCiVbEG
   aqbbPK7xip5c/YZEaZWYAs8w+dif68J8Eo7QO/kkr45Tt5pf

   --12b--

A.2.5.  S/MIME signed-only signedData over a complex message, Wrapped
        Message

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses the Wrapped Message header protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5615 bytes
    ⇩ (unwraps to)
    └┬╴message/rfc822 1599 bytes
     └┬╴multipart/mixed 1535 bytes
      ├┬╴multipart/alternative 932 bytes
      │├─╴text/plain 282 bytes
      │└─╴text/html 366 bytes
      └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex-wrapped
   Message-ID: <smime-one-part-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:04:02 -0500

   MIIQLAYJKoZIhvcNAQcCoIIQHTCCEBkCAQExDTALBglghkgBZQMEAgEwggZVBgkq



Gillmor, et al.         Expires 28 November 2021               [Page 62]


Internet-Draft          Header Protection S/MIME                May 2021


   hkiG9w0BBwGgggZGBIIGQk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50LVR5cGU6
   IG1lc3NhZ2UvcmZjODIyOyBmb3J3YXJkZWQ9Im5vIg0KDQpNSU1FLVZlcnNpb246
   IDEuMApDb250ZW50LVR5cGU6IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9IjNm
   YyIKU3ViamVjdDogc21pbWUtb25lLXBhcnQtY29tcGxleC13cmFwcGVkCk1lc3Nh
   Z2UtSUQ6IDxzbWltZS1vbmUtcGFydC1jb21wbGV4LXdyYXBwZWRAbGhwLmV4YW1w
   bGU+CkZyb206IEFsaWNlIDxhbGljZUBzbWltZS5leGFtcGxlPgpUbzogQm9iIDxi
   b2JAc21pbWUuZXhhbXBsZT4KRGF0ZTogU2F0LCAyMCBGZWIgMjAyMSAxMjowNDow
   MiAtMDUwMAoKLS0zZmMKTUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC1UeXBlOiBt
   dWx0aXBhcnQvYWx0ZXJuYXRpdmU7IGJvdW5kYXJ5PSJjMGUiCgotLWMwZQpDb250
   ZW50LVR5cGU6IHRleHQvcGxhaW47IGNoYXJzZXQ9InVzLWFzY2lpIgpNSU1FLVZl
   cnNpb246IDEuMApDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiA3Yml0CgpUaGlz
   IGlzIHRoZSBzbWltZS1vbmUtcGFydC1jb21wbGV4LXdyYXBwZWQgbWVzc2FnZS4K
   ClRoaXMgaXMgYSBzaWduZWQtb25seSBTL01JTUUgbWVzc2FnZSB2aWEgUEtDUyM3
   IHNpZ25lZERhdGEuICBUaGUKcGF5bG9hZCBpcyBhIG11bHRpcGFydC9hbHRlcm5h
   dGl2ZSBtZXNzYWdlIHdpdGggYW4gaW5saW5lIGltYWdlL3BuZwphdHRhY2htZW50
   LiBJdCB1c2VzIHRoZSBXcmFwcGVkIE1lc3NhZ2UgaGVhZGVyIHByb3RlY3Rpb24g
   c2NoZW1lLgoKLS0gCkFsaWNlCmFsaWNlQHNtaW1lLmV4YW1wbGUKLS1jMGUKQ29u
   dGVudC1UeXBlOiB0ZXh0L2h0bWw7IGNoYXJzZXQ9InVzLWFzY2lpIgpNSU1FLVZl
   cnNpb246IDEuMApDb250ZW50LVRyYW5zZmVyLUVuY29kaW5nOiA3Yml0Cgo8aHRt
   bD48aGVhZD48dGl0bGU+PC90aXRsZT48L2hlYWQ+PGJvZHk+CjxwPlRoaXMgaXMg
   dGhlIDxiPnNtaW1lLW9uZS1wYXJ0LWNvbXBsZXgtd3JhcHBlZDwvYj4gbWVzc2Fn
   ZS48L3A+CjxwPlRoaXMgaXMgYSBzaWduZWQtb25seSBTL01JTUUgbWVzc2FnZSB2
   aWEgUEtDUyM3IHNpZ25lZERhdGEuICBUaGUKcGF5bG9hZCBpcyBhIG11bHRpcGFy
   dC9hbHRlcm5hdGl2ZSBtZXNzYWdlIHdpdGggYW4gaW5saW5lIGltYWdlL3BuZwph
   dHRhY2htZW50LiBJdCB1c2VzIHRoZSBXcmFwcGVkIE1lc3NhZ2UgaGVhZGVyIHBy
   b3RlY3Rpb24gc2NoZW1lLjwvcD4KPHA+PHR0Pi0tIDxici8+QWxpY2U8YnIvPmFs
   aWNlQHNtaW1lLmV4YW1wbGU8L3R0PjwvcD4KLS1jMGUtLQoKLS0zZmMKQ29udGVu
   dC1UeXBlOiBpbWFnZS9wbmcKQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmFz
   ZTY0CkNvbnRlbnQtRGlzcG9zaXRpb246IGlubGluZQoKaVZCT1J3MEtHZ29BQUFB
   TlNVaEVVZ0FBQUJRQUFBQVVDQVlBQUFDTmlSME5BQUFBY0VsRVFWUjQydVZUT3hi
   QQpNQWdTNzM5bk8zVHBSdzIwZHFwYmZBUlFFak95d2l3WW5DdGtES25iY0xrNjZz
   cWxUK3p0OWNpZGtFKzZLd2taCnNncnpmY3FWTXBMMmpvMDQ0N2dZRHBlQXJrK09u
   SkhrSWhBZlRQUmljaWhBZjVZSnJ3N3ZqdjBaV1JXTS91bGkKdmRQZjFRWjJrREQ5
   eHBwZDh3QUFBQUJKUlU1RXJrSmdnZz09CgotLTNmYy0tCqCCB6YwggPPMIICt6AD
   AgECAhMPLSW9ETmXSs5CVIeh7j00Boq0MA0GCSqGSIb3DQEBDQUAMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
   DzIwNTIwOTI3MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1Q
   UyBXRzEXMBUGA1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUA
   A4IBDwAwggEKAoIBAQCalSn6i8Gi44/oAVAn5GnCk4PHHNjrSfWUnnelN41KImVa
   TC3D9zFCrS3i4Pa9ZgHyA5Qf8JW3ZmnVz5q7M8onZm7mZjqQeb6FUH4i2GMt4jse
   2Dqs165ernT9O5NLFflHUjURca3ynqEBBV4DmhnZp8eDhv3t6dXyCjNHT82S6DgC
   ReZuTtMc1zy++MxQlqdn9WZLhOAOpeNZKGmVwjeVy+8FkyzC3jX/Qcm+ZLCqlLqh
   BwDHdZ5qDTII2PVX1X3K7/cONxhvBbaUl/k1swdszUtjhflyFZ80RuQ3qFC6vL/P
   GeWy6SCf58duq/AOEksCAWlb+MD8QH9Yj7CFSmq1AgMBAAGjga8wgawwDAYDVR0T
   AQH/BAIwADAXBgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxp
   Y2VAc21pbWUuZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8E
   BAMCBSAwHQYDVR0OBBYEFKJTQdVEPIApFXwBI/Dnjq/N83cPMB8GA1UdIwQYMBaA



Gillmor, et al.         Expires 28 November 2021               [Page 63]


Internet-Draft          Header Protection S/MIME                May 2021


   FJEwjnwHFwyn8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQCBSXignLEy
   nBakDKU68ro0RsyXWAPkfXgQLgy7GrW7SrZeBc5IEcjoN9f/gsOx/Ht9Ii6zyBZV
   jdaox644DsiLOQEP4YMS7y4q94RFFdmdzEbDLYx9sfUhvdTxDNOOoHz53PYDBh4z
   E4Nar2inC0D+VM6RGDy66K9l+D+bl8Wj9CyGUc1ppMNURexTg+z3web/eDOdu+F2
   MVtluLihne0Bp1GUTkr0mJBolg6dSYal8Hw8/ANHpyExl56BJABb744gqoeuD9YS
   HjKK49+qYC9faFmQ+mK80lh1M9RdNI7srjn0LKpuob6w06jaRzWdNeXzlEc2tUpA
   r4vRhZjVD6FYMIIDzzCCAregAwIBAgITN0EFee11f0Kpolw69Phqzpqp1zANBgkq
   hkiG9w0BAQ0FADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEx
   MC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0
   eTAgFw0xOTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChME
   SUVURjERMA8GA1UECxMITEFNUFMgV0cxFzAVBgNVBAMTDkFsaWNlIExvdmVsYWNl
   MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtPSJ6Fg4Fj5Nmn9PkrYo
   0jTkfCv4TfA/pdO/KLpZbJOAEr0sI7AjaO7B1GuMUFJeSTulamNfCwDcDkY63PQW
   l+DILs7GxVwXurhYdZlaV5hcUqVAckPvedDBc/3rz4D/esFfs+E7QMFtmd+K04s+
   A8TCNO12DRVBDpbP4JFD9hsc8prDtpGmFk7rd0q8gqnhxBW2RZAeLqzJOMayCQtw
   s1q7ktkNBR2wZX5ICjecF1YJFhX4jrnHwp/iELGqqaNXd3/Y0pG7QFecN7836IPP
   dfTMSiPR+peCrhJZwLSewbWXLJe3VMvbvQjoBMpEYlaJBUIKkO1zQ1Pq90njlsJL
   OwIDAQABo4GvMIGsMAwGA1UdEwEB/wQCMAAwFwYDVR0gBBAwDjAMBgpghkgBZQMC
   ATABMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYI
   KwYBBQUHAwQwDgYDVR0PAQH/BAQDAgbAMB0GA1UdDgQWBBS79syyLR0GEhyXrilq
   kBDTIGZmczAfBgNVHSMEGDAWgBSRMI58BxcMp/EJKGU2GmccaHb0WTANBgkqhkiG
   9w0BAQ0FAAOCAQEAc4miNqfOqaBpI3f+CpJDhxtuZ2P9HjQEQ+v6BdP7GKJ19naI
   s3BjJOd64roAKHAp+c284VvyVXWJ99FMX8q2ZUQMxH+xh6oAfzcozmnd6XaVWHg4
   eHIjSo27PmhKE1oAJKKhDbdbEcZXL2+x1V+duGymWtaD01DZZukKYr7agyHahiXR
   n/C9cy31wbqNsy9x0fjPQg6+DqatiQpMz9EIae6aCHHBhOiPU7IPkazgPYgkLD59
   fk4PGHnYxs1FhdO6zZk9E8zwlc1ALgZa/iSbczisqckN3qGehD2s16jMhwFXLJtB
   iN+uCDgNG/D0qyTbY4fgKieUHx/tHuzUszZxJjGCAgAwggH8AgEBMGwwVTENMAsG
   A1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBM
   QU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4
   as6aqdcwCwYJYIZIAWUDBAIBoGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAc
   BgkqhkiG9w0BCQUxDxcNMjEwMjIwMTcwNDAyWjAvBgkqhkiG9w0BCQQxIgQgGiss
   3bBs4a2FSojj2NVcmGx+Y2J2N13x7iIWxuaypk0wDQYJKoZIhvcNAQEBBQAEggEA
   huOPBptjY2fcRzq9DPryHFCFCPa75LnQl2zLijpFMW7qyswoyR6BguvTEzV4kBPV
   D2Sbh86FibwmvNdgzzXc2PJzcj6jtYE0R58tdO/ks7qOeIbtZUgpZT3W/wlEpnmd
   Pr7Df4oVEV9qS+vJh0iNASJspYwccPwIf5fKCPJf5H+xhQlSJ1rLIhw6Cu2ogkWB
   bQDijNyjP5jM1X7Xo3mP4ReuauS4e0DnnRMH3pDGUaKAN5dnEVqdXG1C76+yOBwr
   /foPN5vjE8RMtte3DtOKqGeWwsoEcjinU77z6d0kIWQqNYUNmqDHJ7O/yla0xG14
   IPJnl/JphEWKl3FjI6iL4A==

A.2.6.  S/MIME signed-only multipart/signed over a complex message,
        Wrapped Message

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses the Wrapped Message
   header protection scheme.

   It has the following structure:



Gillmor, et al.         Expires 28 November 2021               [Page 64]


Internet-Draft          Header Protection S/MIME                May 2021


   └┬╴multipart/signed 5528 bytes
    ├┬╴message/rfc822 1657 bytes
    │└┬╴multipart/mixed 1593 bytes
    │ ├┬╴multipart/alternative 988 bytes
    │ │├─╴text/plain 310 bytes
    │ │└─╴text/html 394 bytes
    │ └─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="932";
    micalg="sha-256"
   Subject: smime-multipart-complex-wrapped
   Message-ID: <smime-multipart-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:05:02 -0500

   --932
   MIME-Version: 1.0
   Content-Type: message/rfc822; forwarded="no"

   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="c35"
   Subject: smime-multipart-complex-wrapped
   Message-ID: <smime-multipart-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:05:02 -0500

   --c35
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="645"

   --645
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex-wrapped message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses the Wrapped Message
   header protection scheme.



Gillmor, et al.         Expires 28 November 2021               [Page 65]


Internet-Draft          Header Protection S/MIME                May 2021


   --
   Alice
   alice@smime.example
   --645
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex-wrapped</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses the Wrapped Message
   header protection scheme.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p>
   --645--

   --c35
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --c35--

   --932
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj



Gillmor, et al.         Expires 28 November 2021               [Page 66]


Internet-Draft          Header Protection S/MIME                May 2021


   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD
   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl
   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz
   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv
   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzA1MDJa
   MC8GCSqGSIb3DQEJBDEiBCAqHXFyYQoKOPnaQ8OYqY4ornV0eciFU8bWD8ky9iEo
   CjANBgkqhkiG9w0BAQEFAASCAQAPH0Gm13RZy3gpCgSpM94kN7gG0Qz7gYXsP10Y
   +A4JB3xAPM1deb6TWBBbmoX8KktiMIIQQz+im/6ab96G5VlvSXpaAsHjTg8pkvMS
   K220ePIQLYGMgbf/h/CDO6kXr4D74QPwhaRzo/DKErgwlvY+osiwrC/srFXyv6M8
   673VBGD5XXq8d8LSYQjiSpAQjyGu6Ddo4hZdRNzDQU6a6HRD6qYmaYszb9z6HMHL
   AR28J5t4YynW2Hr8/4HSZ5YMt+sXjm1nsGGqLsOdxo6VmgKSiC2nhx7QbJhqevQL
   CJWufMVWkvIX74TyfK6W0hl1x/pw0YfHnZMimppl69rRSEsF

   --932--

A.2.7.  S/MIME signed-only signedData over a complex message, Injected
        Headers

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses the Injected Headers header protection scheme.




Gillmor, et al.         Expires 28 November 2021               [Page 67]


Internet-Draft          Header Protection S/MIME                May 2021


   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5631 bytes
    ⇩ (unwraps to)
    └┬╴multipart/mixed 1565 bytes
     ├┬╴multipart/alternative 936 bytes
     │├─╴text/plain 292 bytes
     │└─╴text/html 373 bytes
     └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex-injected
   Message-ID: <smime-one-part-complex-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:06:02 -0500

   MIIQOQYJKoZIhvcNAQcCoIIQKjCCECYCAQExDTALBglghkgBZQMEAgEwggZiBgkq
   hkiG9w0BBwGgggZTBIIGT01JTUUtVmVyc2lvbjogMS4wDQpTdWJqZWN0OiBzbWlt
   ZS1vbmUtcGFydC1jb21wbGV4LWluamVjdGVkDQpNZXNzYWdlLUlEOiA8c21pbWUt
   b25lLXBhcnQtY29tcGxleC1pbmplY3RlZEBsaHAuZXhhbXBsZT4NCkZyb206IEFs
   aWNlIDxhbGljZUBzbWltZS5leGFtcGxlPg0KVG86IEJvYiA8Ym9iQHNtaW1lLmV4
   YW1wbGU+DQpEYXRlOiBTYXQsIDIwIEZlYiAyMDIxIDEyOjA2OjAyIC0wNTAwDQpD
   b250ZW50LVR5cGU6IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9ImNmZiI7IHBy
   b3RlY3RlZC1oZWFkZXJzPSJ2MSINCg0KLS1jZmYNCk1JTUUtVmVyc2lvbjogMS4w
   DQpDb250ZW50LVR5cGU6IG11bHRpcGFydC9hbHRlcm5hdGl2ZTsgYm91bmRhcnk9
   IjdiZSINCg0KLS03YmUNCkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbjsgY2hhcnNl
   dD0idXMtYXNjaWkiDQpNSU1FLVZlcnNpb246IDEuMA0KQ29udGVudC1UcmFuc2Zl
   ci1FbmNvZGluZzogN2JpdA0KDQpUaGlzIGlzIHRoZSBzbWltZS1vbmUtcGFydC1j
   b21wbGV4LWluamVjdGVkIG1lc3NhZ2UuDQoNClRoaXMgaXMgYSBzaWduZWQtb25s
   eSBTL01JTUUgbWVzc2FnZSB2aWEgUEtDUyM3IHNpZ25lZERhdGEuICBUaGUNCnBh
   eWxvYWQgaXMgYSBtdWx0aXBhcnQvYWx0ZXJuYXRpdmUgbWVzc2FnZSB3aXRoIGFu
   IGlubGluZSBpbWFnZS9wbmcNCmF0dGFjaG1lbnQuIEl0IHVzZXMgdGhlIEluamVj
   dGVkIEhlYWRlcnMgaGVhZGVyIHByb3RlY3Rpb24gc2NoZW1lLg0KDQotLSANCkFs
   aWNlDQphbGljZUBzbWltZS5leGFtcGxlDQotLTdiZQ0KQ29udGVudC1UeXBlOiB0
   ZXh0L2h0bWw7IGNoYXJzZXQ9InVzLWFzY2lpIg0KTUlNRS1WZXJzaW9uOiAxLjAN
   CkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdiaXQNCg0KPGh0bWw+PGhlYWQ+
   PHRpdGxlPjwvdGl0bGU+PC9oZWFkPjxib2R5Pg0KPHA+VGhpcyBpcyB0aGUgPGI+
   c21pbWUtb25lLXBhcnQtY29tcGxleC1pbmplY3RlZDwvYj4gbWVzc2FnZS48L3A+
   DQo8cD5UaGlzIGlzIGEgc2lnbmVkLW9ubHkgUy9NSU1FIG1lc3NhZ2UgdmlhIFBL
   Q1MjNyBzaWduZWREYXRhLiAgVGhlDQpwYXlsb2FkIGlzIGEgbXVsdGlwYXJ0L2Fs
   dGVybmF0aXZlIG1lc3NhZ2Ugd2l0aCBhbiBpbmxpbmUgaW1hZ2UvcG5nDQphdHRh
   Y2htZW50LiBJdCB1c2VzIHRoZSBJbmplY3RlZCBIZWFkZXJzIGhlYWRlciBwcm90
   ZWN0aW9uIHNjaGVtZS48L3A+DQo8cD48dHQ+LS0gPGJyLz5BbGljZTxici8+YWxp



Gillmor, et al.         Expires 28 November 2021               [Page 68]


Internet-Draft          Header Protection S/MIME                May 2021


   Y2VAc21pbWUuZXhhbXBsZTwvdHQ+PC9wPg0KLS03YmUtLQ0KDQotLWNmZg0KQ29u
   dGVudC1UeXBlOiBpbWFnZS9wbmcNCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6
   IGJhc2U2NA0KQ29udGVudC1EaXNwb3NpdGlvbjogaW5saW5lDQoNCmlWQk9SdzBL
   R2dvQUFBQU5TVWhFVWdBQUFCUUFBQUFVQ0FZQUFBQ05pUjBOQUFBQWNFbEVRVlI0
   MnVWVE94YkENCk1BZ1M3MzluTzNUcFJ3MjBkcXBiZkFSUUVqT3l3aXdZbkN0a0RL
   bmJjTGs2NnNxbFQrenQ5Y2lka0UrNkt3a1oNCnNncnpmY3FWTXBMMmpvMDQ0N2dZ
   RHBlQXJrK09uSkhrSWhBZlRQUmljaWhBZjVZSnJ3N3ZqdjBaV1JXTS91bGkNCnZk
   UGYxUVoya0REOXhwcGQ4d0FBQUFCSlJVNUVya0pnZ2c9PQ0KDQotLWNmZi0tDQqg
   ggemMIIDzzCCAregAwIBAgITDy0lvRE5l0rOQlSHoe49NAaKtDANBgkqhkiG9w0B
   AQ0FADBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzExMC8GA1UE
   AxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0x
   OTExMjAwNjU0MThaGA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjER
   MA8GA1UECxMITEFNUFMgV0cxFzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjAN
   BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmpUp+ovBouOP6AFQJ+RpwpODxxzY
   60n1lJ53pTeNSiJlWkwtw/cxQq0t4uD2vWYB8gOUH/CVt2Zp1c+auzPKJ2Zu5mY6
   kHm+hVB+IthjLeI7Htg6rNeuXq50/TuTSxX5R1I1EXGt8p6hAQVeA5oZ2afHg4b9
   7enV8gozR0/Nkug4AkXmbk7THNc8vvjMUJanZ/VmS4TgDqXjWShplcI3lcvvBZMs
   wt41/0HJvmSwqpS6oQcAx3Weag0yCNj1V9V9yu/3DjcYbwW2lJf5NbMHbM1LY4X5
   chWfNEbkN6hQury/zxnlsukgn+fHbqvwDhJLAgFpW/jA/EB/WI+whUpqtQIDAQAB
   o4GvMIGsMAwGA1UdEwEB/wQCMAAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMB4G
   A1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUH
   AwQwDgYDVR0PAQH/BAQDAgUgMB0GA1UdDgQWBBSiU0HVRDyAKRV8ASPw546vzfN3
   DzAfBgNVHSMEGDAWgBSRMI58BxcMp/EJKGU2GmccaHb0WTANBgkqhkiG9w0BAQ0F
   AAOCAQEAgUl4oJyxMpwWpAylOvK6NEbMl1gD5H14EC4Muxq1u0q2XgXOSBHI6DfX
   /4LDsfx7fSIus8gWVY3WqMeuOA7IizkBD+GDEu8uKveERRXZncxGwy2MfbH1Ib3U
   8QzTjqB8+dz2AwYeMxODWq9opwtA/lTOkRg8uuivZfg/m5fFo/QshlHNaaTDVEXs
   U4Ps98Hm/3gznbvhdjFbZbi4oZ3tAadRlE5K9JiQaJYOnUmGpfB8PPwDR6chMZee
   gSQAW++OIKqHrg/WEh4yiuPfqmAvX2hZkPpivNJYdTPUXTSO7K459CyqbqG+sNOo
   2kc1nTXl85RHNrVKQK+L0YWY1Q+hWDCCA88wggK3oAMCAQICEzdBBXntdX9CqaJc
   OvT4as6aqdcwDQYJKoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UE
   CxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNh
   dGlvbiBBdXRob3JpdHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MTha
   MDsxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5B
   bGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALT0
   iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOwI2juwdRrjFBSXkk7
   pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A/3rB
   X7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQV
   tkWQHi6syTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/
   2NKRu0BXnDe/N+iDz3X0zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVC
   CpDtc0NT6vdJ45bCSzsCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQ
   MA4wDAYKYIZIAWUDAgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxl
   MBMGA1UdJQQMMAoGCCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIGwDAdBgNVHQ4EFgQU
   u/bMsi0dBhIcl64papAQ0yBmZnMwHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpn
   HGh29FkwDQYJKoZIhvcNAQENBQADggEBAHOJojanzqmgaSN3/gqSQ4cbbmdj/R40
   BEPr+gXT+xiidfZ2iLNwYyTneuK6AChwKfnNvOFb8lV1iffRTF/KtmVEDMR/sYeq
   AH83KM5p3el2lVh4OHhyI0qNuz5oShNaACSioQ23WxHGVy9vsdVfnbhsplrWg9NQ
   2WbpCmK+2oMh2oYl0Z/wvXMt9cG6jbMvcdH4z0IOvg6mrYkKTM/RCGnumghxwYTo
   j1OyD5Gs4D2IJCw+fX5ODxh52MbNRYXTus2ZPRPM8JXNQC4GWv4km3M4rKnJDd6h



Gillmor, et al.         Expires 28 November 2021               [Page 69]


Internet-Draft          Header Protection S/MIME                May 2021


   noQ9rNeozIcBVyybQYjfrgg4DRvw9Ksk22OH4ConlB8f7R7s1LM2cSYxggIAMIIB
   /AIBATBsMFUxDTALBgNVBAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYD
   VQQDEyhTYW1wbGUgTEFNUFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhM3
   QQV57XV/QqmiXDr0+GrOmqnXMAsGCWCGSAFlAwQCAaBpMBgGCSqGSIb3DQEJAzEL
   BgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIxMDIyMDE3MDYwMlowLwYJKoZI
   hvcNAQkEMSIEIEZJTcpCQRTwXEI88+nlLqN3b7JQ6wZ3y/JlosQRxxY4MA0GCSqG
   SIb3DQEBAQUABIIBAEj1f7sJy7g9/S/3wXfUqyyg/3Sr/4H7n/Wyxg+FP74Bi0Km
   Z01zoauH8fpjsOg0fS/ll14j69FCkaFUqHYotT6kojdodBRM36IGMIHEPPYH6pAL
   4K4CPk62J9PWRwlX+6HYPr+WDfSjzGAL5mDTzYVAuu2aUn46SmTUVNDv3UBaxQCS
   sghtVe1snSHpJYz3LciIWyKrE+Kpw+g6cb9hVY/a4p9jHu11x7MfCQddVg2qjZsO
   9TH1X9hfSzxV6bmFRZ39+MU/mOV2pxVYXyDnk6BX48PVx7C5tFWDtr+hB5dEQ93i
   sQt3VRgv6NwEiyxqfxyQhHgpJY2+DqhoFgwbhkI=

A.2.8.  S/MIME signed-only multipart/signed over a complex message,
        Injected Headers

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses the Injected Headers
   header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 5496 bytes
    ├┬╴multipart/mixed 1623 bytes
    │├┬╴multipart/alternative 992 bytes
    ││├─╴text/plain 312 bytes
    ││└─╴text/html 396 bytes
    │└─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="a23";
    micalg="sha-256"
   Subject: smime-multipart-complex-injected
   Message-ID: <smime-multipart-complex-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:07:02 -0500

   --a23
   MIME-Version: 1.0
   Subject: smime-multipart-complex-injected
   Message-ID: <smime-multipart-complex-injected@lhp.example>
   From: Alice <alice@smime.example>



Gillmor, et al.         Expires 28 November 2021               [Page 70]


Internet-Draft          Header Protection S/MIME                May 2021


   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:07:02 -0500
   Content-Type: multipart/mixed; boundary="d03"; protected-headers="v1"

   --d03
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="8d8"

   --8d8
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex-injected message.

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses the Injected Headers
   header protection scheme.

   --
   Alice
   alice@smime.example
   --8d8
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex-injected</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment. It uses the Injected Headers
   header protection scheme.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p>
   --8d8--

   --d03
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --d03--



Gillmor, et al.         Expires 28 November 2021               [Page 71]


Internet-Draft          Header Protection S/MIME                May 2021


   --a23
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   MIIJ4AYJKoZIhvcNAQcCoIIJ0TCCCc0CAQExDTALBglghkgBZQMEAgEwCwYJKoZI
   hvcNAQcBoIIHpjCCA88wggK3oAMCAQICEw8tJb0ROZdKzkJUh6HuPTQGirQwDQYJ
   KoZIhvcNAQENBQAwVTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cx
   MTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3Jp
   dHkwIBcNMTkxMTIwMDY1NDE4WhgPMjA1MjA5MjcwNjU0MThaMDsxDTALBgNVBAoT
   BElFVEYxETAPBgNVBAsTCExBTVBTIFdHMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFj
   ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJqVKfqLwaLjj+gBUCfk
   acKTg8cc2OtJ9ZSed6U3jUoiZVpMLcP3MUKtLeLg9r1mAfIDlB/wlbdmadXPmrsz
   yidmbuZmOpB5voVQfiLYYy3iOx7YOqzXrl6udP07k0sV+UdSNRFxrfKeoQEFXgOa
   Gdmnx4OG/e3p1fIKM0dPzZLoOAJF5m5O0xzXPL74zFCWp2f1ZkuE4A6l41koaZXC
   N5XL7wWTLMLeNf9Byb5ksKqUuqEHAMd1nmoNMgjY9VfVfcrv9w43GG8FtpSX+TWz
   B2zNS2OF+XIVnzRG5DeoULq8v88Z5bLpIJ/nx26r8A4SSwIBaVv4wPxAf1iPsIVK
   arUCAwEAAaOBrzCBrDAMBgNVHRMBAf8EAjAAMBcGA1UdIAQQMA4wDAYKYIZIAWUD
   AgEwATAeBgNVHREEFzAVgRNhbGljZUBzbWltZS5leGFtcGxlMBMGA1UdJQQMMAoG
   CCsGAQUFBwMEMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQUolNB1UQ8gCkVfAEj
   8OeOr83zdw8wHwYDVR0jBBgwFoAUkTCOfAcXDKfxCShlNhpnHGh29FkwDQYJKoZI
   hvcNAQENBQADggEBAIFJeKCcsTKcFqQMpTryujRGzJdYA+R9eBAuDLsatbtKtl4F
   zkgRyOg31/+Cw7H8e30iLrPIFlWN1qjHrjgOyIs5AQ/hgxLvLir3hEUV2Z3MRsMt
   jH2x9SG91PEM046gfPnc9gMGHjMTg1qvaKcLQP5UzpEYPLror2X4P5uXxaP0LIZR
   zWmkw1RF7FOD7PfB5v94M5274XYxW2W4uKGd7QGnUZROSvSYkGiWDp1JhqXwfDz8
   A0enITGXnoEkAFvvjiCqh64P1hIeMorj36pgL19oWZD6YrzSWHUz1F00juyuOfQs
   qm6hvrDTqNpHNZ015fOURza1SkCvi9GFmNUPoVgwggPPMIICt6ADAgECAhM3QQV5
   7XV/QqmiXDr0+GrOmqnXMA0GCSqGSIb3DQEBDQUAMFUxDTALBgNVBAoTBElFVEYx
   ETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFNUFMgUlNBIENl
   cnRpZmljYXRpb24gQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoYDzIwNTIwOTI3
   MDY1NDE4WjA7MQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBXRzEXMBUG
   A1UEAxMOQWxpY2UgTG92ZWxhY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
   AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU
   a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz
   /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3
   SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ
   saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE
   ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX
   BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu
   ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD
   VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn
   8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH
   G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl
   RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524
   bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp
   7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz
   OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm
   MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX
   RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv



Gillmor, et al.         Expires 28 November 2021               [Page 72]


Internet-Draft          Header Protection S/MIME                May 2021


   cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG
   9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNzA3MDJa
   MC8GCSqGSIb3DQEJBDEiBCA4lKOx9a084fB6gb7XvsxC6U70hVOXe3FjeF9sS6mN
   qDANBgkqhkiG9w0BAQEFAASCAQAfMFJgqp9Vb8dS34Kz4fZfKGA1SMbqun/XqC6S
   9/+EpIiDL54Mw3qug01eU/ms0YoBlu8aV/9CbC2DlOdPrFCRuHTWyFClWgi2X5Mj
   fg57SXgGd1KJmhWAtcNuI11l1k6TeoI/pmU/R9tNKrF349tDVHZU/4GWUfuyiorK
   t6TQK0/Vf+JUySQVCUqnx+Zb+bhvWmKfKuX0CJDEOyD+kH21ar0HMNGLK9S9R3MJ
   dfL9+1PmXCXsTP7TIhmnwCJSpBJpmzzq345uu3N52/3SsJYrahIUkbPLnYxTAKDD
   N1k0ijGbEofDEC9RtdwnoGPfv1UG95LK22Ys3tLqApQqkByY

   --a23--

A.3.  Encrypted-and-signed Messages

   These messages are encrypted and signed.  They use PKCS#7 signedData
   inside envelopedData, with different header protection schemes and
   different Header Confidentiality Policies.

A.3.1.  S/MIME encrypted and signed over a simple message, Wrapped
        Message with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7345 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4436 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 679 bytes
      └─╴text/plain 321 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-wrapped-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:08:02 -0500

   MIIVLAYJKoZIhvcNAQcDoIIVHTCCFRkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN



Gillmor, et al.         Expires 28 November 2021               [Page 73]


Internet-Draft          Header Protection S/MIME                May 2021


   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAFHb+aM8bhyJ1nFFuBDyyBVQf2IplykrvvYb
   mKqBk08i2gecPSOMTkW5e2oQ4+WT4rtU4E0JXfMSA2KukKc+QUA3ycVCoL5zhetX
   GsEx74S5P4JMY/uAoyBlEogGNi2lvagvgOGkqHJCZAjKjPNmqyTfafyv1Y4BQRQ+
   WJi7mURDIbgrc0xfcC/yt7UWxFlfUhm6n7rTvRKhe4D0EOOB8yKupUgcDzBMTw5F
   P9HEy0vFij12+LNKSsOPhVp0PbPkMCVi+ERtXEgV7C7BRVVYBiprpYJxJryO9t3E
   jmIupqHZMgXxlAKFpBsdlPWfI1mrMVZTBpRgy8Bds7CORgWbs0MwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAX1PxPDDlV2Wo766+MhR82lW8
   pD0GWAM1ScYPggh4t5OFmSjFtyiqawhMcQhoRsAkGV387oXupYXH/lkaD7nIdZW+
   pZK1/RZUU0txvlsRIpJduXcWm/Dsu0lQtQSfcg5FaslSMjBpMI41BD2KC9M5meDP
   NqHnzNMFv0ZiPO6x+bTCXhds8WTi/B2DDyXGjEaN6RUFw6rKNXwbXoR0DJCMosF5
   55gQuo1k040YMqYRwdsJGETr/r/JaEPwNekogAfuXBkNE3JQB7aVgePp8mIZNIIU
   0nP6eXp95UwLsoA/zwbOv9XSYgQDCcQ0MWycXmmn4ysbeWi1p7P+6CLwgx/TNTCC
   Ef4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEN9EoELwqIPQUHcQvENM3K+AghHQ
   7MaGZ6VZ5f9fpYjTHCbQSjcBtsF3qd7/z94CkYE+Fdt4Xtm91GlDSRONaVuT9yV6
   vd3hoFTCfrX1aQSzzHn3SPtIh7ySaTG70ctsXP33UjcMjzDbvyvfIl1mxsct5rSx
   e+cJ4z++pLB0vQeq1JlbuqY8SkSX9FyDZegnUD+zCB3qv7YSZEwD+EjifauMcrl5
   p29hRgVx522WoILf6Ty14stVYot76cyOYE5AlEUMxBg98tLLzNgvgpevmhZwNzby
   B3v68cMTXh8Zm8UB6F17oxdLFIszhEMnM4v2RSWB5O7L5C4ab+zWpB58AcOeIesg
   E9TvdhcJVsiQHLMtVqxXcyyzlh/T1g1YZnfI4+Q0gNTTS9kp5y2Jpl8AWiHV3lJH
   ltigpNDSlfbskC4ZUKNLmwMTed03kH2leAZGK9afAC+nNwKvSlhWovXXujmTwGao
   8fQPc9cKfRS3tx5dOnEY5A6ZPbAx3SkcdHpUc/Z6Z9at0NnN80ppl55sichJeP+Q
   yoWX/IMhZwNksoiP1Wqa2KYGk89l3EvBOOKMH3G/IOcilg75VxjfKQ/IrB6xrhb7
   wY3YCV14MtJ4T9gi0rtkXxq6YfJ6LQVXP3BWpmlf3xwxQn3HUsQNFO/dESQMikOy
   PgNT/wkwX0+v0XY59maI2tF9sMFiheLeRRjPDbwaXNCX4ghzpOA0KQ1+0/upcXPd
   O2sskI3b3qh+gbRhTUOxAMA5i/POQ6QOj/0jxfbN081YdiHE49jlx5MA00u/yn2V
   WKlDkXE570tX5Z3upvQvLVYuc7+hfsr0oIC/A+4UKzt3G3kjmHqKvkPeP4ytu5Cw
   VxRQlhl+rWISO/EzflNHsgNwE/X3eOmub8vNl/fX9ng5hMVaz38pAQyQysr2Rg2s
   ZDasrLS4kWuGOtv8gXD+Lm34r31bQfl+0NoVpJFV0iHYzBcmL+refdBec9Jfm0yI
   KkX1YkAovvlnYL5ZYzP8E08hNtZW+rln041yyZa12hRlORO6lBqxb9W23vTgU4O4
   vIRppUbJrf6tmYQMiYXkC+Kugur1nBJtEbLQ2WurYFSkdrrZYLg6+cs/K+sGgCMI
   0GokK2ntwmLWHCVU9w15i+7G0HYxZkschUQeIokU2M6KePbp36Mb0vQlVJhlqTmU
   HdW6EDk+iXDNW72gZccDyPhZbhZT2g4iWHl6xA5iydhE9le80boq437OlgMIHUkS
   2+cEArcITxmKpDQWxREYF74jJyz2Yf8rZY4uI6j97+LHYlds7X5HIIq37xVUKUud
   sDav+1XMQygilVzgdQ6MTKH29rK+/OKJhWZYn5HDGUIa4GzskjL9Sp93xG+sRvtP
   tC2bhURNdHjg7HyyH+RldvxN74NiFrNCj39TXyw5Tzs44nxsVqghdu04BYMm5uGp
   9rN4c7Asn7kfjg9rmntnmnmBotKncRM4W1ybT0zZ4QoBCvl2306QKgll3Qiv4E2e
   3l/POH7VEtTBeYph3JUhCjoF/DU7lQetAaH3sKDdRqvxb8pjvQKI+q3NLUhYMLdl
   /HqrtNXq4ItRsfz+yYsEKlw68fPncK4OEVjxD8e1kP9iccyhEWK9sS+zZmsJmRP1
   +CzHNdV/3F4V2eaa+YRiBgerv8jjqKhozquzKBnFerDrGvBnctYkBCL04sGowv3c
   uxADq5pw1sBo2XIwsA6/hKtCijpkIOiPjawE+uKwDiQdGutdxOx5v/wk7McMU0qO
   tjhrKGa3WqQ7w9lLO/xqNVBsGxKSDsyCZuKnpYlg3MgRK5JEq7GngLiBKRN3EErD
   f74gk2ZQ5l+41eokY/3YTYhAFnDabzhxLK2vZxuc5JWOScoo/Ej7AATgKkhr1U/g
   CHvGyXxqrozMu/Vks564d4QTx7SHcOzJs0pIeN79muMOwEFYBKnQJWZPxyzZ+Bx9
   p97BbhQwhJ3sCJPiwMrLUJCI3d/DDPkz8IPru7rBmuYfTJv2buakTrR4hwjg8oK1
   2YnhHumejoHzR9EfDQelF3hYZSzwCH64ODMsSXGCRZjps7Gu1KWvdRxAiZHHCCA8



Gillmor, et al.         Expires 28 November 2021               [Page 74]


Internet-Draft          Header Protection S/MIME                May 2021


   98vBO6pjBFG+J1KVufCTecBAyFKQOToYBMiQ195wzucZjnEeFtBDlaSwTJAx8rM2
   ROR5DasKHRqdV6i2LV4b/3Xq5CUqZw3Q/kZcdSQTrqtDafc5lTLS/dPdCVWr/XAh
   wjBgP9alKi33QhB73CFNTM4T9HAgR4SkqqpfEQEWkcJOIE3K7pfcQbplvR2uIIdg
   gExjg5vyMloBFEO2YBcBi8bzUKF+sVpIkaOyfeD/tUydll0e/eDkwMD6Mx01ssgT
   POJKR7EggddGlm/BCB29IekA5Y4Ydc7GslOFhO8zC2LCm5OHfNgzCaOos6lZtpzA
   II9ihCb2/P0VRO0XSJ4RoR9Srj4DJji/VlzHqqswZJQyzqJMRJT15mQHf2tOmobJ
   PCHpkJVwJNjHphbKTcqfokzHh1YnOvTJ2f0svarDhV8H3q9cM+ODMDPFOARjZ/hi
   ciDo60l0MciMAYzh5CoAbLQgzlHNUZIM4CCqidPVzHyn1lIifhH+yEWkXkkCO8QV
   1kDFbwmBhLRPawpIxsr7QuZ0aICJBdGZ2Xwx55VAbht7SObllNYbM50QeMtpzJC7
   0vKgPkoctvuqR8vO4lsIqxUc6vtHW8C8YWHhz8g9oLBPeR0o/0I4+AePScm/BICy
   DrnYGfFM9C/rMU+PateE/dvsGiW6dTm+9SUFqEqwIOazGfAwE83G85ZVePQ0Q7RB
   jxvZkgnSg7DZkbuy1EmSRUa5gR0wttH+4jVTYo9Zqrjw7NOvn/OLIIYDcpxQBrUE
   /ntfknMq8luYOMou8YJCIOtx/wL89sYZhJu49H657dGB/A2tpGRVSb82OIei7rhu
   +9quDIPXoPgBcEPh8k5eLtF23XJTfTi2sxD7WU1XwhiX0+0CfvQNFt8ptJUrPB9/
   GzNzN0brNex9YUbFEAeGh6BiopGlTAeauu/VSc6J0Dl2uxLtt/sqx5riBDvgiXpu
   vp+N22l3sEjyMeQ1iO3EJKhAHNpAFbMi6uEeMVCNneg9IxJj8lodiCaWKxjQafhY
   i97omBTNjLQWXj3gCyIr4gK8aD9jrcixrPrUuK1yO4jdSuprINoQcDLE1T/yPd/O
   OTwDZewzygLHRI/2eg0JPHtjZer/m+stDLbRxnhKGfwjTR7Redk0cX4oLPiyVI40
   mRZ30OkMZ53iYRvzrsChO+L7Z3D6q5nZ2vO5yKFvfHgcmy3RZW9WyaiCF+wnLGD+
   gcOtrcMs+SYc1FO1xCpCNd2obYK0icviIqH4TpAuSrW0bYCtM6hzoDdbW1OBtcal
   08D6XVsUPgy4o683tf5TyqMZYqEssG6UbY+O8HElcJ4p1jzb50VxwwFrMkfntREv
   Birra5k4+/Td6nOWE/Ba6lCOWVC8cBy1qp0bkKsm1IWNrbbGZmfLx9hgfLtxtCZQ
   +DaWbvzEEeH6qyGy8VR/rX6kU0+rHMIyohPbk35VysC/s87OfBsuUheFCigfC7xE
   v69dle3NAnXQpCE8OyIlL063AWlQBxEvEMfkutCX9LM/w2h7PI7DGu71Naj1CxTo
   g/74mJrIT9lneVCKlEpkmEMCimLd5NzjUcGatCLu574LfGpsOEDRUDvIi8HBJOAP
   spptpgQ8LMAjnvWilPQZcbd/0WvRzzKEp8i5k3IvtVHi/aFu9lZvnopgDJe43L30
   tT3Kt9d/ZjHRswW4MT8vnCiDkBNF7TTyTC/jUq6pOuHglfc5H6QRgEjow/maBCB/
   ApoGhlvCv+7J8ExVzkesaqrcTWQpHmq2szcTpnnhjgzV5W9CHGv2R0GcqQGHvkBB
   Ds4wYl+OKDQhXczbqX7C9bJOjDb6hhlQhTtlO1/M5iBdW53k2OCcliV056KNLFhd
   yLDvXZg7r7IuGo75lb9urObCI/w2KGDfN3P4Y8yRseJeBY9m+txWMJNyhCyNJQnn
   7jLZ3es8cx/zQC/6AUQtNrjHzM+sIoSxSHXnS61Akj21zY0qyn6pZalPgVM0HIy6
   I5r4BTGdIeI/kc6LoKhrfgeQnH6PwZmmddNIFQo6la3lpXuWgOZfqWOILo7L+2dR
   neQ5AYaQj0QdH8z8aYrIgwwFzxFzETtnGJkE/HoN/MNGSaMD2x5b4y8ObDpvAkG5
   AD8/VxZOsBJE1hTz/v7DBFY062MdYDbKHkBSOAxUPMI0ivu8yV5JzC6+x/98L+C7
   NJTs6g2OIWXqgAX+NHZbFDdeIYMcExoMH8R/mz1zLibFZG8f4Buv73rdhwuRQ1/F
   aKAxL58efL/ppkEvFEGrJhOKtXjQv2mEloseTc64JuG7wXql0/LW22Fiw+b9vP8z
   aowf6DrVDB4CiZBvbjpyk/t8EtByn0JLq+Qp/f5FgIglB0DWteA1PVC22i0zlg/d
   +aVKtOHRCsJXupP+jIjdJUekwJSZCid72SmwS6lfCinpJlVedq7OOA/SrJ9eg5Om
   Etg28g9N3x3BzC4Q+gI5CMSKlfC3d2xHohxxdkwO2MJWdOXbjwPaPxgqYbngJC4E
   WLCXLPTLw6XuTJ6lQJRpF3kk6REmqnRlDz8Dmm3ocpCcNLa7Vo05LkCnZfUvmZc4
   jw/2JwuLcZR9yooiuHRMZj/WOFzRhPmWQWwCESCqcKYfNnXLKVsOZfWaUbNapIbA
   5EOZoVpFQYZRz00Q7vdSodDtJ0REPxvybjGomJTYm8VgsICQZVTAhU8cNkRgh3KF
   tqULWhLK7TzOzl2rrr1+LuSq1pb+QM0Az4ALYByeWEKno920ZaCfa/DxxMitx/Zy
   RDfAtYiUzOmtWKcJnGfPzuInCHQ7QRYh2+xDh/o9k5qSeSV+lrG4MlI0sptm4lfN
   W6oEJR7Y99IoIt1enqjicyLDYpJavZCgMjHznCSPffWziOB8Vy1vpbs80mTQlvN2
   J2V6HqLTgDg27MO6vZoBjjSjBdW+AJcwOzzY0eMvT+hEkLqcSRXXEB40Wr/qtwFv
   aLYhIToRENyvxRbQGmXWL8iT2mCs57m1sr0tvP2t7J4DWbp4CoiPY2IFLC4vZLK8
   KgfPwD1d7qdZEwykzn9tzisOdx83ta0qeXc02kXsvxglglxlhO+DL6oamH2G1BBz



Gillmor, et al.         Expires 28 November 2021               [Page 75]


Internet-Draft          Header Protection S/MIME                May 2021


   yVVaDnw3C72aV6BKL5XFjbW5WdqKr0/2Gh8EE6IPZIw9TlMbt2TxSTdGxXDgslBB
   plIDqlQo47imspSjw1lbZm/duczPWuDpNW1f9uHRyIPcA8QaqXA+hvgeLbVpJuJG
   6Y11FEYeIl+0tX251S9qhkDCvZ8MIZZ2muqYoB/Bac/CsbkoGJHgF5kglRNBMCZv
   aUGnTA/PaUEDyHJY74VsJJFVv8Hbsvwi5M0AUuAIIy60lGL3VZqQRdQjInJKEXIp
   szLOcHyaL8tHY0IRSP4XaSR6hiEbFJvbPUIKS4TqTr9N+mT1FeVkJXxjGJVqwcxn
   GSohbJc93gt3r2sS7HAr5fhJI3xDyXIYhWmRIQatvlKh5SXsg9wSVMNFn4D1Ql49
   Flb9J+ydb3ENJlVnOaKGC/hyGhULNAUTDyg+pqz3Nu5lwejgFNgz3/W/KPNnIFnM
   6vJto9bEpNKATOOBLXW20ztJCjgH0DD7AvQAVTGu8208MBL8PueUDlUysqZduTay
   f2aVXIcEfPFwXR8lzHtDe87Iu/RqKwPnkHy+nFRKUSVhyhQ3EgnWZpLRNzHgPxvf
   C74UbBFrBARWFRty28HGPqM75jNsOIsquad+9gxleRsuPE1klsjiXlvDTltrEYE/
   EF56h9hdn88C7SEO4KFMbI/6ae62JQdpO7CPgq+5YGHMVUZeQHJZkfLAQUVTCRQt
   cZH86BtnMyKPZeovEd0guyX0kv27gswviZXf1h0ey5voAGw0EH9j6+z5SN0sPhry
   AzwG8mH27qDlrrGCn1gX5fOS39+xtuuseqAW+iQgDk9IGrqAstMQYRW1kRYXKQlg
   y/1c1Q5/M6kyq5M2iI9ggd7hrqTcEh9Xy1dRBPdCljXyWZo2eTnp0n9whXZbMtLu
   lIZc102dTwLWWXM7uLK3xDQS653AQKc8C46DW3GslHl5+jW00C5orPHh5xeLX9UO

A.3.2.  S/MIME encrypted and signed over a simple message, Injected
        Headers with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7305 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4406 bytes
     ⇩ (unwraps to)
     └─╴text/plain 333 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-injected-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:09:02 -0500

   MIIVDAYJKoZIhvcNAQcDoIIU/TCCFPkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAEqWQtP9NMp0lborDI5F55uEoZxerbw2f8G8
   04jr822TF4ehQnzqtlSmtb3q7XZZGz3OVYv0JOO2DWrWWbSzaaWHXwJ8HdM0vxiO



Gillmor, et al.         Expires 28 November 2021               [Page 76]


Internet-Draft          Header Protection S/MIME                May 2021


   87SvZMWXXzwrZSyrabmCte7HhJOo0FYqMphkC8UoGtIE+J5Z1XpZqjpiicTDHZPD
   qKPIXCE026LS1ujO/1l/ON5cBrdMRlzEE/tnl2vA3e95pUEM2ILObukZPPKLiTfr
   ejLM2/oQUklYmh54leeC3dQA0xIf0Wktzrp4qt/qJPPKI/RCw/JL0Saf2x005pET
   PBRhxQdPEyjKfBRIOm/FMa+LkAqzjHlJI6MbYs7a+zAZvqH/tXkwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEABaLUv4/qgPpg9LQVoTctoa3J
   8+wK32xlFwCr3LzD4A+3AZGAzqgJ6roO/cyDbz6swNjZQb6IvsHrxn2hCLyGS7JZ
   pxaqvNh0MTZ7ppvAAMY/cbtim6oo+aR+YBFMuUejNy2Lf4g9Qugs7C86BqwT/DDR
   8012vrQcTRVqxxgtaJtTSHXPZVQeoTL9QvyvBR69XJ4fNvap1F5CVPlGONwVWgYd
   7u1FQCViH1ASwcJ2VMYTAp2vWgrghn6taCB5NuzPH6TLqXM33bzaEZ9+7ya0kOyC
   h6PtoTm+Sk504F3qTf3EZ9l+pZw9dYKmHXnJSXzhInzob22BUwmi8rmAhyz7YDCC
   Ed4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEECnEpHap3uuwIy1DMX4JXriAghGw
   Y9Dgh6eaEPJSGb2YLpt5P4NZqy1iFQN5A5F/ejZ+0XBWbhPihaoCRKaixUL0XFx0
   f1THjHHFDNcuiZ2dxbGtWtuCZkxt44ycJ2GOJpCNcWVnO0aJckEyiPxhjn4yu16d
   pqbT2G4Pt6DEW8teMJFNpaM7AcGbp04KTf02zIy1PQRjQRafhFO8+7Jkm8ndRPUP
   bNfOdLq+oIErDaMDlr84VyUEaSjJzIS5xh7+Igilk1O9cGQViTaOEtDhhL19sWrn
   Tdmrit+/jso6IPZKIlkaA8U1sZ4B3gWEjyxOphDKmtzOY5P5hQNcbXquk6CQT+N0
   2XB5h9OdYPQc5hSUY3PxG0WwUovzQGAQLH/LwCm57sjfSNdTYJO4NijQB5kIzmSI
   8KLqLquMser7JzSyhGaatw3zC9rZl52FUohJQk3OSIzeMhJoXrQ1lyWEQOSfdCFo
   +iaV7OjHoEYQtmmcamzZwOi18JN4FyufRh7DyCBi4RoDx7OwWgKr601VrhcPZNwV
   r+8Ysuqprpb1YEPlE1cqL0ZxVX5z21UQ133U08p4CV9fW0TuuNnMFRARnfnwoXFS
   ORqrSR45G/274tG2/j3R94EdomMSJ8/Zx/qf7fou+EkdhfVNB/6ANb2jAm37bUeg
   I89QvN/BTVcXwhMDsYV6OqPMaHwD3B/O7yF8HjyRiVh78bUX9rU1pIgXSrmnnuyB
   1noOrWKpacjxQenLebNa8CZVG4ZpQRa3f/NXOcS17auNb/qoT/xtgcTaWb6jF5M/
   D3ulDiILH/jCyDaglL7ItSzTKu2BCH9tNXy2DVV0FSMTyfOLrYaZpYGLULvoly+u
   yBqTQram5ZxmWjGhM80snWlmaB4kQ1FBWoW++rnEbQ9JEL+n6UxTJHBbR6bNuY7u
   5jjYih1tEKM7Y6cQbWn/PykRIjP76mukR/PI84WHQGP+n6K8QjCP32Ij5v0BdXCN
   KftDYROYNGK168oej0ozUpPnz5LJw3vbDEFzMVVCjEY2qOD7EdTFAYojNwL4IuGW
   W43/PKeEi7smTQWxGWrbIFxPwuuNKyMOHLGiKXqSJSzj531jTiGasWVpHibEKlUS
   IWOXef/7Q/PZvCa8vxmVGowSQ7gWQTVEohKi0MV7lYuxDTWRacPetjFzkwOZoTHF
   5gFV+/CY2W5VXVSKIR5mr/jjQtBu+7LOAep2MGq1u1LZJgXDaOkPR5Rz6orfCz70
   M7oE85uq430h6goP4YKeCU1sxSE9YXRqICN83AhY7JCzrP4bKVnKdia56XEmxMKR
   LQ29Z2zSakaIPKbSmxMuIqknlOV29PGG1KztSDonWIFVVLJb6Qne8altI7zTxml1
   IMi5zxcto96g35HGN1V0h9zJKA8xOf6q18yhfJnWQ0ONkMpfHrHPTOXaU1r4hzm3
   mPEnuG94PWMw6EKi485rsY0tZgE/PZr1slDsxmAO6r06mqwc5NfNZoHwNl6WFWZ6
   1uRmctWEMW7gHeqly4TfXH4QiRMXAuzDdrYnVjWGqNlk3zEY/v/ppxI/woU4wBmw
   pxwr3LTvna/8jpkt060hM8ZUkAs9zYbtQBGLqrSy1prf+nplrXDQhkIgbV3Lpx2H
   hdMljzMyvPJse5AyQ42L9w5SZa0vIA9t7Rn+i9LKxjpdMsY+zW7tgqMhRTd6U9pY
   kfRsOnDJJuv1ypSBwbaEfZgiNtUkFwuzQRrfKLqjJeKCXw5cpad+f4xPPPc52UM5
   RnJMTFe6UFlNmodzkyLr6pltMRmnLxs12uTXHR/9z8Ni/+mUWg8G/9aTwujB1JOl
   6Le8TE96yPlWqF//qSz8WJVWgTrfPGpQkwpzBWaV251LvgKzETe16/EY8zo/G3nN
   ahlOW1aeBxbKm2VwtGwZM84bYWaH0cLPAQAvkFhv5zk+5pgC98rwifhhXTefYA2P
   0D950lUaTQTWkjrw6t2kzg6mQ7TF0Ee1i5EW+SxVKbd266MQgSZNhzXsFTgs8XA/
   aNmXLx2DjpbQIjI5AzvE5YWeN+d5lHDee4Z54sDp6GsqpYj136AHZIE6I1jxxi8U
   p7J7Bkc1zs/4FdY9cGfHTlhV7ugtaENq3w5whavoMgaQZIj0qi/PyLBSFrScCK15
   3kfdaRRwdg4E43PqQDRW0e49oKWX6VxGzqVlsOhzo4Hq8GvMhvSjC9gJQK1hIeDY
   otBZIhEmOZQBq4rlJ6nVaWEPJkfebn8GB2xkogf3j+o16u4rv+djux87+QJ1h+cZ



Gillmor, et al.         Expires 28 November 2021               [Page 77]


Internet-Draft          Header Protection S/MIME                May 2021


   vOIk/12eJaW3cxzBa/ckfph6TAPM1wEkcdxpLtF+dbNc7WHXK6NV8P5zPBTq58mC
   iCpwhMnRUKY78wOdsAK5/oXl1bya5fFBSrVf7lPPyADaw09puu5di9cJUyOGEcH9
   dWWI29MnuhJ/+GPGLrT+X36CDc4UMuYHNqGI0Eqk6XuEUgZDwbsmpYUt0J2zBvu+
   Rb4xAIb1a94wXzsAQ/4aVKaUSd6ofjycbzcc6aU1vyQtqAOZPFP7S9z3dyN1LCA0
   Uiat5crCQbVhJQNVMabkFBOWIF5kGIIERqmupnlukf8OFS+XGw8t24PPq4os2MnP
   xtdZMOlmE1wvFlcD2/thU8hfXUfYnT2qmObikJpXQE0e7BAsAnYQj6u05eboEhfH
   1bx1ZsZX+8bb504ah7QLfuqwAg9WTzdWooCpiCuYlAS/I7Ey2JW1tna3BZMCYMJi
   SOD4yZG62wfP4QZFvv4WWKyg+NYdPj4XkHse7Yd7qTI5mxCr7bjtccBZi80JU19G
   w+OvdypURyiYXylUYolj55nFnEUX+IP3/pToBWpL7yRizP/Q98xEUjoOS1QV9rz8
   ppg7XjBYZrns2JERC2L2xQUUfBgTtd28lNgCt02PwnF8F+KrS2w+kiJZI9CvN3ie
   No/ufb4uOFLlJU+YWC2c1kBb+5bxF1uVN2jhIfZRNXzbGVVifpTsIaz/qddsFtnI
   8Y6yhImBpFCrdzt9GjsZjdNRFwTy60fJrXdkzwQgTwR8k4b8OF7AWYPxqgLHRhRv
   v2P26GOG2d7+BhGyZcaiz2y/eleV1eG/rgfqYHi+a3IDAa3Iq0hDg9IQ4x6/qh5L
   viDAM70hN8kqGkg8//BaXvgETIIMyupmvi7nWpBVKozs/jGI90UCOSf8uJDDcbnP
   XOnV47XI0XufAeIdxKa30hxw7b9UTqE6DAe0Vzc3qtWLscadPIxjHOoko+PGoUOe
   A7w0vNwutU8beBDHkhz84Ni9hmSWOy9A+7J3XFMm7QxJJTmKoRe5bySvCy38god5
   12WxVrlxuftoGPf8QYtLc5F7B+gx5i8Pv8eI/JJLMnGBdci9OUYkIe6IAw0zMxjz
   0wPzIITHL8l5ejE6cc+Gy+SwVosoa0RC43n0AzP4BWu4wRmJungQTSzMUM+6xb2k
   ku3XkjwdQLVY7qX7M7AbDr/7eK7ojWnixTyNY75zqObQaoyhgKJlD+6iwadbMVq8
   SYpSY2EUnFSVM3+NeGVF/ANLoGcBHzYiokQy1HQZlTpB/2nYA3kBfL9mZoUxN0fi
   Ca8uDcGvB0MsHne8wvOMv9A4GCYYHSQxZ+SMtylTMtZ6qENDdRSz7JFC6jbaho3U
   KM5+8iyAbXOh3PnMNURtJ+9+nFHI+7Uiudkoel/ymgOZgJhrKkbSd6X9i0f2da/F
   SeLx1jFtLx8GDkwZfI+8N/JOTsH0/0tI5gW4UUvWoRtF3XUMU6ZFPnkCK8GLUCqs
   eCgzZdnCV0tYxvZNtQhZe9prONcE1bbRGCJ/OeZRNKKH2CrjdLG811wFC47KfrMD
   xRTM9wFxVsFDyr6VyhxojPuEz2OjmxnStXyd3nofcVVr8kI9VxIqPbRTLvlzevRC
   CMdeZPGMgvEPLXCWAkFTuqpTYwWBx+aHDGj8EPWoVKp/4DRwjwYMEyiErQjz+a6c
   0Kg5lovwNc0x3w5qx+7aU5hA8JF8YGj0+Oj4HdNeFs0n5uAqSXI4IkaiMcik3F5I
   pJRwI5VHLfm/UoeazisJ3IDq3TKAYpeh7lSJ6xotJkZnqlMBFzMA1vu/WMN8Ymye
   1GUEFPLgoRiukUOrfqDC1pfgYKXtvRsJRIFMPiaT/6kGDMA6OOVRjNOBO44OxuJJ
   N2o71Q7+J6/Rig2Gck7bEVmmaZdj/lgrD7H2Hs/aUhFS5vQzdCnTiXBdcfUIyHM3
   AsrOlzmwPgBup6FH4GW6oL64cFGmuSsCzkCwdXJKNt9AMq5h3efJVWhnRnldAYKo
   bgkLdL4u2ls9R802FQHqC9WahhGh7EF/fnVGE+yJkFI13jJUC7ZSU4W+QTLYR41e
   ucYxmO+DmK9UDLOXyExJaSqohfaCba4nz+Dw2BFRSgV3JG3RcbsLsfcerXwQdyxl
   R/u5ZRt3SThNNz/UIgkTZXTYMWZezQbHv6REvER0rwlDtMXpg0/rcPcH6iGSKEi4
   Wn365bCmBTYHd6mCOh8p2YycZoQBgqGAxfSxz5q9OXJGIikrou7UfnSKTHqhubXz
   PVmNwGbxuR5FrEYkR6sHQwpF4Hr9pbiqq4OZFXr0NvdC0fB7LL63x9XWV+TFXnPE
   j9ycJeqxVQgB6fQ83nNfwb7WKCe4waoEARcZ2CNY14V3pePfZttMYwQDtHR7Ssko
   VpjhgDqoQpMP3sdNFR7u7DqmwLkkhwArU1J0LynI72G2IutRxnOx4hWxiNizYntB
   d9bjlUpcOt7UYf6mDnadqFg6gQa69YiYuRR5JChc1P6LUSVTyNNMkCznkoPVOWGm
   VQvaEPkWWZI2/YSmZqtBsuE2G2ggK6q0nRXCO1GxjeNuoJkgaedceHrGFtnyfQBQ
   gHG1j7L1HV840nwdJNS3nMhxceof7nQVsOyllcdHv7Flui5ZSxPzAJb6turW8ssy
   xU8838uMVgqwnwVzj1Hz9mGguIeGX4rATS1tlvVR93GAebDWcEBiGg2hdJLfrvUF
   Gru8B/HMtDc+HFwyDICgwVMrjixqb4QlOMZV8X8B2NdFG66U4KMG2KCmUeVU8ExX
   sCMrf0/JEVC8uXZWUNXby7H1u4rMH257aYkhhXwh/obKUx9DDqkWxW8QFjNeCQYq
   +ACwiXXJlWOPg8CSXw5HQHdTLJHDtUXQ6qGuJMJCB5VCDcnO4SRv93e7wxnqYqpM
   vQeKYt1gEx2SBn79jgkoZUCJ+GKqqdA2X0lWs+n/yl39OSyckWHgEvHv+MzLjx5T
   pAG7lMwClyA5Tg1xiuYhliensL03XmszIm9qLTRD7tQ05RwC+fzpmBa6sU4eyQUe
   ZnLupGijRq4IbhFWng18sDrS2dyVnib3tS3E8dnn9jTBDXxDnQrfgq1GNcK+W7R0



Gillmor, et al.         Expires 28 November 2021               [Page 78]


Internet-Draft          Header Protection S/MIME                May 2021


   n4c3EfHXenwQ1mkxdp5gefawftI8pa7VU9oVPdNHG2DbGtNfyrdcvKBjNV8k5Eq7
   f2ScfXVavYXbDN0kFohBQZJCQNMEdrJRq6G1OoBmCu1joXpo48LWj/Wf4EM339nm
   A0umfbUWwMMUHOtHDCdFwMUQ/pviN4J0u67f32f8WnK7FJGLqcKQSBmT710lp0wg
   B1A2gBGUp3/OtsLsc5RZMSUyXYuqZ+qXjKkhEj8ApsB4sO8mEkho0KJRDqW0uu5o
   yij7OfBY9kxe056y0xWee2Fw4O0SRscjAcuGkkiCZi8Beb9JriE5ddE9Hw9W5/Ai
   Xyxn3C7Mv4ozpFzvKgw/bukNYIKdDZ2nWeqpnRoSyAbuHJ0FFdayEvx/XSSPdq/t
   g3V1bNrMbZMYr/QJkQqCvncusXK5OpFeOF/2jj+EnJrbubrOmTR+GzKAN88Qq67n
   nMRrQVCOZ+3Wiq1ykBY7nrVLfHW/AF8BDW+xqr6uNIO5u084yZRpStkE611JMZVY
   MvTtm+Yb5trb/qUuzJbpgSRT40mlHynstp+vEEcM6ujVFSUEITFCQuaPKmZl/qHd
   M+AqbdMRu6MLGBR1TX5rTVd6kIj2qDTmPbnV/6PK59T8Nv6Aekokdc5CtYgc4oKh
   ftDRa60EjpLGiJgCQzT7khzTrHZMN9YxdtrTDBr4fHitqlr5RjU+Aymx+NL0CXmX
   V+LiVvvQxHGpGiZEaV7onQ==

A.3.3.  S/MIME encrypted and signed over a simple message, Injected
        Headers with hcp_minimal (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7865 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4810 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 923 bytes
      ├─╴text/plain 51 bytes
      └─╴text/plain 370 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:10:02 -0500

   MIIWrAYJKoZIhvcNAQcDoIIWnTCCFpkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAEa22w/F1c0bIG8WvzjmjX22NFNUPhwFe1V/



Gillmor, et al.         Expires 28 November 2021               [Page 79]


Internet-Draft          Header Protection S/MIME                May 2021


   qCroT/wns59jF5f1JcoqaBlFwKcb681of5DTO8vnSkWPKWrnokNw+n7WDxPDCt97
   mpdL2yESFnqJNtOPRi8A+wIqaWL3tbMTcVmkNv2Z+x2gkdjvtXpkv1uGrnVdJ3+I
   6GqCibr/IXM0bqpOLOpDAu3oGz7E7phULsVNqf5pKBgFBO2rz5LoifSfzVXb6NzA
   3G2W2+ohE5tR1tEWif7EAVI/szW1nIHh3bjwvMIcL+LPVR4ktMZQMI7108AUb+95
   HJAZQcl6eiyePfhy+Sep7ADdPufBa1sZE28NA6LF8OCrkRx1xVswggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAcikf/KvXtwpXJ3UkcmT89anq
   Gwo/y0iMoldTtl2ZC1RIivydxs2bZY9f4+aGk8eHlvqo/WKedsln6X6h/VuysHg8
   LysyubrBhH7iTE636Jh67I+juBDcX8B7H/qc/lYsBp1ryJ5UGSMp0lctF5OSQsy7
   2MJZkYHuA5EbDAHsUVmbTfK5ms3rkomKkDPeg55OV+aYXZb5KROw/mNzeK2tgvYk
   ec5AGboecFaiedYYXootzo4XkbplhYLf0Pw2GnUhBvNLdzYEbKdB390EQjZI7liG
   5sAbkYcjfQBfCwSrPHlGV+AwgldpHtIRrgYlxywI72HekKN/BIj/2AyxOcKmKTCC
   E34GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEB/2upKq23GgsDZUcUo9+5GAghNQ
   iuAya0TZqTCj2e/BIPKVzRT2h+7eY7OHIsBha+U8Xns2rMqCPtYEwYfyJAmX0nFK
   tkaXj5MDdhXtSBATyz+QMVzEC/m/0+D5U7ssdE9dK1ZfxwW8DpYlzQvNfujGPuXZ
   XP4m2Fwfy4If9itpq3cZubfD9n43HLDcIxiceNYf6Gp0ITvKGPW0z+AThblA0gdS
   aGlRpRokqqYhwNqPS17KqCzSuZz3DfdaOis5d4SDq5l/BC7vSNLb3k10ERgZ5+dJ
   +EaNyDlOuFqL+qm5xnkJzgw5iNJ7Gp9XwjTLbXNwmx7U/1n1X7PufBQPiKsVhTLa
   W98kvrWzckKeHOveCjvjIsHvgtoKBO5l/PL1WINKcDTDH9iFO52FiGLdLtVimTLl
   LqY7ysLEV1N7k7FpVR6RYYdKk6G9xEG3r9bIMlwGQAn4wLk70qFC2BmNGekpzG9/
   muiOdB2XIaweUvNrYGB+jy4oqVYl7Re7+TY+De63ZCBx4odw8tDKgExKWoVHHYWP
   eBxk1vZd/EZjwAkbHI4NMPajKJ+rdT1axfyvRxVfzINsJixkvp1A314fBbNtkub8
   k9kR+oq6R0SxlMOgp9PzKNqkWMkmJyvOORb70BcagZh/Vii+ySQEtRIdoNUZUT+2
   d+TYlunEGiNp3Ny+JvL7n5nSHE0WskzzQrGWV0mZX1pi5lXeaZPXorBt0JPk6H8A
   bzm8480Ioo4QOAohfJsuztHmWlIcBX9KX/fBDzBYux0SGbbsTD3TWK/+ITUZASkG
   gxxt6XJ98uJ/Fji86TMkiE5EZpAcsFQucELhe/IrdTT2sOc3C61c5i7VsGkiCpRS
   URpHL0HcyOmvdLQIKPlpTxEku2W8mBoiRWXWs9tFOcmKatS97ZCj8SbHA8ptq1VL
   0P5Wjuno8PghvVeAafPpq7CI06+EaWu0NETzfywAYhPIs6zfcnct8Zk7nVEHiDZX
   cEBrILiR3pZdigh48YySLofFjYpj1vqb8GuRsVTIhQeyP2K42y4kUHkD7Nteg1Wk
   FpA7Z3bSYwAJp/FGu8+Cc7ItaiMwNstOf+ajrbNkI2+tPJoVuXJmR5wLaXyMFC6F
   PjFkUsJKpB6ZcEFYkJ16WxWYtysYn2FIcQOJXLCQeAn7lPw+awous3Gmfo0wjGo3
   lXjZFKJxTSKsEpMyFPfCHSv6BCwMDfg1/29IjzvhmhGAijs8RHHWm0YexfTf724I
   eBYvn0IpPxfpvlTf+/9gVU6Gp2hJ6u3zkbH/2d/30m2/F9DhDcT5IxIx/9B2r6o7
   Qi0ln9Tx/vCawSIBYE07PCijretGbjthGQzOzXlEG24ARa35tCO4pgPfkD35VSd0
   xHV2bewdZDFKTCpTatl0KhSgBwLeAixU7jBVrZR8VnJByjxWBgFLEDE8KzEddKn4
   Nomaa1oifV+yVBwzzG2C1vZjH4O9paMGCfX3z8TWU90+tOhMmkpwyQriTLjKfIwN
   cIEl2yii4eqWWrrU6gg9POEP04OhmgCsEn48SPlMxnQ6n6g2r0V+wCcow2rPqvjC
   Jsz6VOnLZ1gloZwrJo3Vm9UBmNqiB/PHH/dDjTTRYf+FJFZ2A02Gdc57PQ6MWGYG
   plbzAKYunqcYkVe20/qEV7E6nDaWBK9CkeT1tDB4PVq7MdrzmpgV+Ww7BZ5GVvnH
   KTH+gxoGRd3osBXGiDXSJh1gLjCJeRKyK0L9h281No1WtoF0kEucHubBg8tei6BX
   P4gYgchmcZ/vE3K4adRSm2bnudFRE9jM5tU2ttwxmsp2t+trVIc16MTq193JHYZT
   SzIaxa7oshTxNVJamKzyeabTgeDnB0VQhPrFPxwCxssCs5NQpyWBP7ho+iaqMf58
   tKgV2OegfK/6N33l45npAb2hmA9e4pGuPtbw41/Vvl9q5wdA5M1R2tdMN9PYHLZ9
   HinWeDjg9ibHoQejI2Ji3pbtfqhhBVlVDLGOtJ+4Lc6PoFuZcrR2RWGQxtHOOSdb
   R7zenb+kXANT9Ax0IRPr7MlJAt8etw1yswd/YUws4ifmrfGZSOp+tm9inXWCLzR3
   4bxdlmsUL3AKRqsWQd8xi463Ye69G0W7auEaCl/GR0RnOk5L/FcxcGXAyPdcvn3q
   +mYNGErvcyJIDHAiPbrTvLSrrO61Uy+qU5rv8r6D7JtxUubJujNrs29WmVN44hUL



Gillmor, et al.         Expires 28 November 2021               [Page 80]


Internet-Draft          Header Protection S/MIME                May 2021


   SNcf1d/nLuJH6xXFOK+JheMjbb1wQe8fGh79sLoSqp+HNlHnBH+AQ68o4YgomUzq
   0bDNjU3aYg8hQZV2vwpM+hWAUPqU3NMJGpR3k+Nji32R+0RhvdLWeqN1kfnQoT1R
   4aJub4sThKfLuYV44UGr5lbfaZHyNDgjjTCD80AM41L5m/EZSQs91fjzumpIYwBl
   QypmLkoUGiLOyBVP0wdpwmjA3IzbiWMbOmDKHXHsUyMCbxLGs0SYGS2rriwtcqCq
   5sJJbn1l0PizytS8i/BrJII9Nsab1GtX2J35+njd32FsdtL53FN6cPIL0KcTjElG
   4WOg//34Jl+MGbgVPjTurXXGOVZvsdZN4EHy+4rnfd4fMKRYT4HQ27gYMBXHIDHn
   rm8HIuDZ+jYC8AKin3dxJcJhHlitKYTgCeEbzy/svlbhkA96MQaBjiSpVYrELIQ7
   a7hZ5ud9S2Av0hwgcOiMRonpYCGtCdkCCyHa704w5hVxZiHelf5jThQtfTK86oJf
   3HiCAcd3iUpLlNtxBTZ6fbF1yTymjcjO1iGL1wJGFanWRg2ZV3AI5mY3hMq7AtxH
   Y/Bj90EF0sz1Gs4SSLlfYt9lblYjs7c7uSSv06GWIE9UbD8z7HW5FU5tK+HBjBdw
   LPM8brWaTrwL3XzRy/w9ZXdZEPh70HUIMeTC+Oi71hgemjjQYZUDhvXoYVwaIU3v
   CyZ5FajozqxAHng3E8i3dLOYjNygTlqQYsw9joGA1BA2EpQYgEUjSqhd47gXXtdo
   qHRVrHIl9Iz6LAzkdSZrMwb1IJ6kBCI+aP9p9zygcLC9qTWUI6bye0/ICzGIPOgP
   yQPZFiR0aOo6akIeDznSedHDhR0YN3RE/QMTVDk3v7vBtgyM/z9zDID7bScE/SJj
   KjV5V6BDgnnavicg9wsxeqV9V/3cql39JugZR/ABxhy3E1fqLIc/G1ZYruGH1Oej
   csJrtIOhX2Gq27Cq74oezEg5D6wEf4YNs/GNwBPo8ptu/hOIHEHwyKzX1GAQWgnm
   Ip1+AtGXuZlOsWo+ZsrYjfgoL3ziKIszdBpUJTcH51Qlj7GoSjzyppyIRZZxqXBt
   dl0cVI56eZD+nJuT2oFJN3Rgdv7VHOAOtG8kl5iwwsvT4uO7hA2pcAAV55OutMPm
   vf78urtFFzenepJ2dgShgZB8K+FkWDNJ4dyYpajAhnnqkgvZbzDVd+Jc36UtZhnW
   k90OpLrjc9nFTQkyr0ygZPnas8aKs53lM2TSQnRMHBkvoyswglOyBP0eJpptBiqa
   mJDH5qK2ivjt+J77g+QkzolY0K6MwSELc0QwSGiK8z6XEktHYxd+O2Xda5j+mvAc
   Rlcmgsk6HD56X2Ev5m39bMmAzCwXxH58xa4pB+0SAPf2IMD4iyXkOH9TMwA/yu0X
   8usDaDjHPW0S7mjrrA5hvv/NPJHTmahlOPG9ddaEAXqr3JSCyr4/BfdLX1dDq0U+
   m+unOyia9PPOSk+jNGUgp6Z4kT0cdh0d/Z4PiQmPiH9U9H2UTALqBw4NhZfCKlgo
   2UMAhxv1bB/2ovqz1cczDOgCiNO3i49J7y3kTl7b6igRJo+/J6jJPPQXYs/K2h1x
   MZamB266yvpzEQ5XmQVZ/WD0e8UP8PyWmALyhGObnucvDMBH76ENnpoiKG32qdGy
   aiFbGDagENFNLURcZvcT/ov712ubwbfNK1U346ly4npNqJSCAWiw7X9wFJjnL175
   aN0xf6Lif+eYOY+3v/p+TKT7X4dWLqrT0+G8uS8CWg9m5PRHCh6AWH6Rko6cJcpj
   0Fiv9sxu+FSXCa+4N1p8MGEzy368JojdVB5RSE6+i4DFy9juKnH8xlTaJKTw6JDj
   wi54YOxYpqJT4KLYy6ubzr0ka7TPU1LNdyvxoSDKGS549d56E/jP9jBNBKB5MMLI
   nE57fAvuIoEZsSy/ndjmyC/BWfDDMXFZ0Y/w1n8OSph5sudLk4RCCsq+PeFMis7P
   jZwliinGCoE67migyD2BygrIrj4p1GCfROgcgxqez5IXlxvl5xQtlQ/Cohq/HrZW
   bg/HoXzJbbiZfy0dxv9rg/5t5WrzCtIq7TEvgyk9jPUd48vPBU38YXBPF0jxIAxd
   WUlNZMELTHqGyrvaZFSRnh9Z9bCw6V3i2kRkSEfICZPygt+6ocmIDXmA0uv22I3I
   uZJc7ykY7HlgfzrvgENSKN3bdLKfLH740tiBGfvxD/jyk0iBtY2j4lLmnaKeyZwP
   CcZPmoh6iKc8zruDs7LA7v/zOuzD8Y3snjkmuh+kLGtdpP09IkYYdmdoYpPVkcb3
   4Ndz5BjJ5FpRuRe69hBlZV73KZGaR6cHOPzfoKfHJo7dF8QNoK/RSP+DWaAV9bLu
   6ZRKzgVVAR2QMD+3L3zOa1o8SIiSFKlUwR9B0oILEj5ue5bUes9zgIRmPn3ORBt5
   SxegQO9L65uvcg6vnInvUe7BxIBqqxSZFyjCHFgU8qOrVB8+wB9thdTNXSfh9Qak
   ZVtF3Aw14GdvQJaVCNu7jSDuUP6FykZjqLPSYQQqGJcBzAvaZOp6k5Evjnf/Mnk/
   gPwfCeJdAXyJcxSbFYelbx7V7Xk/09OkHWN+L5pqCQ9BAMk3FXWiv0K7wme0iYS3
   krs55liUz2ZSTlWVDdVxukBGoImY8A5i4+8SaOvVuITfvYhThfYS8ZiIKqgySeKe
   VHQl9cfF5gzko8GFJPJB5zVwX1uUnjGerB8Y93OAaWE9/UE43C8QG5kSb7mLSWwT
   OP0/NbLQWwax7L8jPzn4480ntX4AeOK834Dfx4a7blA9/fKtighNZQlAZ3ec0RpP
   i0MiwFsZfqCYjDGHYhXGot9Ak2BwiN7Qpk4VHhICtr1nH6kJOhUbJaFSTHdRW29t
   10E87vda3aDYjtl2Jabl8HqQSZCsJGUskc+4mVq42BQGzuFHxMiHI4DLvFyMpXnx
   l48QAUnwDW5jtQblPSA8uBG+uKTIHOK/JKmHtPGIFeGMi1h8kEIbGEkfE/Pose2v
   u31RQmBs4BspSiMROnGMiLH/aDWgSsBgT+dvsWrtXaVHISgMVERqfYgy4WmyIJyV



Gillmor, et al.         Expires 28 November 2021               [Page 81]


Internet-Draft          Header Protection S/MIME                May 2021


   UQ04MxOoGjVr5cO8JH6IdT0TvHpagP/lVlb6Acc9BXSHa2eLAL/VEtm74A2tt8Aq
   AYZ2jHlTtREgeU2PLfffLAZk6PDZwkNi6ltHb7XQNBnyupbfLiWpMFZCemVd0SG9
   MxP6COt4ZQ4d/Khd3ZlVpDClsHX5oLy438m/4pjHEEVUrq8IwR2iE2N4oVqP8BuB
   yj6jswjjEu1uxahEYUqagASBAZU/uoue4B/hPrMgx3vVLs18UYPSIvJ2cawRFtEo
   PgFoTvS5uMDlOTcCvcW6pRksNQbOvkwgFa2DnpxAOKWY4o+6zhWcAzzE4o58m+hm
   54sURdkwq9hoDKwv61Yw/OlI1DMSfoZyccoQ1r54PE0+rDcru4IPrPVsK65TMBHM
   utS8DatppiLRuuryLd6YtRNihlELM6V64vPlbZi/i7allO04RQvHjy/vgZTHrCKF
   lHZLaOAmoyGTPVAugiOVsLGc6SE/7P71Qxfmfw4nEAEkD5bDTLNXKrgSXN+26An9
   pjAg/Kv7VzqkNvPeu41Y8dLEOA4LzUx00W4TtoJaGyOFY9jrOISPkYi7v9c7Onih
   Qay38UcMyaHNrJ3ln45GrH4d6SyY3MFF9pCzYzhrYgMrrJoF12VGRL0CVfWEL7Co
   lWmMQ5sg5vYAVEZmdZA/BjApb5/yByVwYdVEcO4YlyZ4IKXutyPDsOtHn2f1YM6M
   eC0mZq3Wlwac4h8oGh+bb5uyDtRxux20x/mFBO3clrt2Xlxg3Kz+30dz0rwBcJNg
   gb0McWbNuvqkrqbtcjrSsgiYSyc3+8jXBZTF+Gzb0lcQocDCH6c5EVhgkvJ0ZK1q
   xotnpJ5KkmutQcEaxWyzl5CZZJvUatasOH+Hq4742stnIjtgec5S7Zz6YyzWL/uA
   PbskoDQW1FBEgzMBwREQ4M+UjPKSsO8CAIVSreGTeSYYS9JAmfe5iGSTx7HkFRft
   cP5KgEr1sm47epBnV7C9qAf6XVUWPpQMR0mbkn+1b+BYNE84NG3CCEDRl3JTs5fA
   7yLCnNJ13+jmqjtyCtcbYfGVFiZ3xnPMTB2fbO16oTShsTx6jDr7bC+a959XBxWn
   WSwc47R27JurX3+t7BkP0IYiED6yydVbQ0Q41E0p3o2Kec9VXh0fjIEuC6Ttctgk
   JyAEwUylj/APoa//GN4qqHQFXIMALaxfwj/1IvyqXWEE5E6WCIhUdV3GFkMhztul
   d/X6IOqUgQyas/1WakdhSpRiHZC6MXI5WUA1Fj7DqwlckxWDar3Poy9VsvtmP47w
   zh5cgHDbi1Kz65mGK0AjVH1D9UYbOgkW6nAU8yO5Bm0AhS8bDceC6GaQzhhS6a5m

A.3.4.  S/MIME encrypted and signed over a simple message, Wrapped
        Message with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7345 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4432 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 675 bytes
      └─╴text/plain 319 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <73a42f8e-8f5a-5c62-b982-82ace766fd32@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>



Gillmor, et al.         Expires 28 November 2021               [Page 82]


Internet-Draft          Header Protection S/MIME                May 2021


   Date: Sat, 20 Feb 2021 10:11:02 -0500

   MIIVLAYJKoZIhvcNAQcDoIIVHTCCFRkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAHMG7sjRDCJDMqgvQrFh4sk9MkaJJY7q6B3r
   hY87n3jM6UYk/ZaBi9uzcB1pDAF0hJkFLmo+PRUbFLUrmeYfQI6OuvVElpwIDWMp
   cMtfzlXgKAO6fh/On6aoVhpfv9EmaG1rCU5ezDPPbaXW8caNi2/yvL0ustpqKOTj
   cOLgMK45tPcHeIaSD+8A4P0uf/GLzEFhDPdJrt3mVq76UbAoIGasA/sDhhg0xygq
   ZH3IPQoYShFEUmsK+RC9Sc9dmXtVYPByCEsPdhTieJyjW695dde8xl7ZeWS+JZai
   QK8pXZUdRL8El82+001HTXZYybfF05sFmJHQZ3LlftF2Dqs800cwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEALvjSc3y8/+aA+Mk2+8tupO51
   fsr8cR8BV0+aR/CYDXaeAFg6CPk12PnLcpFRZDdqitxfe7SpMgk0oT3IsBxvuOsr
   0QckRlRLOwlv43Y9jJFMc7VInrB7bJ/cPHHgB07tPtB69/Qf252gsUs3UbWko8JU
   JXBkymfUAe5+x8/gGQYNJdvNC+v9cmnwTORFF/IJ/WcGsyHPhxguR+JZqIJkSI8T
   xjawV40qcahz5G/O3vLI8kxW96lSSmVE9WIuPafsMbP1KZN/6i1gaUOPFcsH1jln
   fdnk3fToayCGwOAQvh/UYvlGTA06Rtnmz44YLZiGbVLFLGlvcXFfwL1JLdl25DCC
   Ef4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEJo6kOdMHnCo9aCxhG8k8qSAghHQ
   oifxeGRuuDaxdcCkEyNhsAq0P92jEteuI38u48FqaDfBniUs9wmW/EiEaTmXWvdB
   f7df3XeOK8yGqyR4pcXSYSK8iGfLezceiIwABbXRS8eLcNT9NPc5MPopD/h4q1Vq
   +L1iuvm8P0OIh561cmKglrAmTebH1bnyjYLw6GH82/dscgRu4mihqvJTYQC3uaLY
   H0dJnqyYV124/K0QyAPKCm3gR9gniHVlejlQKIVwOT649mTdZ6FVeMk9eaLQtKf3
   mkx0trUzXduJnBj4cASKSovC8yySEuGwWu4kROF1g650ledfeU4SC9lwPwzvHPD/
   lk4R/gUA0UAolIj7GaNDZ4CqpZqDYOG2wJvCQjfK7MU9TgoPsSRXhlmZPCam4ecK
   gdybUd0A4UTQ9OlZiCrS0pDyKQyatn0u04SfKU/b97P9VwNageENErZTERoUx1T8
   Vq9yBTKZIWoQe/2wsVvVJaR2+SXunrla9HDwpHqDtZHhR6i9TtnpO8KMOCWLZbb+
   lVrxswrexUtGPCJRl62TBchhyO1dIyz8eWMiUvHhLUkFnSUGh81MdQKItc0qJ9g3
   iu3tSd05AEHxNf+2hKrrTZzWCClatSvyfRbW6/OmlIzh9+JUyJLcCywJbxQUuWRA
   5pc3bHrd6/Ff1dqgw1dbH9x0Q/r0lbKrWK98B+7/KIAfvy/XTW3NAJNdlzpzyhl4
   Ko4ujuBiRJz0xRKIPSMOH4w76YejowDi4O5Ea/F44hlTop5N/lYNVkPIVnGYrEHD
   7s05/cjQTX+A98PpoFVKHxphV+jRiwDz7uUYlW6ClyrC7/H7VkzdtPk07EyY+zXs
   uThq5Js+uwgsbNqnA613vTEF0p8f8k5fLi+HSgL/TYz/UtW7JknTl6k7TvLXuQWT
   UWmrWrD/UKADkkehGkZHpMZe+RaImwRd/x10M9+ZBovlbflDigfhRVimwTppKE2k
   /S+GSXDs5r5ESN7OgIZv8swYTk6Nl8yoFijBD+wvWU4u6JNLl5RlJZZbki00Hhse
   4Of2qogvmNfTpHbAU5DL4UWdehoK1fmPu4KaSpL2sRnTpqzyZEdAwG1JIOB0YAqE
   ztszmcxi1s9KWQ/XdNJBG2QHvSMf4QTCuY2e+335Y9/ZC5WBphpAazRp9xfXc3de
   Pl93N6ydfn09wT5k7TMeLOJrqPa84H06oRAyXqFYwiOVWRvyfrsInUv6AJfhRJBN
   dA3ebIVCwrfG1w8OHerzDBo5yPc1ASLrmuPjaQ42CDrHqzfnMw9tHq5ZajoCGF60
   4mzqu9/99upVaaToFRsA40lUpRN2QoOYUBOl3Ck34mWGWg8vf6akYADylm0SrpRO
   yM+/8WeERonQcc3YqrmVjzM/yh4RLpl89oWWhHIHAAp1YyuwCj+kjiOq2HNhvyuq
   9acwfjQ7mKBfK1i7PAydvWb9dt95VnY5LF+MvevJOdf1lEt6rISePs+AhoQCA1u1
   B92MpDynfPUFoeRMx3do/zhVmY64qN7rlV0XxuuZXUW3WoopjdUzTmHycYBn7sM4
   3U0d02yJgy+IqiTOusRaQGC3/IJiZmXoTL94wBsOB1++cP59GPyvm6qgM7iO9fUW
   VO4ik8lTEs1WegTez1Lr96dwkPv6mfFJQIDlxVoZ4LVRf3FbQa9cZS7wxSe6hgpI
   0Y6YB/s21v13GpCX8RtHEkEkW4Zc/9CrpUv+1/R3QXRvYOnQaWXc96w0/lVkoxCd
   SRrlglhl6yY0QYvOmTbusUdC0QtrcQBRVcVeqqbfLhip9Nxe8vabPkoGQro+l5sO



Gillmor, et al.         Expires 28 November 2021               [Page 83]


Internet-Draft          Header Protection S/MIME                May 2021


   xkO8YwlPt6oa0hh5NjqZaBpMhD0xAqHT0826xj7R5wp49KKtR90K4wuUy0OAWpFY
   NdihvipP1jGuCio13PPc+Vah0+ACMMDvEWjYk2qEy2TRbWooNB9szzUoQ7P0kKJx
   LfMSO7ecJ6sSsjcprsKzgOsjQXtIcAgRMnxFFaCfeg2zjW1I5HC+jbiNtqda0aQQ
   L0RZ1a3KWIIPNBq18u+cXXjfaBy4HQhlXmQEnStkLrx1JuAI1wxhXWYdsrjJ2xEW
   hQBjBwcnTAc5i/vU8H+oI1Pnc32DF8qfa51w1uLdoYl37PUMlerpXq+mPvL9cX/l
   w2zd7Nc+UUezqOYPrBbwnrWOvG1msrjBPqKnJGHZJhlZOfLdmLa6inlsQBpX6kXb
   K+8mpshqf472HOfje8/hrdLnOe9Qxdf8eNyi0DHs2MzxkYRktNJFIEK6JHo62NSG
   /aM1VJbKudK1V7FFd/hrOAVg+uLbrsaFBdI6EE868qQpDThpd3WnyX8HztTkm7Up
   zpPujeRarCgEk4RPLl3erYa7d+8lpD0hzZOlQkEALbSlCV0uTW3RSd60fNp4gvXu
   GCzrJ/gsevjRJNggz3QojIXW9RFaU1Wwy80yIWdTguCswGBjMdUBRghKQlM6LlHU
   qqXGdRL742XbYU76RVNlTnjUvAFvumey5cylAck7Lm68hV8rhTBsWMAJCP6VYhY9
   i2AiW440gsNOWu/uCLBNpxPlfA5UFYNx3fo5XriyTPumhhkwsaF1N/jnWeXm8eUz
   /ylnM5K6sD0gOX0ThLWVg90IC+qbMPNu5dOpCznI9DIup6dIhx8L2j+JoeqdsCBY
   6Xt6KE8silLZAkYFFe5A57qlTq/z1s/p/6TlhmRP/2IC+2sSX9EBqXGDD98gy66h
   rBapI4n5N6RNt1N5fnWJPVSnvFYIDQ145EmqPd/gUmMBF/AalgyLEdxc3xKOT+Gd
   G0BcwQJdvmUp8rPGWgP5oy/qNIAdB3dnlfAdeOeeeiiGhaSpcwVhEaWOfYS+IXUM
   kGWNDccjDIZHvGyLNYSihyAP6vOxZWzj2EWWUEAhtGodCQ74qm6JxRMGyVuBvyFD
   MtZxMQE/AU/bPQmNBNCkN69NXyYW9Uk7p//Ef0EvZG4WYgQvaZ1u4E/P8xOL6au0
   pDcB5UWRoqkyU7jguMb7f167iCgkRTTFSLULD+ljv/4zflFv4F6cQhv+NaEAF48l
   fCUFjEMtGLCp99xxnu3M6CdiabZNCyuGEVkhzL/fq1JpVlgKRFeDFU/wfTe8D4QT
   9tranwYyAVj3gd2f0ijrlQ5/9Ch0s83/X2CpSk8fHFOz3oBS7Gfyz45BugIhDqml
   NkX8J2vKlCBOx2Xo/3waf/Wf3ajOEFXKR9fC+TSO6DrSS6XGBSQXn95SsWrzuA9I
   RuemiW8+wYbygIW4auucs+V60BRwG0wxAzn+0lX7zac+WHjerZui+E/7ehmFc8NP
   ZW/FVFtCYi6oc26dysKTzhpOUmh0WX4TvFHEx4KCL9QXTC/Ya1jrZTBFF+OtsJOi
   oRDK2/yjrGU67Q1zK5escKJg0YdorZjMkfb0nNdjNOeJ1fLNL5eB8em/LEpaF+vK
   aCWLa8tVvuq8ggUZ6PHQNkqeIssJoSXrmCfSP0DEtjk2ZDGsHaHOJ8KUBLR+wiSs
   g+NRIG3Uvch6kARJqN3AgW1BySV42A+C6x+BPUEbcwDv3qz0DLmfNob4WArd+jyk
   42Gnk9VL/bbddnhCyzYyHCr1D0XMIzewqzfR9ppDbgCLMxb7Q7a+8Umlkddd/aC5
   wFUAVB88JT1gj+NqxHZs4BIStd91ElFslmx9yXD/dEUPGfqyl5tbTrbGQpfv393U
   Q6L6cwZS11Rg+b7E777ZSuOWxJL92ATouJmzCYLjafI0jBN9BpGIymvi2QvUYgB9
   9Bia2X/SRc1fc00VRK77c1GtW6Nj9L37eiXMKseQEWY3i94vY2Z61ytosB2BCcSO
   R0QRJSWzXCXTJ6btCnFhZUuGhrnG6ibGKYmrTJTzNcrN4yJ/eByDqOc0YBUR10S2
   uGMqxwB0adJ9ci+r76ZLzdo7OvTIb+WGbOP3IIYeSjIsymkc+ShbO4mAEcodrYX0
   n3wYsjrhRYf4WIDxQhWJRUdBpty2LGl4OGUOTPOQPDaKwnGIiBUiT554NJMvv6WW
   KLEBxtJlJQ8LhN/jo9ZwxwI/FZ68pd0h4r5Mh1atVxJHbLmnWmdd0L2b8w9UyBwM
   ts/zY9bdjfndBgU3zmDsjkZgZdgGtzL9KbUwHDInvCKtODM+X7QQKHu482dRb/vo
   uIkQDy6meuxdj8e/xzdSua2aSQhYaRXuZlE7uq4EyN3OcJB/rE3OR1sgKh5k+7hm
   kSibtsFYYMWvBzh/Mata98kYHs6Bf+Rgx/FdA8989koFmkAb/B41NFKuTuS0DmK1
   2SDKgHb6rmn+cftv1MOzfgJdnGObqa3NCEYnICWitPw6NAbqllvRWdKj2A91oMO9
   YU1P/ZNox2vKWdH6rkpGfKJYVwdtVEwu1Nhaobu6p2c71RyCzJSYuAMshOyLXxgE
   1mCup6EU6+IqLryA4WkD2IdpYbVP/tOdFLKY1fBcGJtSVdgJCXiC/krDLDKhrEkm
   RCiIcf6ghGlEn0Jpk0xU3OWMh+kD01MO2IJuwk4TlT0kBRqZAtYWQQYQv0xecZ/K
   DvOXZNUQQSzXFSpnGo7wOLoUh9gB5GOIbDqtAShYsCXbU3fuXl8/6Lojv+f0YBBN
   capJh5oWBmJAmowJU3pL1JyABd5+R//cj1hQFApBKrs+cbP6ZO2cDabDWavBPPQ/
   QQCPjbMENRsGrU5bdWRoG13qP8+FVk+aNHF0xtn+mc18scGhwfem6/hFgKyBCAZh
   H7RmYuWoRZP73XPLYAM3sfwb1hLZSFNhbKHs0O/Fg2b5MkFy3DwttMbqH+2vDLBv
   6CJ8s0VTULjSk9b+ddvk6rgUy+Nce4l3s8Gq1ZfUUdV/AfYeovwoUhCIkKYj2DFS
   jBB6Zvoo8Z7zQpqNOHIiz+02zoYKtLconQWBGhVhn/A5ytYh05JZ72725AjitaE/



Gillmor, et al.         Expires 28 November 2021               [Page 84]


Internet-Draft          Header Protection S/MIME                May 2021


   9iRvigf0u4hQrowNuR+5t6bjA+5nfpKimd/3G6JdvY+QcN3BizQ39ZyUrUr3pmY5
   KkyHTZolsazk9ZKQY8LU1/nM2IraTuFzLhP6Mttj8DR+zXDjoPX5xxsr9VVWlcTG
   Y1NPHo1SYvqScQ7K3LVVsiqAzbr7SHOABDF8ZtfwVqIDDmk7cubaTlUEdGA/tXTu
   iQMYNv8iJ4MmE0tte0sRrPKKbnEPlf+UiSI2LDEYPuvXooGoroNFHzqPUX+6BswB
   8GSEpsQDPzSJlYTugYrX+2PlM75c89dhfuidAHdubHMqurOUaWtTKTl57rd9en4e
   HF0ZHQpXBgGQyQ7fT51WsXBZjxhWjHM4uDmc3WiST9DQX+blihwoOGx3moRbbAR4
   UsUJ8lopNmbY+Pf5XGvp92PtxzIBJyJ1Wfp0nCX3g4LhuwHpi5JOGu2nfKD2LZR9
   l9OehrIncV0oF5rcJWwKnRZbTBJgozaxKwkUUfp/qEAteGYxEeAJC0wy4ZD3N2cS
   r3I2871gQAni/LsF8CEAPaXE6swdSsfc0GWTi5W+jnDh2oeAWeUOqb10+vwLikC+
   Xm4VabpnHPZPiozLRL6TaVEqvmBpvUXgZffUIXpXHsWbVpJuPsIzMlmgeKEdwUvD
   Efcmnds0p3V5B4ZaXLfR6aHdtrDT+B8eNb1bB2wOP/IA7Up4NzVf9BtEzq2JKj18
   mtSbNmSuhSGqYP3fKWV4inAgRQiDDw3bnazMh/mI17qMLa25lzP9IJ5RNDRRWCjf
   +mljnLpyYHb5RyZ4nqD4+w59YM9Q/v72C2cyL6WygYE4JVXIWdnrHPSTkjBBjoxD
   P1WbthMP6DJcM5v9t8Rv8Mc8bPiUrKzMDCbXNcPJm1HDCnYrWXFYqOvUpKvWn6zt
   Q39rPppCdrHkNzFS20MsvWiw9KsWg2rb/ph+qh418ac8VdyXNcETVgkLeYHnue61
   Rbb04HvCvu3bBNjy8D6yRlFVIVxH3Zy7+iz3fJ70VwlqqpmlnMsidx3v1ykAeK1t
   uo42n/3t82Dx/5s3p9rZnhWXUdO0etjL88GpyzvdwtkYy3Nj/8afvB62iUwZ1fR5
   rcnklWkphSq9HL6brXQsS3lODDHsy8xIJlu5RrGD2MOIOy/rbMxNT5WnGoZ6j/RJ
   Spn1f944h2LkyVFFNgIlq1W6MLfTNBrZZ6kMpJ8X39iL5KmkrQ1me1rgJTtM4heK

A.3.5.  S/MIME encrypted and signed over a simple message, Injected
        Headers with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7305 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4402 bytes
     ⇩ (unwraps to)
     └─╴text/plain 331 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <27139e00-e05f-581d-a339-d2bd43bd0f42@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:12:02 -0500

   MIIVDAYJKoZIhvcNAQcDoIIU/TCCFPkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV



Gillmor, et al.         Expires 28 November 2021               [Page 85]


Internet-Draft          Header Protection S/MIME                May 2021


   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAFeMxt6IIoOR5Kq2Jiucu85qezrNEQcYm6sV
   Cuo2f+/3QCmr85ho7PNGXSmj0LkmkvIAh4RYf2fH6jqYSYgsxQjT3jOcx70hhTms
   zQV8e/UJvWRvxQHhPbtnDFketPi2CA++Y8zqvbl3L/dBeL+ltiQqcQprqy9RY5pH
   FibcQ5OkxPIzBZQUL5NrjwRf16gujq+nGVrhphjwjWsCX+ypt6ZrrBPtje3Iudw6
   /0MkMj2lJPEkgWvFEFNL/FkcNRzHlH3dQxqjaf28Jp7eY/3tF4NVHcirE9DSc6hV
   7v5zVlVEtthdFE9shnbPxf+Sbww+M3ZTVOxJwGNwPwhM7ehf8wMwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAZ8MBsyH2Tp59sokhPP1DnTLh
   iblpxffhKGR1N86t0QjQcmsND8MhB4aM7BtgsymR3IcdKrchClmkt6ATp9anhFwz
   7U93WrdRIUcSqLnwoCU5P6lGpM+w6XYJqWjpU2Yd76iYLPOYBeAFtMbxdrOEwSCh
   KZH2jyGohfZXtA8jwGbf3rV4sQ4EyZum5yfm0i8cOK7FPSPK/7pqtP797I9IBT0L
   YdssDTrrNMDRBKZ8AXRO/UZFGyWAcX1SGSlwAQ4Ilg87lgUblYdKihC4VhH2Qn0m
   YZG37Til6fmiZqAUFyJZp5nuJW8sUMzgrjzv8vuO5u66W7LoEhCQQYTRSrxFYTCC
   Ed4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEAfIC8XIvnLoAcDMT8ITOq+AghGw
   lTqzvMWiOchU/VM97L/Ya1UcMR5Gp9ca4N2T5OXhTDXkanfsUHQtiKBHI9XXBP1h
   Modt75Gunm5g+Jaj5K6hI2OtXZHGJFrH7MkZ6ttTNUeIHqtjacCA8j6Bunoa2qmT
   MCCdHnTipVzH8tFx8d5xcNETtOvuUjXwIpBMsehYbKBqpEG3qcS/Ke9chuwIEbwJ
   vDwkagqw97Cyn+b+EWAj2hEKUGnS/YtzsrhPwkhox3M+MG7eCJ577KUmIvrJcOZw
   d7vku5E0Z075QiAfw40KaHVkqHsEEuAJ6FtQAOpwuHrTTZkMkTiZpETf40N4SPWu
   uk0JIZpJvbxnZvktxbCDZV9FrGV/6TCpFgo0iAh28LWcjVkiFTS1kOtKqMFQxAu7
   78W/dA6JSkli8OYPhevcdyP8Ffyh+S1j+7cFirJPyKi/WS5oJn5vIZqzkJelySyf
   vzGAiy84zd7AFevlZyHSJhYhvkpRa3Q9puIgF2DveqUvoFWuhhkg9SJ3QMGqVC6v
   z8bPYqk+vG2btGT6FjlzZk/J0et2jpe+luFQ6qqVxQZQReUXaY3KZk3jSyub5M8U
   RmIBw+lOeE7HXor+L/IMW2AV4TC45Crl61YlbOadPDyClJtsleWj7nlRkfRZTmAv
   fgecHCgqAFIin76vB0uB7BcWXEJ1je8QBP9RHSadMFsxtO7QMwVXqMXLil4xaNPP
   hUV3Z+YquW+rpMbb3WpFO1AzYtwUbagK08eIzQmEa3nrpiX0so42imrrde3VgWiN
   l/ZRyo9cPuCmmsdsJkxGfa2pdTecK52lE3Add8BI4qjF+W6ZhZnEmzkMiDuHGmoD
   OOWvV+yV5S40HBhvGFlbBQR9xjKp2k5oIWLiSSbeUxpTw96sQ8Viu+MLgjubTjrL
   bvWPHJzykokgM0VgZs0MwDQ6TNw3sSeI4wB/5btssUmjTwOinqjHbVjyityjM4WZ
   5u7z29MaUNUY3I/rTBvN/RllEh/dBBBh1hCjbywizIQtOv146GRwPUGZeWymkNkt
   xRqRxU+ecdzT3FZIDMjcK4F1PqY0ylK06yevfI8mioUFU3HwNBpmkhfwgKx+K+WY
   zoLatFBnvon9gemuVKvI/HblzOSqMXG30TQVzifza9Zhfeh9Hwz0cnknLCKYVyYq
   NcQoTI6PyBZ44Rc5UmMr5o33OI0pffYHq0+QueAb15SskBOnCi6ELWBi6n38fVEB
   Nh/7kpFO19JqXnUwrsl7jRMGp0gsM+sW9xaxbCkb8d6VOVS78gewysolaGe0AerO
   qMQnNbfzbNH3IqxHGote/Y0husOkU5Kyglq6k3Aq7KCLtIlVLnyT+7rPmpf8jbrC
   TlZmT3IaunHh3qS/c7xo0ybB1sFJzHdlrgwZ/FqMFGI65pynQ5zVGH37MspWs3L+
   ZJ0w1nvA8W1e9cYGh41g/Ipz8Tl8hn4hhxP3XbQrPczDQ6i0cZn3Il84Iy0EyW/h
   u0lLnQtzN9aes0ihuE8uL5H5DKFlG0L3zwE9eayxb9DXk+1wVLnCfO6fGHgJFNt4
   tbFIDW6y1ZLvsNT6FZwJUiLD5i21UIaMUDossMBzruTMGp8sTPqadxEtQRO8u/mU
   ezKAKFr0DP86svFjFtMUK8mp9trqWpg5c6ftgN/7uG4fzq5DKAcPFbUspLH9J+Mw
   WcbS3bojohXXNtpV4VgYbdjOqNFw5P2tKHRHSYFyHmu7eznQCrgklNNONJFQA9dr
   3wHvLNshSt8ECsLarvnHUxyLCqn/i5Hy3Elzalma1iL7wYp3/7i+rl+qx39U6RCO
   1uHAZHWw2/IU5JkDkxjqRDOlkHgcfmwGdIBoKuHbcPxohwAlR7fD6ez0pnjW8RBo
   AiDbgUB1rWOOrLKFQMIabr7QDFrnmjLRQ6f19MJUtdsktb5E+r5odPTE/87yPS6w
   wZxtM3xoFbIkmjzAjc3URxJRtDNVeeyKOCvnyxXO/QSS62Rs10/gOGmrpdiAA0yO



Gillmor, et al.         Expires 28 November 2021               [Page 86]


Internet-Draft          Header Protection S/MIME                May 2021


   F3+n0jCBMkhtMmP7J2DiCDCwTCuuFglWJwxfE+TzeOzEOiiH5Pjce9PBTRgHJfnS
   7apBM8IT+HatvHMcC848/mtO7Sg1ZpYQo+xBRjM4viMwSfYX+HeuiTQ4X/AxjGeT
   sSOsOmozJwJiRkzwB95wY5yaTuSBLZgk1w0cakzfk6elcxVYiN7PUc1/GOR43sp3
   soZF7Q+vI6pIbDzOXGH5gE8yrutkDhHs6pnQJ5hVWi4KBo1R5dFNhYv2FsQHpVKC
   ocw/Ng+jARRSHTEvRyvZTTe61evbTjG0ocCYx7j2rNsyov8MX4b1XpECBOdpOAUE
   IcfQUUqYtgfs+m4h3QGlch38u4UVUPAbhqCy14HHSsmA2y097eej/A1IKx1Q7AAh
   oyjCVIIrKtZClfkfu6gPq9ft3L0aYqwQY4Ns9Br90qNyC57zvklvZDziNDy+/5NK
   9raZxhPSJzek09erc68W5mR1d/M3+hnHUJJtldIfd1Ud5LdJSnqUd/7f98xxFrSR
   zxyxdyPyCnRix1+mcCRoYsFwkYtnocmBcuKgoNtiGpmx9KZfbEk85xHW4OOBZPus
   BQReMzmCHYMPWTsh4RrP0BjLkdjMrlmwZ+P3fr1PE5CCTwie9z9hO5gXnrc2isRF
   PMhm28AVdi7HHNHW0eCBRluz/TtgwZKK/ZsDJ9kx0NXCoWgvyLC2QhU9NT3q5jYr
   LzSdyoaTypOzoYQT7rIgaQ6nyuo2gJ1rtkKYGAAWKp3Z8QIWz1VFV7XDXekKnPK0
   i2O63tw/PtB/PMRXMqRvO4lBP+M3GY67yROQ75RWfvaAmQhyYfA9p+1FkLnaXlql
   8sh6D/BSRAr0aaGBPdxY+M/WBNnIAr0e1VfcwUIav+x8j4/YJDGi7Rb8IJj3C7+P
   9ev9NDQU3NICaUVlYOXo+PCa+WMVG6cHkk2u4GvYu2r5/v57RScgzDYpfOJwadAx
   EINItmSH827SL6mLKPLPr6nvGhMZSONUSVk9M0XqgGWUVlFPh/Vc7PV4qpi8F36Z
   i898n6XP7u1L7TFUvWYHEbsK5x71uURECMlkCr+tueRKzfEfRtfnpP12Y6mVt9JZ
   fBkOGR8I1ZAoghQ0IsC0JP3c1f4z6msuZwleDm2C98WpohbHX3D1AnCFSPzl5RHS
   /abEFkAJ2hfuaSQNc/nw9BWcceX1WNXxC1bA8GsXRguODW/BgfJ+lGsptFZORZqJ
   u+XIpl7NaHPrQl8pnF+pRN5Zqzn+nDO3H0Uu5tdKKpk0spelQenzG4bDzy0UBJel
   l9cTFLJwz0sUXZStIGz5KhwMiIW9O9evFGE6q8lm4LxUcG5OaSgUNmZWmJ2dGWGN
   72Q7Qyg3FSZRBbFDkkBYAWUFrnjrHEAQSFsD9NVjrCAVEXEHfwnGncn2Ysh+gm8U
   Poj0VWH6R1BIAgDQbITeskfo32dyIn9RHWPqwF16914VXndx/5XO/bORTCqQSpFc
   vaTwSt0NVkFVRvCsGG74SCEznwBulWd6ijslVKnOrZqlMXfzPiNUSTk3DEdwatsL
   12yNVNiKoAdKK9oxbIyMHYHJXJWVluhwPy4gS43ND2PllePBWC6DgnFQyIS2uPmD
   sJ8V4fz6MYcLZQyfI0nOVwyRUE80vTKAczJ4u5hJ0HhhIXSoEqBJONSO9X1Ta7MW
   uKmqm8O3X7JHEZcCa1kb1SO1KeFXtVXRudVLhPP5Lc+o+DaxfvtOEpxjD3wjB2O8
   Z3fYwkH0aW3sDo2aWSTuYC98UJ0/imqlxG8+4FrkwRkaoGetwt6oXaDY1RXE8GDy
   FOBIxBrxAncl1gv5dBxsjOmzQmNYCHtMG3T+AfDKmzsSRyPNWhi8NeEK9G0PThu1
   LYezQjfKTm6zhq3Jlm6Fn9DZ3CxXU7MZRqrVW0yXgsjlC0Mfb2WKiXZB7PZ2lQKy
   qi0hZoVubPHAoAK6rezhq0Amd0lf3K/L6qVeilFMD7ilcP7r7dW/6hm2ZV4WS7Ck
   W3R1ERI/HDgJ15NnWyyaXqcbwaRhpJma70FWE6c3lm5s1mcu64txxJDJSB4E4aI8
   HVkz51slcwbuE/YzdNUbNrr98iuAlh+3iJOZ1jKK3bHfb8zBZL9IDYFv+Hsb/fdb
   tkTASb1fZUIp3u9OhvD91Vqb3IYriQiX8RB6/6cmvk3L+lbDGNk8leupqSPrhIOt
   YvDSVbQSyE93KGdNbyUe1U/l3TervPeu2dOL1qkPFoEs+TXThUUxzjyCvp3kapmh
   MmbI3pVHqZKLfGym9BZcm80gOVMLsD/ICYwLfmMQbGXOVvQRBvn0rVLdbu3YKOll
   MZci10F9Usak+agLidFmLlCBWnLk3uBNsj1zX/KkSFMPp9RBCpVDdtY2f4Fm1SSN
   Mg+dmnVNqZHQuXA/Z2nuxwGKxrWF29crk8Nakha13U0X+qnBPUnRrs7X/IFhpsY5
   OsGsD3US2ACHpojAENsGoCpwJ0ydsQJ1926iSbQpcyL1avqxouPA70KoNWL8Jn6F
   uuh/OM/NC2JhKNa3wbfMHg3btoAZiK1hhT8NKFbZ6P7QfDkrmP9j8kJK7nfWsiYp
   psAur9z0EW//oWWAWR/xZ0E5rG0QUVfjTTWEMVQOwf6Q6cjJ1EhxYrpIj0gA56li
   Cw+ZUqUAyl1FHFEvVTPAeJD2XyZW0jwxaL67DyyxeGBLJj5dzTBbBiZ06vkMk7b+
   u5Z/iGaM1mgn3jS0y8a13WAn/y35u6HZzteP8A42ZL4+fBsFL6cmIrWDYsLYEmB6
   0owZ5Iz6xmqLXbfwNkRZBDmixp2eeQPcMX8FnXK+6lZEl/AGlSlRSz5r8HoPOwI4
   /3HE3uykVyRl3dWCnQG1A9V/2xw325/WgbvZ7z4gOxhwsYTNucIyCik3PR1j8OdD
   GfEICpkLRCA/28hWE663wV93bRwVMqJi1MSTfxprAW10ChqZqe91RM5ijXbisdoG
   yiwKF87xW5/lfEbBhVJAnXqjvjMtDZbkBEteBDMOJ4yR2lWOj8/F+96IPUulX6N7
   6BGczTT+dFe22fgjFqjOllOaA5H9d0A2me1oaSpveDLWSd9k++tuhgbq5amEj0+V



Gillmor, et al.         Expires 28 November 2021               [Page 87]


Internet-Draft          Header Protection S/MIME                May 2021


   o8qcJ8YydforXi39Tugm1elPjlJFSfG7uH1LFNzBBKp+cfDWBtfNqnsFUkJoXT/d
   21Xwl9DKzGIfzcjDyrXDQEdf9Lzvh6VJ3CWJ9FwpbIw0rzo49ULXkl40Uyy9nhA6
   JJlX1sI4q6yWxUTSXQunbZH6LogTq9FshR5xAhkHmJhjAdDMkR/d3cBcDxKs0pdk
   5PPw7R1w43Ledc+sV73bvEmD7r+mrQXfbYhvkP8nmLB8VkbPUqq2dqUwvnAq8WkZ
   ggzcOKk8vETew+4B+E1zC3wUzpL+B9O8qhIJu2XHQqkKJraDaB4k7/jTtlgVFjQN
   J3swWfsiDRKYUrPzZfac8+smCyy6FN1S37fGLOAIaDFcTiO1fZc1OhCXRHI3uRpl
   dNXwFG6OepZTs+r3yLEpqH82vnbak35zhJTZgWWlUutcLLYLuulaTv85TntCV5du
   tEPiR2f6oxgo+96zUxxpFAMU6+EZz01IeGYy61+NTJ0aAOhWvlmpff2uDBEJtdnu
   /i7WYT5qC6Pae0ZWIhseLGI1U/CUMfdY295pCfCQSTS8O16J93yHY5bWMwMyDw52
   Vf584mGeE3a5/j9ju9qnjdl7Z5rjR7bc7oYKjCP+Pv+R3pOo7jhNhTKCbipvH2Ik
   xi+aa9nsTlYgNFMTmbFljhcsiTbPSOw6NpNfJmynWlduqM2Ra5ZSMOjdKtOEW5mL
   HKN7LhzMs5nWvxM2m6J26kzfbM3+d5W361BvgU6v9oCE8uSobGI/sSNP0kgGU9Cx
   A9kSrxMnhahtlC02aROS08PSeAcErUnyKJLOdrcACRM/T6iwROLI38Nn3E/PuqmF
   XDcN6aosfk5Gz0WhEuIe7o4bEDcHTKkeZ90/qNyJuCTwh99VUEeN9T6PovTSTYr2
   xpl2Dca+KXzEcdmT6bL3eyrBAMRW8HyfYTxAJntty0pLOgszHc9Im6q5Y+HvKOU2
   Jck3h1nygfBehDUwsLTWPg==

A.3.6.  S/MIME encrypted and signed over a simple message, Injected
        Headers with hcp_strong (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7845 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4802 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 918 bytes
      ├─╴text/plain 50 bytes
      └─╴text/plain 367 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <73a42f8e-8f5a-5c62-b982-82ace766fd32@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:13:02 -0500

   MIIWnAYJKoZIhvcNAQcDoIIWjTCCFokCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV



Gillmor, et al.         Expires 28 November 2021               [Page 88]


Internet-Draft          Header Protection S/MIME                May 2021


   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAFlb0uw75g4ZCsNeHmu6cGBIrI1m84iH5M8Y
   h6VbVpYvAPA/KiFDEtYIW4jVzcWrLuDPIwDsb5rhP3fqOJVBb+aPueeX+1O9+3kF
   2cbvhTGXV4ypzmLnflRUDcvJc48uin2W9r5jwnz8Hcqzh/hpxkhyjQ+A43PrkNei
   xFk9DHl+TjlbDXIHDBpq4a9UO0DwX3lwzl6+0wqFrnbAKop04yJ11TLZeNlukxci
   Gb6CO3J97HGPwe1agFIp8Dy/V6dV1oHYq2fYtwgXro+FIMKgQJrJIzO/7oXdFpBa
   zR2rgtoj7vlilATvQjlz0TZ+EKA8bSMdAk4lqTt7jsk7/5ZBBrEwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEABqHnnpvSQAY9G9b+jB6pp/A8
   ed7liUtmJEIpUdbJeWjK2wXX/ZMl8npfxptBfpyVUX/hZKv+7CEXxrR3HDmMhegU
   zwTWcF39ZC2cIYOe31l2J+ejNPWr7447svWuKyNG/TeobeZBYsVw0s9TFKN8+8KC
   T11WUqCA63rx4SG1Ueq1WjRc60fEPiCLrC9Cy0iNatfulUFiMWaUsenyUisqu9e0
   pyknncPN27BkIPY1Zj1Ks1PUy7SwrRztAFey4cQ7duElEoKOz3SrF7vk8/k55GKv
   Lh2WfTZozb4iMgqIVj15K3ARmgUAcoLrNRpFlia1MtN43YyHDzIopnbMLVPyuDCC
   E24GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEENl7tFWc2MLAxbzfKk5mB5GAghNA
   Xw+XtyPyo6kYsiwxV6nx1hSJyw4mPDO9YbV7MWEBXixmizwqXrF3MT9F6ummVZSs
   6ZNGuQ8grRFzR7jjhZJX+plXiErAvp2ntmD50JQ9kzzrzLK4QvWyGIwqPbZ40wn4
   gvk1s1fgWmKHzmku+ajHLgTDAdIhFWvPw1eiodSmVFWSMT1X/KhbTwwcit+mYHId
   L4qND9defiJ9uuadxJeygvQqQbEI/OWxpmYBJxqxWrepc3RnVOdrDpsDx8ONVHLI
   ujn1VaqKc7MFiNXJyhag2F5FngrUyl5TxvfwUmnmPYfwHBPHb9qAHslbnM4+4Mqj
   Q6IY5cio01a2D2fFFETACMzKexbNKGgLzLv8DGIDcgRJGyLVL7KHXdGPG/cUwlTh
   s5IAlFA0pKjZA/rwtgQyGA1oYoL5JThQmYuA0vOL6PuEFDL31vZf3oXKqaSEFoPX
   cjzMaxiBktvqkGF7vyWDk3fGH4iR1Ttgp/xv8Va5Aw94aZORT0dcW2bPKip++11k
   M3VnfL2hpl+5pOsmPDc2d7kXo7OUHkDl4xRMuz0P4HdSlKNH5Kz2bBlBJsuVX0hW
   8GlpvV8NFcJd8ns4x+Xajfp7cRPz1vOP1ISoGs2z5CKvVUH1jEsSC4mWEWo3m7tN
   zmyTqVhMVduAwKmCXn0dfNY1tOaZd2KqJ5/1DtOfy/0JpsSfP+TVe007asHhWEuI
   6uSui1r1XNhXsS/GtIthhxN1Yh0CBMQ5sCQlpcPvbkckAdfh8gxWy1as6mdnSSQH
   6rH7js2DErqn8SJUW+8QW6cIwXCMfuEwUR3TXAHZJZc4+FDzLDh/SFAjUqBAjUw4
   tAzy8O1zM9lUNMaGFjvTulokTn8S8zdg2E22BOlDN6FDKa7xhrqJy4wMycinZxJ6
   PhEz0Cci7O3l0FUoT6pt6WVZo/jwpjmCoY7SWIREzxn8QISqhOCsQiPixdohSQW2
   5tsfSjC8VS75lGEHT4cqg8EZ4/oryfCLw4LVCZTeCl4V0xJFL1p6Vk0fgSOiN3B5
   niGj6eOHkmAnANr6Okuro3ogwoRyOPhetiGlD1svYxvX87vLGxtHYu9+NU5ZwI7A
   grRd7v0XuI3a1tCs1PT0id5hNWfxWYbJcHT78aPJTT6n4Wzy13pKIxkzromw8T+7
   hYByBPXWvrULea1irKL1QQp4Gl3bMDmNH2QGd1l6WlG58IPLXYMH8R18JQg3YPZl
   4ee+dXq40MaOPe+5TpDgBMWj5CTZGswLUOujsSvP4z+p6/N5H4erXNF54O7yBQ42
   oxQjQupz0NhAouYmXcdnsSEc++VwNrgoaic9EyroUCNHvcowtBPsw/fhJ2TYcm2B
   wUyNqfOaJ7VfqeYUZBXhJidTx3E2vvayQ7F4tY0QdXzcSa/4rO0IWnI4Sn8yBMmQ
   ReVXjN2IqTdNo/fWg7sSYvTKLmqKIfGnEIt/+u+V4horrQM6HoaxXuQ0HP6ekEAb
   GugQ44hyMwvKny3v/fhu/5g4y9V4hgyrwXTLoQYIooW4uzFOIbW3XzAOY8GMgIPZ
   7TTdMGTXpQxMb0k7GoFafSBHiygruaJ2HDVaqpXAnOh33ZdbGHxdBhRPlxfzpT+A
   bJ/P4JP4nG3MhrCtHbZCd6pKANcmLtCK7YCPfndumgqKPPl+Alq3QfwXwTnrksMM
   Aqt+PwwNJSq2i/LuOZoRusH85FqnBAhAHX+yTinsUTLZ1cWh6fkfT3gHcAe0u1Kd
   f/vBsS0tbbkJYu4LV1Uqxr6+mm7oZla/NkUZ73Edf7G9IzixsVRXl03ryB8sr56o
   4ouRHAF815+RUFmVacuMGwpJrOs+ql6NNQblPkllveMBly9ak76sjnwX7LJUuhje
   uxaipDAOmd/49cSsKGkzzzAUCW6Ug4Ar+a4fa95CuX2ZSId+I79Mg9GIXRAiz1W1
   LUYHVf5avjvnsms5d54oJCKsukizbSq0T3ItofhfQt0osK9VhbmT9PlntwwjXY3v



Gillmor, et al.         Expires 28 November 2021               [Page 89]


Internet-Draft          Header Protection S/MIME                May 2021


   5BhGkSp3CtOZpPjkrx6Cc4WNTBb+PX2ZTprF2+uWxxYbHKKyWv3eSoiJcpPkQUjX
   U0ZaKIxDv1er7Lq8wwdXLjUH3x3KgO3YsofePYsOWmcp33+fTef+0zBT3e60sT8f
   hnoUHI5OzR7dRqEiiKLFSN1Zw9fSXtp9cTxBeM6+jcjnZURoxgy6U+KbVnVv/je1
   P5v3Wqau0FFFmWb5vPSlhHSF5L0z5CvCdWZaadU02lZmdRkYbBDtDADUlUfcQrXi
   T+mJlCM9tAl3iCjm9Q88Poxcye3pri9tq+KqE1OUajmX38wWvlBISiXU1YIAxyWR
   HjnIq8SZ3UvJzAkp92r+3ayy41CotY5o+RqG2ZZ/gAvH4FNOuzeZsDAJPeMR5ivO
   grInuAfP6VeVKgvosaYYKvOL1rkm/acdKBs2wBXlKnceKR9mJwdnXvZi7ruILSpi
   WaAcoNvxAPNfd8Cv12IXz3q5t9OTZhHKrXFMhpMRq1XOmMfIdzr4UJgh8A2LQDsJ
   /Dqpc9NVfqhWVP06ZAgWQW3UCQ0AyVRwYpaUh7fsJdR+rthFMusNrt24aWkE7dtn
   sXPrwC/z7e/nhhPnqUaDmEYqP9i4k0ITlnACDnZsNOUbbNB5BZChmdc2CvTHvkCa
   KHrloihhUT0YWygKGc5BEKfif8l/BrUaDATwzWAGICAyWUIu/XR2SbyjmRrulvta
   +dYMsekYozcKnTtu53JAD7AUun0Dj8Q1bK1i6UfJT/4fjvWslGrR3DDJwoaVC7Nv
   t11hb+seTKdzBAtiF19p/ShhraL33qY9E+T7mo5paRO7GPVj/iOFtwUgUopKSt8f
   BjzoYuwcZGacW3YuMd9qbV8P4V2I9GL+FlnOcutSIech9jPS+7Fit6A+J15Ca87Y
   DlIh1n1MAjOK7IvKnq1UC9ly8uC5e3CUDNGs1rbg9YSHaqnTQ/bTJIjfR55qBmBy
   eWK4/JNsE+gjQzWgWUccI1wDVvFktvM5dSIu1RiFEVHkzEcE8wQbMQ3i58EMhJg1
   9ACyTLucKLuGJRm+CT+qsYXF6PEAXe589wo2wlg98EiQLfS5MI+ofrnMkpG1HNye
   pLMo3YoZt8bUZo58v/e2XWLKXG/ELQ+u6X+MsvfWA12HWiwHb/zyEyZuNZDqVDpo
   RkeLtYtaW/RDHyF82RyHYnmtG6xQCqsrsbtkWKVZCiVIcZONGt6Z/5AFnmJaMjZk
   69ShU2R5x12WGXsvaDaw2Jzgb57DJfukOro2KDYebgTSRPiIAIxtinRlvrFAOfhl
   4W0BQehOVTv3Z48i3QYWG/vHkJTHKgwB6fXesTa5ylfs+YKlwCoP11UlLrove/hU
   cvXtsGju6y8Vs3ga3OA37Un2feDCZkNnpo9jUG8ULAmpuKlJX6otzxi/ZM61W/bI
   5pvxe/GLm7f3zzbxCX16ibeO/ZbqPa6VrqZ5rSXSj3TP6p0IusQ3lqOrvib5VEX4
   YM0g5A0VTFJj1yQ09KMXa9qHoxVq2Ux5ai2Ry2/8A7nI/SFOjEex6mpL/NoCMMAN
   ionN1GU5Hx6oN3nS1nBWv9xNJW0sQ57fYI/gHzZ0mBn88RiwDYRoAWhR4hrA7okq
   elg7J9X/lLDDrgIWNfImqQf8eu5MbJ4fteomo/s1usR0xEisF9RwECWEDLoHLG4u
   m3VyXHzgHUbJEdxnOudweHFGfZDIncnCONYkQSC/IiU7p5t/AgfPyXK1kO+yrWkg
   aslamfOG52KaF1bk+rMOSlD9vQoFQbh7lsRkHg/MMznqHwFnN+/+YM9zGHHNd23A
   SyRnOHRVpfdIRPEwPKV0vf23v7CuajncmG35rl7ALYCPAr3W617N3/w8rNYiTk3d
   D3gCu/gs0S6wOzOTsiMpA4fmsn0ze8GIQ+fkQefTa4f8VmITdXIAuh0uIeJcauqy
   EMSUbsJshKgnXg9zAws19VVRz4tbbt5rgSutuKY2yb8y3qst3bOg/AYlDc8jU2Kx
   k7unJAtMqNfDSFBs8yNd8iRh3OJ4u1jAYt3vbF+9EuGKvdmJStSJuErR165grMeI
   4KaV0JacRThFzC1TW42qlNMx2GE567agk3SQ/+qrQJZ9LvJe5AUaBQU/Pga9S0Pa
   t8k5qKewu9L3SFShSuqWjGTNdNlfRAzBj37I+l3wZe6SFGc7w/TBvkDcXBC58duV
   oZCRMsSb2QwNpkwsicLXnPTtjqQBPPsEklS08pjnYn4RJ3QOQ5LRP0M4rJ5i17Qc
   zO/BVXFtzP/SuGgrjWkEX9Qm3vgOLBGbNdk9Zn2uLtog7vrlSjydl6fYd0dF5otv
   GpBBRvOxZ5BzP07L9CfzXyAMeDu46JRA85m3qEZ7CLwo/aIG0Ff33/yUh65AmUu7
   /j7sLtICekmG3q+gzgreATkA45aVN3v0B3DsNHZnKPwIsit24FItq7mun5coHG6/
   jPoIvLiqR8ER1PROs7S8khfPZk3o+uoJmk1cmSPQdXF91y4qYbCeSuod6FTJU9Pw
   lsjWiaX5SORLkLKea/aNPC/s/v7zfe/Rd/3rDv/UtRr4Ys824X0qT9HKGRXpF0QL
   R42XRcIi3rTBsOmalFlyC6Wjy1RRdGOBisZLnQgNI+enmkmN/ik7bbulwXujIlWW
   gXHzxBo8ADKqtxTRrri1ahNzxdBjuIz7/TkVgNxkTudSy3X1oaqA2TDxW2E2oNkY
   t7raY/bQV1JQra8YXe0rbYiia+u/vEfvEzW+5oGTz830wV6YqxLbTgNWvzYqw2ut
   HDP5q/6YQgoAFzT3+jFbqaankizXQHnZbQFrdEQIom24i+I1wuVhc8XuJydWa5Zz
   z6uitAZF/mxEQ7BoFjNXtxoRVdxWG4ki2GypiN9/VzXpRvSUkUEpb5itnQeo51P8
   2sfTXLQtYKK6r/nLs1QwlfLqIUY73qAz2lStvI1P1ou1ORWK/Ksz6CF+kcUfXOB6
   KGDZvl0NnYg9Tu79xu3sktjfGNC9vaev3MD23Q66xK2kLY3OMikpXwAybmrGdu3I
   OQlZRWVaGCtnNuj6jweCS6vvZtjD5m9uqTvRAtN+pMcqzdMwJne4jh4ljFOcv69z



Gillmor, et al.         Expires 28 November 2021               [Page 90]


Internet-Draft          Header Protection S/MIME                May 2021


   bk9Z+mxJ5wfQsRNaH8QoaQmoHGRksaYIQr4sV5L4rA60+AtmXsmTQram6opUAXIv
   7G3ggWdzwt2Nd6iVuMAtq92hiedoOcb7qxCi9/z8kpnLwp7r4X4AzQRsiLq8w6vJ
   rVu96hIxmdP8ob/XU0DXCnZons1fhlw1Qcw00JnxJdQbF2a8aUQ1yBh4ySPfBgZ3
   9ZnZtgzmzHS3LCqEs52r9nJAGvjiGtnWnCmGbFI0xU3j61/XQy4LFQx2Dcx+DCnH
   6qkYaxPJr6LZZQcobiYEHNOCjkajVFW/OTJjPoR6LsQletdRMjOTE8bggbHNEDGk
   ghcwzKUE273LaTdJorbEqsfJ0ZJee3n5l2P2IHA4a+rCvZcXBNfQKlf7JkUabIDf
   f7FPTY0yGj8MuZKzWWFJJ1myE3o73katd7f2cSw/Vi1mFJsFe9hR+9A3ycmjUSfn
   fsaFJNEaMFYckdG5Bg8imadMBrKtO4GsAtEFB0c8qAFxvZClz4/hGXwx7oU99BNC
   LyO07jZmQK0XUNXIwfaZZ5gyfCHQ8nu8AcpuN/7itIRA/ubHl6na3vg2eif+vcEG
   Mh0gdQ3B8gKQ9j2ZYT3X6bpsOjeOXA1e3Xz9KXAgfzcS5ECQeBGPBdg+WIhrhfrp
   WS9+GtY4J3YwFsB9QezWVG6jBZTk60KcqXZ/8JC1Sg19G1sOI/WZ2vyrFPw1mNif
   95zdXk6pM5vyucfXQqOrcIpRmRMez7Dtf6hQv9D06XVbS5sht/bwTqwLXBUe7Vp2
   QjlJhEG6LGv5zuEu7V1BaKfISyMV5YPCqvuF9emD+L0rLirsTgbrOQ10gezruXF4
   r/Biuz07s51rGAahwuWj4vbqaD/onN0G7i4nfAx54YsCW1U4d87ty19K7Rcra93Z
   PeYPT0gwEYcQsQlKVlrU8BmZLIeBOq4SKBIzl0ec/qd+48pPSuom+KuVT/LBiiS7
   JtC469RvCKnlH/kILA6OatQGzYfD/R51QtW3e14LZaJBr102f7oQFFswj1K11Cag
   ucIj54+UQTm4PEMW2SXsWBgwykfLfl1Aimbfp4BF4by3vqcd5pURCG8+B/++tL+n
   DLxf02+KnPHZz6GRhhoGRoB0P4I98hC0/SqHMzbyLvsqDnOWesGUpzpka+JH0aTL
   jxuSDtfR3oyEz6E2v/k66E3Uj5UaRVatOeow8AFZ67WTFmg9v+8yl5wTsw7pllMC
   PNTy2aju5CZ2qP71LA7EprQLjrjc5rloXBGx71VvVgs1iSss/Irwy3WoaI20kXv/
   d4vvl8mGy6Euha2Il+z8l5xCinZgdpf01YTboVBVa4NVhnvWIDihBp2BAIFLWq3e
   I/jpu2+jfPBfPX/9oizqDpQayelhtUdXTL94RRMHR/z8NxdqfJ8X8xOlxLjEZsZ8
   llPcVF7NcqciQEFfMJ7agW/FT6JTBqnwCGr0xXUXc6pRvZKi6qst1ReT7AmNmJS2
   QBF5Rc2fX0e0qQjQEjaXmRymhxiH/sHslb8QNHFzgyw=

A.3.7.  S/MIME encrypted and signed reply over a simple message, Wrapped
        Message with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7605 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4626 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 816 bytes
      └─╴text/plain 327 bytes

   Its contents are:








Gillmor, et al.         Expires 28 November 2021               [Page 91]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-wrapped-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:14:02 -0500
   In-Reply-To: <smime-enc-signed-wrapped-minimal@lhp.example>
   References: <smime-enc-signed-wrapped-minimal@lhp.example>

   MIIV7AYJKoZIhvcNAQcDoIIV3TCCFdkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAJG/Nu5fmnMkn1fBsCANbQMYLALsx0mJWEly
   TzK5u5MUntTeOq+fVAUULIJkXaF4inxIe6HSau/bWDWISRy5txztdBIrGLB2RZt7
   Yq6OY4UVqXmD3EwkUab9wJVVj1ZTP4O8ijOAfpCjJkzfcQD5J0ZLr3CRXz7JT1wR
   CUHwhSBCMOuy7/lM2fKeyI+ThUNFUQQRECIjA0PmMrQt1dYM+bXNPi4lY9BVM5qx
   J8DQG9XNcQtPsIfz7ELwD20a7jGykPYUHzyFE681x+4KTBKjRZb9t2Ezecydep9M
   T92aV0ZU4A3Vd8bujGl9sUvWCbFR6/vhT9TOHHpqRUOOLJr20iswggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAKUK3Tne27yc9+vIqGMeTO6/u
   Ieg0Iav3LcaUwnCOGLjLZhlnpZEzC/SfNTobX7d/2yPH5oc4gDxGekJO2YyCkin5
   RqpYlhIeCEWtii45otBUInis/kAroFNbe7TOfJ9ck5tVXxLJ0WwG4mW+CoMlRF6o
   E7tB3VSvplzvuapfi2/TrLtmCDb4rlAfyhTIeIQy8J2LuSEbmDm2RllrWNVhVPTo
   9gQYfEz9VxyC6Ix13w18tJ7vAgvECibxVDj6AVkAB6ThJJGle5YRQHsqbEDbQjBX
   RBXfKBjTQ9eZqxRIKjfP11iYA+tNktr4WRyY6YUA1dWvb+GBV/qS2F78yjK4ETCC
   Er4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEE9Ajv97rc3cRK2SsCiVP3yAghKQ
   4aCK5bc+ic/OjQtKizK3Vidpqd/12OkW7gP/7UOS3BiPtRIUkwQux1cSiCmFa8FS
   B2Hv6npe8PgIkgv6B4E/paVga591QdjPmnyoUmAWrH5ILbAdHllugybzhs45sSg5
   xHftcE9xswAoBb0Es60qRMyNEbOilRKYIDVoXjFiyA5SxLCFxXZTveJGqQV6bErY
   bEsTEhz578Cq+tMZVC6fRR/iSi1ZilyP7AYtCxUH1K5FSgt8qnxLSwk1kiRaBnMJ
   Wtk3Ve+BETCUBTn6jYdL3rBLw8rx2bp+qUcVCu48KTW1Bk/eytSJ6Fn62hJnmNs3
   m7U06C3nra2hvFWYhKva0JgOD+EyAiqGWwXOdD7jRS9js/dkFgguZVT9OewCvEb4
   gGTXLtmTF5oiCipk5o8rRhQk8mkrXQSmfAkD0R7hav45BnaisfI+4rd3VRBqV0NZ
   wXVFiOfEpq4hhA2fCV3owC+DiW+54F6gUEz0htkkfbJdD4r7+8u1Y8oLrEkPZGJU
   7SOjAM5yC7TErr4U9FCligOLjWKmeKud+rV+AGKUVEtgXlAe1C6EPQDY+uToSsP1
   bwRmAroLwBBD1fttSRuS7089AsGqDNLbLfhoxrwkwtyDG/1t0XbjWNNw+8a5y/nn
   xnLklpqHvaHRSzrH6VAcSmrSuJUrJ+bxm7yPWqJbz17+8wrQa1FObsq7NBfUz1LD
   93+hvKOmLVIWTpYq02QlkYgRNyEFSXgTbLslA5l9WChT75VhrwQrRT70JVP+RXwd
   LT9su8myIifWOZpEIJpSgSMAJs7EPDJTdckMkBEVyiQRIcNra7lZsjjI5JQa6nVg
   8pqD7tbH9ZH/AV/Z87q00VNUP3ppQWlkwaw3ZuLEH9DWfxVbrIxD+c9DjzTl+axI
   voBsFnXWUQyW7CsirR0jhoM7sLcLXqv87UnwxlH7WgSiwkzNAoNj5gvZ8FB9xLw6
   ZvndV4o8MOYKaXQuOkIo4fJ8xkjxa4g2suRFsOHUS8+EeuBKmMJhmOXx3P2TVFmY
   jZcIPkXuHbJUMS3sCcDkwsN6Xbt7aa3jzqUpEJwwge3BG/1PC7Xeb4JgWH9uP5Hy
   /JkC7Q4gfLcqXNvBE800MyGXpZCj9iXWNYSbAHLazBYpARpj+a2/nj+D0xjPYNo4
   iwBzCBpOpva2C0f0MO7Axas7XDRRRuoP0bVeo/gDS7Nm7mq+HpH4RYdLP8Idr4ff



Gillmor, et al.         Expires 28 November 2021               [Page 92]


Internet-Draft          Header Protection S/MIME                May 2021


   8wHmnihggUDFmvJnWAEePrMXZb2fCjr0zFAwHG7aL7GI4bH2tbN84uOYFGCUrAf9
   qRe+7v7SGZIiQIXNvQCzsHkNbhSb1hOeAeKpMG+nkU4IHI2GGjs2291D7kEkKN0F
   VA4f15pSlKLlEF8T4HhoWc8S8+sGxdXm4iujbis/yrkXH13bk46A55DNk+aCvDkl
   nJatM4o58mMFun1LaCMUZl/AQW3CFDRJxOU2Ae7VbgXRsb6gokkiL7hmxC0fNXwG
   ff75Lo6/MywhXI8vANmoTBVNeOCO7atRVdzYZ3xvQ7tTgUgr2BCDQlw+1aDLso60
   SxunTtZxDECm9V8mWeoQjzmWYLuYeCbaUfeoY0dhQfwlph8tOrunEfwrbfCMK1Gv
   QX5b1eQURzZ/owrqE9/fUHHY+EjMrxk0T6+45cA+N3oOJS32KkIgv6+91GE43YKK
   9eAiDYmrBaIoDMXAzpW0yyWmzPjSuKuolPsCKnVeMN1bM/1Iib1/lyjF0yegu4bS
   0VIh+z/cNBg9Eetrbr2gR68d5mZzWXvB/Wfa6VM6Odl6t7Kq30wiFUJ5OtVaRPkg
   NSOeAXekL2rUQdmVJFwOtO6FmoYimgc+YD7b4HZICUSbpaernIhy9+ZS3iLrci3Y
   9tiMlikwHpBX8ykQ59fI/i21SK+JVtqzjFOVq6hoRLegzQ/OSHuiEr+RWYmnGXH3
   TLRaPx1xp4S5P5zEsrIGmkQVudXavewItyxq4vyEzC1BS7L4rK0XcK0n940IKJj5
   YwOIj2uiGGew6AFVEF2GsO29XdpbM4XbuIrXMVKBV5VR8B06ppA8NcVOK0PgvfhO
   66yomGxgvUn9V0v76+x/ZZpsyonbIsdfnoHmaK5gIfUcAKVIp8I2B7gN4tH8ut1+
   YumRhc/R6Y37ZbeY9ZpMh1WFDJ04LOaiccFaU8yt0Grdhmg+VLQg+mzOUIZReTJb
   VCP2201EGNisGeYp4sIqlVfziAtyPgnvTN8qtUhoZOZ5ghK5xlB9nmmbhf2wjOGY
   vB3dyw+dTkOBIH3tqqS90ATEddzJHHVV/oXzFAs6FtGbRFA0YpGvgYC+RUpYqvqj
   lcm1OLqlEHl8tpQlrWzTEIGVUMePTRBW77CXSZGNh3yz+eC6l270KPKbhNbvZSQg
   uI+NZXnGCdapQh8NIUmn4Suo/Kevo9/Z5WKg2k1gFI6rZVw2rdMuY0PVZfyuGTeE
   KuLtXAmNZ8GVFBOq/uz6GoiO6s5nFh7587LHc+X4bayK63tuKnkRdKJoqzChoU7y
   P7zFJGwR0Rhe70vFwlihlYI2y9kH11Y6GSzULYY2tYozH0cmAkYMnSTmeo5lq7Oh
   NveHC6v1vVQZ6BUYN+6fm/jU8fuE8aTgrnREfdDNbPUF4G3hZz7Kyzu5KgWxWVjm
   a7Jd10MxVjUhqVtU52/H8eikdanl1QCSTtjnt8BP2apT8lXjzT2zdZsiIeEXhylX
   03ao14tBqMDvpZ2Uriq0S3d4O6zZ8DdCA/4vqyVpdA5GYxj34Wg2tMN07XHZ+5iF
   4D+Dra9pXS3mqmR+U/MUF495/9xM6+eKSN0e3gyHW3LLhMtnc/sNIod0mMvIkexl
   1VblCRNsO/vKpLm9TOgilk4uhk6//Nha+SoknZwZbKpV2HP/yjFm3/yopccmqRbJ
   96z4Uwgqeq37EBPdrck7d395U29Wntzzh122iauJyNYXmer9OqsH+tM71mJ6NWiR
   KQ23Pj5h4nxvhDRAMD2tN65RfRPD+Qjz8QJ/6h9scXL2we2QuzNSZZ/IfITHt1Tj
   c0Qp3HQgFH24JSf/QnhdPz06SUZp0rzR1Ykgh97miSOzOZZt6K0oPYy/YeAC+kyL
   K15Cu3F7fVrk/aYuU3TSSO10vfblioC3K74lWQZHmEd8nOF25++U7FspYVGa68Gq
   lJiI/W8vhtTDUCdSwymn1NgsrVVg9ip7RCkSBjoibnup7nTOLbdi/yNTmgD+s/Fu
   F9ieEEQN0/k8ARP71YAZR8YSaG2dLuYh/pRTpe3xoxLqwNyC6ck2eOWq0lK+LBOi
   /T+b6HH2v64De8MGR33MNDf2DagAJ40/RlJJqXhLm6JTn0ZB4C9gygJRUumv9KIV
   li9yccYXs/dU+zYXiVOwedmN7vtm6lJTkWfet+gTRz4zS0z3UA2+dtiu8LLVm9oG
   5BGb8qiRF5WNXjaB+HC81bpJfuIDzAja/2QPAwFH3tG5ixKlN4/ryCwoGllkamDx
   IiZPf+2itg/7CLDnomfCGn2XEe1WxS8CGR+c+sH1k3umqpDJam0FZ8y1g7gaFUO3
   QhpGY2kt7EvPhOXdbwMhNADHFCu9oEC/TLxknowMsdjme/vA1h00ttDWG0dPnKQO
   VYpCRCFQCVOvNqbrc/kbRRiIZxnuPmcoRcI31MqUDirZWfyxpMJsfgGCQxAMe72q
   nCHGQgaRIC60JXosP0wFPSibg9HloaEAFAwheI6rMoKaLy2WL696rG/zxEQSovB5
   wTsHFs1UAaB70nCVoLu+0lS7mL2s5JPv6Hk0i0+wSi5uYMOpO6TUY2tZE3ay52zR
   tJHKVK0rT7yTe6VQOr6PW//y7Ygqy+glBPVUJo8YV6oV4QF2vrj+StNKV457paQ4
   +ACh6FXcShgGxI6Em41W/wrBQEt2wzOUv2QKsx1T4rjtBk+hA1xfJoCYuJjiTqtT
   HpdHHTPqX4WzGa+7Kelr1YITR7TGAbOlPeJd0IMP8mu3zoRc1p15Te0mrXwM7CuA
   7f+c5VIPIXaPxcQmGdPgrs9t9jzpV+JUpeokAtUpVJ+jcJtTaFf1SQqd/6w6rI3o
   uvYT5IxS05EUu2nTYxjQRuTlonWNXkqVHEDGi99u/FrOgh9fZ10oX0FgTN4u5R6H
   58uGsmJnWUE0Voj+1iSKb86wgwDJw8QOHhnrAoDBxAhtWTuydmuEhjGaFmQdNSKr
   I3xC9o2Q4dqI/Kmht/fzrZiifbxvPleMkvaMUOKPEdWOQXaDeIAauR/Bg14jyrvo
   5GcTdHxa9DBvSpuhE/jpTk0029DBIKhTWPiUK2mCoRk+e1JILSi+k/q6P105sziD



Gillmor, et al.         Expires 28 November 2021               [Page 93]


Internet-Draft          Header Protection S/MIME                May 2021


   TIBCjg7ba04EahFU7f8EReRzToWb2e+a2/F1DIw0r6o8SQJcrDi2MNORjEpOkAWP
   HEAeTHh9WojXnEsnHChwG+pshviy+tZInONjU3Q187xSUbNseO5u+tKVTLtMEr6H
   AnU8UzFHkUDnpw6fjJjRfKYe7BQrM4uxeN+V3CjzNrK2VLQvMiUw5fcuEOboEbBT
   dzhUObkrGKaUGGbuyIBhR5zVRQC3QsATra0ITzrPEBxGD2yY/PkpW+GhiV+6Qp57
   fHtZSB0EQHOM3mihF0XJqLnx8dXAXJobdo5jNBXSo14os4fw88WdUCpmBDPpbWgD
   Fy6hynY8tjtmeaGFQC6o8tzFNMnSH/Re7uO77x45Ly1WeHBhXHARumCEVRkI1Yg0
   8WE9KLZ+TEkcTok4hMcYH27XnKSWElrUNV2ViuXKyH2jDZe2lSvLO9kex+h8Fl3C
   cfgeToh4pYrcxYB1Q+2Sehwy/nubL2pTbq09ZifaTyJaUyf6ilbAX82TUVSCRRn9
   pqGlo6+sFZsKG/AitwV0xZ3DsuFbhVaePSArpAGJ6VLTMeHqHGy/20euCky6fsyE
   DAU/W4DYjv9cN2BoATOxWkWKyI9IbGyN0Ob6E8LfPXoCswXAtuW/MdphWUHWlKED
   v/WYC1ZYL8oRIzDAvNQGJxp7CI9iGaQCEcsbwzoGw7AGsb7pt0lfLJfVTNC28qSG
   tCei/HdZbUvdwUDRwePFXxSh8uhZEOWFNnqaIVTYDdbxnIHfnHNNjBczT+TjKKlz
   s5A5dWgxCtLZcGKGmqcOmiw/KnNsAEJ5y7fFur4fvKrXQvQYctdYiJ5yX1O2gtci
   IHiHmfohFrl4TWB7iKEVj0+pfQqqnJIWYj5Sgd96UkR9FOl+Suc4lnTRqzSkOkYj
   zkYZFaa7SPobvhK3N7as3niAgcb4VfTAoFXkOX7oVPPpDrHcd7UfZ/Vj2RnuO2/7
   4o4aUm89U3k/9FgEapUL/rKCOoCGnazK+w4+Hcg2wzkgkSNFU/sgxEqY7cKAHjTt
   TAxKYh/F1r7MizSf0uFRyksMEa3NSeDqNhDhHV0IbPandc9CWVT2eqU5uvOgsNPp
   oLnDUUFC7rkQhQW1h39BaUzndXGU88LT5Lqb31Z8/8/AMMn4ZxowOTggd3Z0NSVe
   ymrsuSGyuOEU0agx9ipbomjzc5Cz1oOcF2D0/0ofzdTPkGFhb1NtOjutGbg5x50B
   3bIphtV6lpFP+GapZKcX6e308lJ/2AV2hJywbxN1AnLPnqmkGeHaU1nOp60JQ5TR
   It8Oi/LjjNc5hrFa8zKU2aM+c0lXT0VQu9DvEkHqqkMBCH8B35NXlXn7GYDzFwBs
   NnGcrNvJl3y5LbJjdrORsyggVHjl5Rda8Nx3ihLdt2lkse6UBoUkZMJGwc3ZmpGW
   2wX7+5Pv9ttUmQ4bx7xcKy0su4jQaOWpjoJ1l2G5Ju0BzRx0Vfvn2WGX4aY0AJR0
   uIZgeibQy5/3hW5keuHgB1Q7134DgYMSSjj0C4PBvHnpSnuTjYPqgE6+D7UrNnbX
   x6PbWeP0soJxQfy3i26+flQ2yPZcNIOSzSulQdK36RTeOR7C2XcQhsivgBbsM35Q
   3E29rbMMFDfUzCZmdJNivvf+kvHID5I8RtX2p51YIQVcyItTunQkR9P/avTMBqyN
   28vQlzFk3RtJrpOuy8m0nOfNue4VpUV35u3FdYIa6RkqLB8ZBiLcSFoi559B9czW
   C6zz4GlpoHMNJbPN+dNbNFIoTeSi0dE0vHlP++Xo3phOC3bBcRxNwEoIExYwxxBS
   uWGQBDNIdRHsYOVYSSiEx9QE0bOinnitTHLthPcpcE0yMQkl+diABJe/J5IBPee8
   O9sicjpgeFcIozBDz26njPOgLMl5o0xtKDsJ1tKloM2g9NpA2kjXy/4uW1iru69E
   c592xssBoY3eEzoKdAOE2OHUBVnmA2v+kJc51y1BkY3YYi9LICEDPZvR0PTDl72o
   cJY2hGykCCDvfrTBjTuvIB5KeKgMfJRJDMtGAfzPESCXOZcDr4pXX4im1japeGUx

A.3.8.  S/MIME encrypted and signed reply over a simple message,
        Injected Headers with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7585 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4600 bytes
     ⇩ (unwraps to)
     └─╴text/plain 339 bytes



Gillmor, et al.         Expires 28 November 2021               [Page 94]


Internet-Draft          Header Protection S/MIME                May 2021


   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:15:02 -0500
   In-Reply-To: <smime-enc-signed-injected-minimal@lhp.example>
   References: <smime-enc-signed-injected-minimal@lhp.example>

   MIIV3AYJKoZIhvcNAQcDoIIVzTCCFckCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBABgRQRzXTRs0Jqxrl9ouqlyyOUVTZpzsEN4E
   rRGV0bKlOV1O8OiF4s73Oamfc1GowC6YOss5JBen3EQq5NmMsFXjlU5sSiFGgsX6
   IjkVSHC9c9QtdJtXyEoqEhf2lGJ22FcLjU0M21XxtKMlArch5aouJO1+nTj8AIqk
   25JNvqG2dpiLaN61T9hSnyZe7bqDUflBo5Xm5REOc6EBvO+lFgjtIJB73QWiGBu9
   C9iPJPz7du0yIReoX0wtkClqUzrBEiqO64SNQ2MuLTLrl2niNDfaQrvfDa62Y6Zz
   RKPE+I461BxC2Evp18cJVdmOLPE/41b6QPu38l6L8/fSoKYoCk8wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAbgflLBuq/SuTA535o03fl0T7
   hFJz1cRgrOgdYfajI+bAIAncrUXPCxEhAIJAV9DNOJnISnnTNW0E5ND32Dbcji83
   GwhT2iC+Uzx+0auUYuuVZ/go7eHMUWrY1Vm5dqNq5JbTwVgWy8lIC5CatZVYDVFW
   o26J351tuF7mAaIaLYXOnUrLgqWpgqI7zXjHrL0hADXlaJARcCY3Uv/PO1YOsb83
   1zQQs7Mu82fjhmJWqZ4yQX7rBKSk5V3aoPjFcj1w2vQWUXHqczJmr0ZHYiaZQuLT
   gglkNNSPNFVlfipXESE0ksP3ZoM+DzLahjfKSLiQTY1Gacasb9+oVwALBhUoCTCC
   Eq4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEKODP8WCdJVi34OU9/jVCwaAghKA
   Ed5TZquhpH35bEbuVz9wfPotJOKJ6xieYlQEcchc8+87Log3fBKWsZo1NwcRMZzW
   PhE8p73CscBYylFWDtwWTtQfsu+pizFoH1B2u+byGhyr+cEVOcI2hSM7BTFzBEbR
   RlAWNZse0ZlvW9MABUHhu/7QFVwV9LYaL+UlEEAvoPfnX1QP1WPbjyIl4v+/4i4B
   6jk2HBMlN2r7Kjk1+i0hdt8V7WXHRWifGO9rGmZzi4hVkFIiRkqOqXpghbsHOdTL
   mWf8LfMXatmz39ueE27ZJC/1KHygfdFqQkTfSutBP05eP7lJHPn3cb7ktJ3wmEj+
   0iCyGySJlwKB9EFbWPOo3ENWZ90csz4250Djzzx6HIUk5jA2ePiEw8VyoTCq77kc
   n88G6ucn+7hApODGLazPByQeB4OTg4EwkVwa3fZ6CHENZfDNDjiqYtBtxLUh7KAt
   elv3UmZ5PtoWGuUd/7MYNeGiZeVuALdFAzI9Z8uY1BEQE6kZQY4g1IAvvd09Xvu5
   Z7LA4qbfbpw3708ps9KmKmlcrhmDs62DkZP26lKUgC98FmpmKgpKmPb/V475+OlZ
   FLJkE8LVPrhBQlgJWSFmPCj5FTkWml+dAriVS+7RdkeohjOepRIw7ON+BODCpvSO
   AKHry0k5ANJOZhIgYOPCByDs+AypJtqPl8M0azkThmlFLBc1m6HDVroDklpZkGib
   hgANe0pnA87omyIXs3lWpkApS3Ri4HrlJXj8sM1gqJABeQEOOcej3yIlIcKgVh1J
   OYPfeRlibKzDHbIpVFs5QMzKNNwil/t2+VmuV9Reye1pdtpXPFDP68ilPO/VCyMk
   Uq6yKfU/3gtieCtCgYbh/5dAcYwAVwB4XvYqCO4Sxj369X90TBM5Ege/4e/jcNik
   S4wJ1VNVIgs6WlQbAsQ0GwwyULguRbnmXuwXmLySLgKd3pqSeR6mM6HGGXe9rdSN
   miIc53pdrWAaLRqP35oyOCjwdl8xgaaLAV2Un3AD+Lwwts2rSOpiTFbTLRHPYvN9



Gillmor, et al.         Expires 28 November 2021               [Page 95]


Internet-Draft          Header Protection S/MIME                May 2021


   /44HfmulG/cxGTWfJrXq54hh+UteebsyKUx9Um4LGqs29HIx5skDVOxhzYPM3+J9
   ZP/IVgnm/tqkzVvYd0s1SmHdhQyXuGt9BaWjii2JZdrQjbUv7KrtfLcGUNGl3yzR
   q4hyRecPQeCO89AryPZor5CQ2H1fi1ibSDcILtCP2UDzScA9qd3lvMRZV83rFcYl
   cRYGUyckJP6aJFYUPCXRiDei9/nSkLDCIjtVHESDyUtGFTv8DeTH208INYj5xjBv
   cEtW1IM2DXft68jf9Z5XsnUM1QO2jhLDaUptBWmKDgzeQa3KESniqdceGLrTM1H0
   lFgMPFEn9W/Ma3pdi2I21TnzIcS7ZaO+NG/2ZLKXMEVBrXVEU+R7heEo6mey9+qV
   ftDsbNZJoB7mTlMf75Ut4jax9YReArT22jhHyxZ5NiUu1200emE6VMlH2t3UB5gS
   9aoVqxh9xNiDMO+6Gh0xHbc3m712hWT6yIHYcPCHzC/wqBE7VE1jcq5PF3ZpfrBz
   ZMVa18yGAvhW+lF/Fl5GUpsyxJ7LR3RMUappLFdx+OBrAHWI3B59ZIDYTodigu6k
   e4qJyNKMwlEGusefonkkAX/53Z63QXe0RswKzW3cfydOvwfC0Hi0TQX4kqXj4MAg
   N/gNFOVRpbUfLEmaWyohkVEkcgxqyYm2Qvw0oADhU/Loz9p6a1Fjz2E29DNsKtdT
   uszU9+2D+9PptibTCm5BOEbgM27wSfTwjcyKpcZ1E+6SEiGVQthWIIj8cCSkp9uG
   vTQrG0F1HCYzBIUixyzrCJoc1jBRv9lcRrjG+xdVOrRX2gNKz/bgU+9e3MPW/MFe
   uuhCqpee6qMBPJY7JQqa6qsJRDIbmjib2gCdSLsYr8+E/KGTwu1TDDb9bKq1I1lm
   3LWl+d+VrGBz3Hl10N2PDgedjwHco3igrwt3dMiciqF7l4R/aDCJXgQOb2PxOqoY
   Eyg6vrAoykdSfrpFU6UDhXbnxBdlsRSQ5zfX49Rr+YHXOk/VWuQQkeWMA0m9nQ4C
   BiU72A3+nP11Kh7mc0/3FXzSEuF7zzfhfU88tEVvzmTpVJkgNm70NEZ2tX6VBe9g
   ycH24ytDbrYu5voZUP1CepPCdOTwq+uD1iU/UcIKxnsnxwPmnvqU/3Chl/wOd8/V
   4TwbNbRlSYit7Xt/3Kg63vkQa3wOBxZ5j/KOZLLPYkSy1OJTzvE7Y1Glf8T8oeGP
   li0RQbOaux8t+j9ZrHCtxfDvbTOEOXYeVuQV2rnbvQcXg+KOAv8Ef4TEfSnnnG/1
   dW0Uvb+YxJjABh84LTf6X7ja8BTJIY+oyIMIptw3Iw3BKmpHe0DqZaJKatzZ2JP7
   IaBmSS46Oxngqb3tIs/iX10OuvfoYFF8JP9VNwlVacn40mU0YuGJi62oWugI5yPG
   zjI1lcVAsiiTYMM8OUmw/UuTDwIgIO6AOSVNMMjWcihBOQSn5HgJNP3dc9JWCIzd
   xM5npoLCukhsKgzQr3MHHroiP6Jn+UsYwoNvFeVkVzb7nZM9sqmrQ75JJPiqADfX
   NpSGqNdGU6q4o7aCtjegr0coM4xyfyOEKyq04w5oXhYzAQ7qGvN4j0iw+WVtIX6x
   kMV1cVXLzeJ/oNxL1aIgZjt+sN8MGTf1IBftWxfuGO+WKvWwuO7D/BTsxexdfstQ
   J401huuod1YSoSsHMcT1YdDaRospOz9pvkjREwwb9RZtlnCjKALdVGeLDBLG3bc8
   SX/LC//AosoGt1gzAFtBa7/n3Xup3EqME+nXH1K0xjvED8jh6xchDA8U+tSghuC1
   0OmY4GFlqXtshxJOf0tbCGEoXJUGFLeYPUG8d8cn6aLwQiRi3D8OMZhDRSdz3KWw
   M08i6lvavxGnwBPG+XIVDvxkzEaeEZrZ9Ea19/RnW+bZwxMwvC7Ecqk4q7o/djW+
   FKjWedjnGYAJIHSZCljRDosskfmgCEL4nfgMwVfqF+xS8bTxyQu5RxqwBPDk8EM9
   ZN1EH4WY00hgN4N2oqllTUn8L2Ehx5JAhiTckZz+cp/nzKVpKArnjBQpCjTBUDiG
   PT28zjiTkrZi1eKw1C2zwaQ8KOjMjRp1An1P6zSiuayEtf/GW8nHzG9FcJoRlMKR
   TUt05KBg7wgE1RxPumyws1RL4cpIb2oWlyfSqlYNHdNCQykyuu/ubaQVg3VZyz03
   CRl5V3ErDa95ZM+cbaGx2JMXR29N6wTXEGi8FCMZpS5gTucp67yZtG3Ik+PPWkih
   8bYskpn0AcPCl283neE57MhsEp+BOekq9tAx4IEWDVzL7w1EotLT5gp5iZlqMeQT
   A4kCWEbcX0emotgo/KgYhSfgaSDa+LJqvFNlOAqpWU0ApqrBkhDUUY97uznHWjXc
   yS5rzHHDbrO448nJpFo9ioCAwFYkWaEKRCEljUlqlfdaP+jHYIz48nuecCtuVOeU
   gpdgE4EhL0mGG+ylj1wC6Isrqdj41aR5m3ZwMeucBE7RkyiCVMW8/GobcG4OEqGn
   grvjoMjWLjOIoJoeuZsv4ED7JjAbedGsA7WqGGzVTyyXbUVseSuYsb7eVy7I0VZF
   KiPI06KglRA9AQYPtnij3qku/RMQNWWrSjSSwUlm4FceY77GGo9BctQ7DdYSoMOa
   ia2CYsL/nR12wRySdKzJOBmgBPDA+cFORwReVoBwGl4z1YB7jCBCpjKaB3zRrfwa
   RGXijQqS8frHtNaj6+jQqa6myg6vlUPPRnEyPz69WyE5BVJOaSftCOixCtBI+Fnx
   hJDiobd6WBzdueaB7Qc6W6tS79C+F50dUbzHeZLQNRXHztZX/H4TyJ2Jz7Bhy1hh
   Haa5mIhgjdV985ZHUEBXIch5x85lmAjUQPADei3chwO0idxi+nbq/exCmsAxj6JC
   cIuVA764o2gftaIAEj94JXMVy7Xi3en12L8wbUezyFZGKhUxwKi1WFhvb3or70DM
   yT4U/URV1HgDgeKAyOsAkTeSAZsK08cRvhxDrpLl7y5wOfxFkSbN/04KujYb6YBe
   Z/aUF4VZeNeg7FEmpW6XAVSorFQ6DgMLmY2TyIIh5GswHwfcB7tqgYVYSieRM/ns



Gillmor, et al.         Expires 28 November 2021               [Page 96]


Internet-Draft          Header Protection S/MIME                May 2021


   GZ9hks9nsg6NlaL5ueYYOyGs8MB50XHDS42uK18fvRI8qA5liX/CkCdUJC5Hlu4i
   lt3BXM3Z25iaYaKEmosgNj4cMdreoKFckmq8nSBdeZdIJ0xWX4/ioBdOaQRTknIV
   wSSQb1utN5X/AZmKnF/65svl3IgngkLQIbFCCaD2IAzS5itRuTcbK+KZbKSCLNpg
   U/qYmuh0TDeHHMO126VEPQXAQnxvtV/0MobXpswmuo91PVsbFgCU2IA0JDILkI/a
   xwaCsoQSzTnw9qN5BVmIodbT1BBfoDorlC/C2HrkeD/J3+jSX/35Zbb9GnuLnlwU
   j/fQaGftHgt63pLqqMycYcVmiA0quvpMZYRmBGhHPyr+TcoLzkFNAsNswev6//U6
   hxWkF6SAaIVWF7hTAePbDqIyeVLm4s2S5Qhjw5IAsQokxff2C9GZTLDJpBlKv7oE
   r3HBtOIs6Y2CzkCH9nXfQvbv2LWEgsAgq4dLk3Z2NRCt/LZAWF3E5a1wW4YRRH7j
   Ozl8aACWB6WnKnz82+1v2FciFB9L8b0gNwU01u7sE1ayC2TQGzXAhu0riMtqBiJX
   bLmCos3/VelP2TodcI9HmrjSPH5HOWnP0h3M7VgXHbohm9FgOZf+0GNaSI4Hr/3X
   nvFuT6JgJUS4Nrq9uE2RpZ1XDvLUVrwE77tnLaqXMbLeHm/V/TXviqaxEEgtCSba
   iWgsWkhjk8JL/Oa/HBSA5mhf8Sq1ru46/sJXjRdZ1wXGEVmCoSkJmgKTn2a/8K1g
   XE1NMeTFZucz8WJDAC5DFvqthrHHcAcG8YMVTE4EzwfTrYe9dxfHjILMDjP8A3Dx
   c7tlM/6g1c4nQTI471xs28iOsRw3upKY1T4S5MRqidQD2yKYbBVp0zMAwsybq0ay
   Bmugnz5xafztkADCg1mgQ4BzhXWz+0CMNj4txId3kMwGt7Qi20RDf7cDrv0S3krh
   lDGwGSl3fr9aaLISh6m62v7hg5Jn4wl2yXEGxAPj2TXzZwVGL9hmzbghxt8pJM/u
   HR2vMKohagn56K3xIfwi8QrWDBr9r8OKj2Ia88v2i/QeQe8CqOVu6yR8xAxGQFiW
   mJZO3enMPl00rRF9wdj33CxaF2q2kVysid59tPfJanTHUYz+IFV6/NsRfMgye0gV
   9k/ebq0x5OIIjAjhllfIFj/jyupnblUteAILhvNBfkqiDkWg9Yhqd2MZXgIGuJod
   CLUq8fWt0iNV6WkSthZI4O2wMz3ek4YuIfyVrh+oxQcG6PihlwEu5wamZb2g0GDp
   tqa8AD7v/mezlHR4a2xogj9lDLz3RXH1RYOQHSbvvRebgjZrntOG+gidcbQvsB2e
   aS5X3SZXYQ0hbG4KACkwKWTj84Jxflp+KMfdybhVz9HneTtiLMsvlibPVj54ZuPc
   YNmELTHyCxjlsX61mmtydIAoitzN+YrB+MWx06KnPbWW18AsH/gWNX0qtYIRxJjY
   rZkvzOEOUgRBxdWuK9FlOcbAfq6S3fIPMJycTlSalOA6ltq5XtjfozA2ckRutqV3
   1n+JM3Lo55CMe9igKfi4sEuIPmFjQQccxh85PMZKXZv+k+EU/PgD21HxWLbp1y1n
   lwSllaTC9kNAplcvelROfuM5jqi1qDF6Q6w8pwem2m+vUc0aV0CBGJvvz8+Y76Bo
   fho7SD9SeBOnCsSxq1cOKaeWPl10Y001wUfI061oTbSya/tbNGgaE+pXzIbhKCvv
   wOTZ6t3+12dhZ0mx9Ozo1pxslASescGr4MDQePR6lecDPdgU6cJZMCzMiKrbZC1M
   lFlApbM5HdkJOGOAVxHvbBP5u5SSfu5GGDcjiVp27A8kLGB1x1JkFr/ayVqyi0Zn
   7QUQu85CxW0nxqFFkYxXfvWVpPvbzorPySEntj+ZmwdqB6asqBuHoW+WEVf/U4Sp
   7YZ5c4Q6mP9/HZV3J+1b+BaFuuROp8lwuvYuITRpobOncr3+U4Pr77vdBbzYFm65
   kR5uZgS38rm3DX54qlUhb7AeWPnwqtEIaJA3soThkk+J4/GAIDM46cQaJdPfXikq
   AuZkkSOqjH0qEQR2gprYNTTakISQXK3os+aSrdScZq87W55RQ4bW+1pwZjCnlEI5
   zTgzG2iWGCaPHZvoCV0cv+Ln14a+rplNBoRDHhDuN5Vxnd8R3QFz7iL6WOW8XPUW
   Vfhi1ZMHR8/e0rgqlF7nEw8B8XYydKsPRpYDnrjWOUA=

A.3.9.  S/MIME encrypted and signed reply over a simple message,
        Injected Headers with hcp_minimal (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:





Gillmor, et al.         Expires 28 November 2021               [Page 97]


Internet-Draft          Header Protection S/MIME                May 2021


   └─╴application/pkcs7-mime [smime.p7m] 8170 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5034 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1082 bytes
      ├─╴text/plain 57 bytes
      └─╴text/plain 376 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-legacy-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:16:02 -0500
   In-Reply-To:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>
   References:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>

   MIIXjAYJKoZIhvcNAQcDoIIXfTCCF3kCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAB4ecHLrDWfKl3yL1TN/yBLvobSKk41XBXYb
   VJ/3GqI6j/32SELFoDOUXgckW/66RyPsEs14KTmJRFA5KWGZ8NBPDN2AM8zjZfS+
   iRgYm1d57/u4DEUnbUTXOagYTa8eanBrWX4/oGHg1L5wI6pZ9zyI5YUCj0tQUaLW
   9t4v3U25z38eCokhtksHNsCtXSvLAQzx2L6KrFRTCfCmgVgsXhsOBEiTCMf4ZiB4
   hh0lhyu6SV+07dm1LcD0T7cLXAD4mkoeldbIpi92W6P66Y/Ay4PJAXZmvyq01+za
   5eYAieaPxfVbMaGdyayOUMV68ISqH69uKJpRVwVsZGhQQZY/MdcwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAkBeWGtHTul5YGzJtjM7gl/ET
   UpVPGeHs/jLsqj6oeFQwrE57igqf6sMpY69yrFJnDm3aOjbZdIJg438bax+XjSG7
   vQUy8m6CgeztdBAzlTbdVU75sstdXeiRVwC5fMtz+H0ZymV3SRjjsgCv+0TEJR/j
   gf0IB84y+zjJ1QMgIvCxIEXj3j4qPI6mijEnwqfPZ5nBcBL6/W82N205SArWYX71
   iIt/GE68DH9o6FU4lAXJSQj8iuxVFzDV2GTNJc1pTsgcEFC9bGD9NgZVUZhaSZkM
   JleDMSMloQWPPd8HbXBiogIJG3dRudWSfohmxjOUZVj8Plq5q9JPt8sp6pEIKTCC
   FF4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEMSKvlmchoxV9HtD4C7JxlCAghQw
   uVLuAYWsCKCp+Ltfh81OkGuphM6f7qhorQ3+GLdW8e5C2kjyxEAjowXSHLjFAQBP
   aw7UCTiBJX9XCl6/0D9iCh8MzLDz5XMxwyJmluPAmOsyWvaGfFV8f2mqBrpfgeJB
   kXZoou1UuRjv1MnKCOmwdfGTQTuvfEwawURVVM3cZVNidgP5QdHWBVHayWW4zCwB
   WpdArroepsEA8HvcUJ1j4t+rSefJfA/C3h7+J4HMi+/02tS+0iEUSMVl/xsp7Ote
   jzXdtdjFb53756oCnoRh66ozZlL2EoMs2v18Ccos8yHkPUCkSrBoRjq6fTl76PgM
   mRiREJHwYnNZImV5vNRcvwy/S/+rKwUEfshRDYc0P5NHSkRZuMfNu3yRB6UnaDzL



Gillmor, et al.         Expires 28 November 2021               [Page 98]


Internet-Draft          Header Protection S/MIME                May 2021


   3l/qOhv41DdptlI2mbvgziItgMlXdnzGkJQkS9G5V+GLi8/ISN2S7DtWpFCaJOh9
   A77YNI35X5nTFioQiYZgRFjHkLEB/cpbYiANBHHtX0ZE00tW1w1QOUVJHPo8N0aI
   uRx7oIeHWJf6URM08yVqKV0VSrKHxdQ/RXii8qWDlS5DUk9lVZYypqmui4Nd9Vc6
   N8KjbqEmaOlcA1XKTZ41PRAXCA71pGDPVutOrhSx1CuAqk0UJoMcx3FiM+uCmbQQ
   WZ3K2OtKWpbRzgGxn6AFPMYTxmQfhbfp2WFBK4epEZeK9TK0XEba4/L+V++bPzqb
   SKTa0fYkRmfrXrQ+K2yKvMIBO3yPjSbEXQ5Yq4DWu5tTohOgQm+8zAdYeH//S0UU
   F63qGQyKYlTIu1OjIauM9g9F2yGQdJGRtjSmbuyQ2CGOeeJpVY+Y08/5O73GvyqE
   eytAb8Fa7d5gsToARMcxZzBl/NBgIJU4o6PPF7FYSz9cxYVtBdYiRAJBjuF+CghM
   NWPPVxR6SqsNq9fm82EEunJZNlIzkqv0s76xySZaOizvjtvw9TkjDAkJBCP4+o6+
   eTRjYtGsgn4Z5JY5lMQirVxEy/Fd3gBRwGD85mDxrHKXtKT8j0ke7DjhAUuw2YoV
   uChtI1tGku9UZD3n9mbd515LXODVtbCXAJu2JYkearRMmOq+h0Pu22kGwo+9hYpm
   A/hr6XWNmQlytONCbIuNKyRTAt/CIA91trDVpnXqS/hIKdxFGx3OuYfHz2pELJUD
   lLcqpPhDYWsf5RoVykafGc76gUDzknIl8FdiFCD6NNJk+VjBUkPUvwCEIM6fyIPL
   p07H7arnjZ0gJ6xxdyQlXwINqAMZ5DJ/dR0EgJtxJ7btzBtqZ4K4KyLlsDpLj8qY
   OI1aTBH6UilHzQn5khZgC7XHuEHy1mHIbR9B5QeqqlwezWmtpmfPGVSv4UX3fRHa
   h2yZ1QRqtvwalWPa97xj2fvQw7HbWtqF4scO0yLr0buvksZ+FWmc186t3zTdpnOY
   Kvb1GK9VATs5UNjzpAdqqR/uPfqGyxjOZDM1BrDxVMejTL1bCCfzgpJ88A16tTIH
   OvoLhY+8wUoZwaV4aaQIX2/Jq9H5EuXAJX1nffWbPdBusWlbUECf10DsIhjDw4r1
   PoPvqcjIuHNrp8Rs1G+COI1d4KHKN9mMgOxDTNgF1gKkkw33wEy7DRv7/b8ej/CY
   e9xLlTCQnXW+kAKs+OD179cHdHR42Jv80QEwB+Rx5m26mYsIcprqQf83Z2V4Gg1J
   OYUCxd5T5G5rBdzLtRE+NipJJ0RqEKCEyc3RH39NXkg9LnP2XvA8zsByExwrruTb
   6HZ5ojO7UvEXRZ2A/H9nu94C0+KPtER4mtESJFDq/k6Tn8MF+vw7k/2Dt2Us+TVI
   q3do4FvUJfyZXmpX2LdDhgQE8CMb6B3hNPg+NSJX8KvCdWU8K79i+ppaSCknAaNq
   4cxYavHhYdHz2U9zQKLEJt8am2/Iyf2d46q6plUzvFj+DCFoD3z/yddRNqe0M1Wt
   tdgvklkymsJ6E/G+vpoDw89FeDA7oFc7mOgBsxZggi2X1WY2KUIqJqm5GwYy7j0J
   CGpHfQqU7WDvv9kvADEMOq+vIR17lpn9PRUluwutdaKNwICZEw4A9G7LuSNRhNz5
   Me5pO1Tt2BRK7NtKCdiMiuKFq43ezOpMpCla2VCuEANA6iZwGJlz5iBFckCN2IsH
   NTNXA8oeL2sFcW+J9JVTsw4YnR/KYSgMlpoIU/l44fD+FMmC80+MwVPSe6QJkyKD
   zXE9a/sP2WsAC2WEKiG71U38HDbRXzjyEVJcrTJAN/LSjIh/Ko3PFuuEvTu+2Rmk
   A+pOI2vbcEUlcS9qkQHuvSefxiIosSGR8HSWGr7BJMAnQ4/GYcPfJcib8vpN0l/n
   ID6LcyTTAUsPg8rYb7DeGuiwR43iW7wkReWc3HLO0p9N1UhYWQ9jy7Tf4L9NzK9B
   rZgAIPPrsoHuE22crg85aFU8JR1GHQyNJQnRirCCOOqS4B8t2ArY+bkuWrYj9JsT
   xbYzTYYWhA3pytxm10NRGmwD4MU+SEdVGs+yvTo0YN6BJhm/OaHHFpWywNICO3F8
   NeO3+GBtaPXaxyZc1l7y6CJ1d7xGHnGkE3pQfkg4he8exYfyhdHpzxconSoOZ+XR
   ft4fqgk+tB6hyVGumlhyPz6ThWFMorxnJEgzIZR7iIuk4+ooiePjgTGjrtvp+rNb
   98e09SqpIxqWdiU4yCOwfkOg7hEb1SuJVoNFVLKoRMIgf4vBKIM0DBAv7wUebO61
   9JnhoQY20YMxSsVypdYeycF9TLIDreu+zufX6LNkZt+kq+oP7DyRodCB/4SIcRzv
   tzXxNPUjnE5kHv4dxDXieBiC2S8zbQO2vaQ8kjf4/MOGjpP7eYBA7vK59kELCq0X
   b5ooYbxS2aUF/FbyTSRCIeNsCWUKMBmps0pS+MA1rpZ0zFxVRqdgmlpoMQ7AkjqB
   DI9B7RDDrW6ORZXX0D36Tcm+/PbJxf4QFmq7/SAWKPsZlN7GEYOAlRhfOr+XHHBy
   91jPA+XdUDgKXt+y5kUxEcFRu14yGiCCUIOU7vbWxHqvXdiBMrjulAgduWJlVqgI
   CkI9QEDt2NNV/ElKxUS/PCnqCSWBpfg8u955rLijFchVD6sum7w9+X37tblXKeLC
   rn88xK/Wbi4NxZwEdp9OWbpavugUAe8ynkwBgfYIWP5CVbX+gP6BshyN7Sv23TWd
   kVUjudyfoXXBx6paTL64IgokxXvYMHXTPHmRkPhZhcPjOvaAS6SYr9FiE7cbtFCZ
   yL1EcV03stmTO9x6mpJeWuoQs8mLllqzQFTwIKyLG/2gbOTI8Hjq3hWoVnSwDvxT
   xljQQQSqAGhLFhnGqnGHDqTUI0I31e7Yj1Nn4E3z43ft22Kq1+OSJ+g3LCHrqepZ
   N160YqujX1Kd6/5t8dtnKFNjUlCy9gzJ6cy74pVyfQl4edAmMa1s/vZ12VEECXeg
   hi+EmuMLquKZEVv+U0cNQxPfzm5x6LzWj7ibLkiWa8vDoa1//WGIWBcZX8v7HLN0



Gillmor, et al.         Expires 28 November 2021               [Page 99]


Internet-Draft          Header Protection S/MIME                May 2021


   42cNimy9xklYmdXVZ34711KHEhwRLpYfcrwNOttlwKOtfThkw0cW4bSatAmtguPd
   SrpBwOpbTKI3am0yVsPCr0cgKmeMaNTZSEN5njDB84rsaLZ7aM23+s1UlJmyMQAi
   /CCD9Lrl7S09s383KZNpNKmEUr4VZ9IQYipiDzN4wOI907mC6DWEVRh1II+bZeBM
   cPQlrOrcfVqPqlNu8qiEyJUT/03Rb4xxAjH16EeeMcEIPs+BRujxEybRnBuPA9BO
   oZ3pmIuN/NEFMBMZz7/VKoCbd0zapuV4KIMFzaEn5HmnHbP/DU9lSQKZcr/e0MHG
   7dnTM/zx2VxNk1f0b+yBjvZm15pV6FyjgGeldnl42Rq0uAzkYcs1gcKDmaEy9OVZ
   gNbu2k78DOtDhg58PRfBmX2luk951xf9F+PMe/K8KHSBqQQ+oD51kSUxuMPgQxA7
   rMxjdy8G+mfk63cYrWKZcNrr3vQ9e9w0oLjZ2dCtKsw7jLCxjAc0TIycSvn+bmOS
   kv4vg1BgsU5xTUVEK+6AIRc/bzOA7JkqMW5tsTYaQJ3szW3nYrTRjWMOIEG3ghvb
   urJy/Jw0UBkozxP3zl0Neol8rrhAM6zFQXIE/nuOasAd6YF+TrFljIOIJIl4IgTV
   yTAQMeRXcFLYWRggFpdp3d/7a+M5d2p4lYbo58jydWPvqSF9/1PThswzHbDFT4fo
   iFZK8EDY3wWjN55vyXusuB+8vOXMBLvamfTfFb5XDjZLeXp4jjoyaDf5dI3m65+K
   xegr4fk0R0wvtdx4h1AtBb2C5myMLN3tUPQN6r9aEoc+U9ZiyFZinpaW8LGuqcyE
   MIP4qWglDlE+7GaQbuvQfSsxcQ+YbQI62OyIgczsp6X8zMqKzhB0MgE6k5XSlYw4
   86IzcjlkdDYyDHNvQdmt+yfcqSrHsvBgkyD+ISr7zFrcW5WgCLuzi3WIlaRjgLfz
   IDNUjroPB8xE+3YguefHdSoPF/Ai+lUzFXpRj9AE14JkH0WM9pPKc+JPgqlda2US
   a6hLRd4+z4MF1HGbINbFWDmV2OiPDJrUzLcwaAHWu5QK+NyXlQWmYUB+iwOg7hyg
   /gG9mYNUpzqtJghdu74HZxigX5jGUKQLthULGqDA2EL0vR2KCOMm9gLxeJkOrxqN
   8YvCSpYUkaDvtIJcwExkfGu7LhiTXl5vvHrF0RDnhK7Q8QT9yQo7Er8Aay5ySRVi
   ZFD9GhfQlix5cDox/YBNMyfSQm2T+O8WJdvVFWHF9mBX7ceUEg77EP65fjV+boY+
   ir4XmTJlZ01QUX/RuepGrm0969L1kpgwhpXIecyu2u3RKL4JTv6jLGpK69GMqNrB
   Ol6zRufAgsUbFAzpvS7KeffSMQVeib6TthMSqiw5eTlUFj6stHMJzgnzu2tQphDb
   TUkogk/41XGI2q8oMczv/4AL78eRQVTPTCU9MQGe9jdNlqrnbh6mSIXAxA+MUdpf
   KzavSvbQWqnEEGQzsabx6nLQ5uPV+e5kDPs8IeEV83mi4Fg9v7YFrAtMf8nA30Vt
   eCHnZdgiQbaZQ6lt+hdiaJQ/+Edu9HM2v8aj1o0beiw8Zy++bGo3G32xazJVkFte
   704GrOVWo5W0N0YGbzacvkI9ktZpwudcS7u5qp6HvATahMJpI0Pzujww+Y9j06JJ
   xudfTJ6BgJlak458LUz37PrzSPuT0l8VGA7WUWeTTXjpNQ6WEiEcVyVmyHKbeB2+
   5hIZKHnueZzqbtQjoBldChMeLRpYgA6RyrUxDJjRXrkPKdn0h5hgwyrYqdeQO9Wa
   5pfE2mZ4BJbOFLPZv8SMTKEnbR6a9bP6Fxhir80T30HiPW6Gc6Yk+yUx0aPfiRcJ
   3qFKBOVuwrjEP1QZqVopm0XnjGr6pSii0+qk3f35bykpl15n/wRH3lVpPW1jFAlo
   xKK9/9atIIy6+UejHD+tIgbVZD+FXcJKhtdf0by7WCOMnM7qaRrLqloEZlRVN8pD
   283HqyRu+F05U+0bVL171kjRkPlb5FrtpqiRV3KswxP661pvIpVOGSh75izSb9fo
   YsdVCcSa/8jFS2VxugUa22efyOhAlCNQr+kwHTXztV3V5yMALNpnnUOd/t5IG6oI
   5PUAWfhPFco9b1em9v/XfaHwKt4+/buRfjIXiJOf9v54FoO6FESNXcyAPS9Fmd1S
   lHSqrGKlD/lz5X7IbEq4tnZoBpkTMtbPnQrWUU+6HiHggjrh6goeLwKKp5IgtonX
   YmmGzyiLY34japtze8CfCyUZGtzkJqQIaYg2V7XF7aM068h1OVupmCYlkr3frM7Q
   HWssHhhcyVZ1q5pM2+5lEi6AZTblEVI/gwO6/0Efn47vwAwABCGKOR//MX877q7m
   Zcn1X1fxpT2V8hcEcgCOOmFWebIBdagvTDYu1QNBmGmKUTe9r1OTWhG2OEC8GgB7
   WMrNGS1i6wYDU712ZnjvLfUT45wsDgPBkGToecIEcT6PN/kjj33IYQDQGxxrXAuf
   oZeYnioFc/7aRwh3tYjJNnNz7GpI/gVNwHJRwhufkVvJjlxqkE+sCGjgHaPo7n43
   0ZzaA0OADyFmrLQeFDzeFElDUn/35LjU87CZSZxOisurHvzV4hpfQJtCuJh1FPBt
   hC6ITgbq2hZSjPtyZEd0gYTyMhw+mdDyk/a+fbgquB5UcZDg7Kj8Kh738m+WLxYn
   wNiMwMbeaLMw6tnDt2D6GI6+qCjlBGydFm28El30EfimhifK0qj0utVgbNvhzgJe
   XEJyXivslEzetRVvSRAy66COopqyDb/R/cKXJ2r7zgDmr1+Fq3OXB8ypw00km7gw
   0Tih89GOnyTMvTOVOFF9xaL3WL9lSEi1LjJ4S9XgNxiv6nCe4r2NW38Ql8RbF2jr
   XtOjGt4nY2KSaCtN/FMElqUilj3VtTmRRBzrjB8T9NpnfHSLbIgW9xevNHUeCZwB
   fgkpW+CjkywygPuogLtdq6tuqb5gE0GT9KBDRMTIlQYgdICvBnwDxVnAQreJ3HPH
   VhpRkJ5Yav/37Yq9YF8RSM7XqPuZm+YgZElNMMTHBVKfE5cW50fFWaZLzZHjjS1L



Gillmor, et al.         Expires 28 November 2021              [Page 100]


Internet-Draft          Header Protection S/MIME                May 2021


   75nd9FFceSjzhLMVC8sC7oWZqGdQBpcNg/BYBAn2Stf81ipSpz9WBoqQzNcO25Wb
   qyGxUQfDvto9TVrJe+/7bCFqZbwx6RKZDUAnfgC4hs//PKm8Ts3+suSkwzfEpxN7
   0cESXR3yioZNbkubxRXWzemAJzGn1G+Dk7MjoYQ3h6Pgjv7FJ2MDnmTDoJlL0jLI
   zYNMz6izuerW2r5m3PXfkhffU7mlwn7Bo/6mbR6ztrsTOm6CbjdlkjjdSq4cMmX3
   ZeUnehbRY/W4cGu9zMxJtNVGRTFAGV4zXGqjL8mTEHzA87OHf2BSJjOCM/V545U+
   Td8ulTmmLG6hyNn3E+cL5Tinka/j92yxTzzUA2TU1uE=

A.3.10.  S/MIME encrypted and signed reply over a simple message,
         Wrapped Message with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7605 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4616 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 810 bytes
      └─╴text/plain 325 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <fdccb76a-49ed-50c5-9030-e4aeb83d7f04@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:17:02 -0500

   MIIV7AYJKoZIhvcNAQcDoIIV3TCCFdkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAIEzSE7YJfWjy0TMQGEfYcrcBw2uruGZw+/k
   QaHXEcEFdwDSaKvAzEFoNN0xMpZ090ybC5MHqteYMRpaax43TsCnes6XevL7o7FV
   gSMI6CCnmVlY2Dvj+oGPHkl/ZkFRPz+Hsrnvl65Fs19thjbtQ7LX9uKE8TBODLRF
   nCnuyDdHx7iDJGI6xepIvD4M3zaUwpNa3fFi8XOC7UH7br6+UGCRQCZl9nrAU1W/
   VvfRt+6XSWXl71IU/0syMw4ghwS2tsLgZhIrDkFNlEokgVR8bDejaV9px7jH+d3m
   FJ0t4hBjsZAfnggaecXwoKUaPqlj6Xl0e9cLtqwr+26h1TmA8X0wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEACUHcgXEC4pKuedLh3CB0QLAW
   HULF5htBXebTlJVES1voU9Smp5OkueBMptF18R2ojjM36C5d3xtdsBddVweJqNyA



Gillmor, et al.         Expires 28 November 2021              [Page 101]


Internet-Draft          Header Protection S/MIME                May 2021


   Hgp92O7qVoPyVXvp7BByoNRgZcrMx1pRoTREEjCX585MOXEBFUxRVRPohViZaOAM
   dgdWFB02fcOwGh+RtwBfE5Ege2zujhTpF/ie7XIbNOlWsZrTDGdQ63VaqvX3AS0m
   TPJyeqUkstDWSzOIrOlp1W/YjMcYNjDkygeNgppdV4SEUFYTNxz6rqql4E+a8LxX
   IogOTMh2ruDPamtoAEMfsMvz9XUjSN4TRWXORLkzQeaI0jcPVjr6AHLJFG6etzCC
   Er4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEDyefElL8mhLfkZjajQLY7KAghKQ
   4f1OU+eyhjobu3iIzeCooqq/a6JmdoGQbY6s656cODYMhlimkXQkRV1QEZiLkAOi
   aKPZy3zmuu00h5lnpduDqzFq16Clw8CY/99ep7I6vANjzmvh4pV0onCsR9GuYexq
   65nR8oy9dXdCFP6vkGBFXcrTqnbPQrZF9DSxpXiicROjS5ybp8clDbMJKB0x9LQE
   vHcxB5jaNGAsb+IVHZr3LjvO5V5T0/YsXn6aJXQAVU3bOO7iUjxgvGxQGSsShre7
   F5qW99KiI2cc0c/wPtv4PyvgcVuLs/CFtvc9CfgbIAr/Vm4AupZUbaizLnpxSK3S
   PKY0l/8j0x8Eavv7LsO7R9WzZwS8zK5Zrx3aDRclXUMCXyQkel4nZvCOintGDoKo
   QuSs4Fy3M826VYkKfc7uaVo7j5lzoSeNUeD0q5hpmrTnJ/ce8C9T0FES75jc6P3r
   Q6yAakdLcsTL4XPc9Hi9stkX0pPrGYrK1HYaDBDBKZ92VdiEVGlX/41hltwX0f79
   M/R1sbT4a2j9PsWKRI7Pva3L0nNGV0iajjBslyppdXLKNFBH02Vy4zoujcjj34Mr
   SsrmW5EkoxUZGzlX9NAYV8N5/f8faUCYnSbfHg/QIK9WBKggCTm7e8Gq2iGgzVmx
   Jpj85EkYXLDkS7tN4KhgJRp3ZYRFdRUutoq4SVNzNc3AhYDMVyBWcpDAIY/Y8ync
   ZsHpEFB1Ypau4/vtj14MCjlIfOtRDf3oH7Z0Gp6ecWGFwkZ+P8muIY95FEfOofeH
   gTzUi2M3NwbGVOSPpTMxZE5wesAvXaWVS2pN2KPmQLBXPVij7vqavbVd1e31d8JJ
   cRJwxdVYO3Tfe42TQRdKjYIxQmPrjRdx9d6TyyoZE00mGed11v6Z7lxWcvGZDl8k
   rMM30LF4IgQjCVr7EiAYIybviRYLNNKptCqLK/TvANtevYEhb9yTynwevu1nFW5e
   Uw3rihR3MJgCV7+zSvsjKHubdSpuu5adyMKfYpRyDQM94pKVEvEVxR8Ja51xyVB4
   p8T3Y22rNWjlsBf0B7UAVqb/oDuN5oW2M8K53GVXEPUg+80dlR8r82Wq7ahSyae+
   /jAZcaopN062hQvXXsIFj9vy/B2rdDu3hreUtFIjgLrCmKqmeXIvh7lcBL1hQ9Zm
   EI+F7fIJJSynDna7PLsU0tANrE6lmn9XkdL9EVCVZK5LMFp8LtuGo8EMZ/MxZ2LQ
   99duo1um5gSBdZJYhrxb2rpmsVRrtLjzKCmywxOEBlyj3hYBNjFcdYhRd9RsMRgg
   QjoZME5ovHDRyBABUiwOtyGIFD9rt8xNqjzHWEizeAzfj+WbDfWDz9qrysvx4Myg
   scicK+yCWBwRvL2LbNb+uHhX879Ejj4zzkSlqDIuOTvGduojH+Ti6aZjEdnpfKGM
   xHRFRHBI4hmwuiwzqO6h6CpuX/2aew8wByIAaomyyGeTscBaJk0JumMxhSmeyImn
   T9DTF4dUXR9cGEs2qYquQcSSc2KNZpaRpVDNcTETNPLNh+vFUPJcv485g3e8EJIy
   VS99+e2lECdjkc+iHVMBTXdwSMEgrlYdIlfrPCy2nwsajp9+4lhL2aPk3yEqSs6x
   QHPO9cEKNuL7BG1Cpq9wkr0O7CVayEWY9W0k912ARy637pYpgeQ/w3eNhlGjSuRK
   pXZr7WWgT8MEuF0PJPOVWy2V49JmKjP4po+9/V+ewHievS/Z74/xozJnNhNqyYDp
   56mGQ3FH5Q628WcPdk2V9h897AOsHVyFrjFHlObWeUuQqQVctYqT6QtW/rITmQwE
   85DzWoYELv6ng+IjSswQEeKFm7UIbz6UBPe5IVYJaA6nAXV9Ir0ErT0A8QLN/Inw
   Buz4RnznGuXNgm7mONvWZrYnbwNKGsbO/LSmsKDmlCqDd/CRZLP2/r0mgNld6Iqy
   wuFfFo9Ml8WXUY3veMD4J9+i1sm08jMQfIqKgBOOczsBt0sPn2yE9mgcsDgudO95
   jFz4g2E8RUSRJgj/av9nM1lSCYjnizkBezVvM/S/qJmGHOl8RbYSZlZBIJq+xkAv
   xGKG0oNKVzHe8VtMUwBbi5kOOx5oTrvJ/A3s36MrE0JlcBKV/jMMt2FyDE++PvFE
   0X0zf1YsK5281jNBMBIA8GRbLb8+G/6q5RMf/epfy7c4oJRpDblPVhSMWXmgUNxc
   mLmCftewVJZvvtUu0WWcVWZ4s2GZOjtBFlqXcm8nBdY39drprA0pcrkL26XKWM7y
   F+6CqwCgsMabwViBtsY/BMVeO26UCfXJfytMGyCeuano9d3p12VHCLM49TQcWIpZ
   6yRLmKEYoXxvtThZE7WndatiUmS646xpsLmtoHpAhN9V/AJVUB5DPHDkFr75fWp+
   GYsKyEDDIq/4U6gYlFkzWuNF3if8PWwT8PbkiA+2XWrUs9N0Tw+ugD8LkeobRw5M
   gHcphVR6Zia3WvpXBe7u/rGgNqzRWHSDtT2UWKsJx32iPuQEVb7/KQNT6blBhFrK
   LUa6Xp1ZUtvdiJ09fNx9plaKquHQqjV00YTga++ZCrdLnEL0IxRMUbzf6tkF0fF+
   gNnP7uaCt/1mXRyilDgb68oLxN8R/fCRTSVZibLhimWPRFXm0Qf8nznYR2+nOARW
   K4SfFLhhB7QqsLHuQ6WB8k4vwewhAuNM6EDR9wSyp5wJ4/NRtwm8b+Vf9aYXweQ7
   8n+mGBpKQBwStOllzU+pDdorM+jmLeky2hPVkR59IvEiZmnDQXdzEWZAVEC9jbsa



Gillmor, et al.         Expires 28 November 2021              [Page 102]


Internet-Draft          Header Protection S/MIME                May 2021


   llb8FnL61OedbblBkjfeaXn+hD3iRbz44vyHa/l/4fi717XNCyWMEL4Op/hezWdt
   pGtexT+AoYw2uA9+qNkz7OxtqcSzcVkm3jWTJPJLrYslUUhI5HF8yH7NtbaySqPm
   ybxysODBGFXz7qf/o/rg2SNHfSIcfr/itP0ZpnuHiCtFwIBYFLoY2ceMYeKfvrKX
   9Ble9lgex4BtKL/uPFQopYWNPKAchseKIJzptZpPW2T37kt1UYzEhzieQpC6IDCn
   qSZeq/Nd56iF/kw78PQMDCGLdulJDh/nu18LD62GhCWpZMEGdxDJvP+VdycMEIkb
   BHXKLKm5NNAygyw2Wj6kiAPR3+/ZJBMuRzBFSxI87Zt/iXoHM9PYvyDcgjC8wwEK
   z4jRNokSW2eSmgRp8ty0ZSWcgnnegymkRsYSYkIc7894qFP44PmypNB981mLje3c
   FsuvRcVny3r/KJ4XI14OqbkYWwD8rkHbXohiYQx8N5VUqlfQCMyPpaqYf247fW1p
   YJwOKXeOsJeiv5/uUiC6GzgunABnBhZS5uFVKoCtVITzzOKpqAEFFMr6fG1nOMzv
   Y9XwwT9fnM3XWB6RsXeHvSMKjQQXzOMxc23mtV0wse1Mg01UJVcLURy1jWoY815F
   DDNeBt5irzunTvX3eRCGz9oaJ6Dzl6er72YqmHFyKEGFyFjCpOxMI3LlwZhUCRM0
   MrsbtGKchcht9fmh2QouxtQh8T9r0vLlVrHyJhWwargNxQG+25ZPyb7pmBR9Fs+B
   5PFhN2O3nOr9LbPdrDXxvsGexOwAwf5kp0LdM/8g+cn5qqSNGcj2jDagZ5j2IPbJ
   9S7HmRxx/D0v5RFnwrc+WVPR+z83bYwlN6Ug9KB1S1lwE9E5DEUb4MWbnh3RCi8k
   Uhh0ErIcBWByUooqZz1in408/ebhlpC2zYCOHqUP1AgVsycmvbZf68bHDZxJWPGz
   w4EJYYCAF9DGbvaF+pA3TWnt7jmf8qLliwGCgC7U2XjsL6aTClql8QseE2OvvBLE
   11g4ZbXJXHs/rV9ZuKzzIE7MTQmZTY4923ROG/Bt9Bc/1AJ/a3e/mdYoZ+79TnQr
   /sLP2FiqVHAOtLY8SQXnVP/Tes/Jc6EAxemoCR7fT+959WcC+vaow6MTngjk6JBb
   YQUU5wNNFl/834tnvSLBI4IohjKbp/ZBqsctq6bg3pGb5MjfJgOxybX3G37CdccZ
   yxd3N0+3lXBWuEuUEzusUu1pqxK/TpVTcptV8IJJweiQjwYCESMsp0vHO44a5ruy
   WDiMaDOdgSiKgTl+4LiQsTTqVG1Hd3WB/16hUvIUeCmwbsDLZ7JZWy6b0PyQSqdi
   AH2GwmcRRU0Kiebx942EDTkSTDudSCd8fcE9B3zg7VkgNkTRyHALUW/4kEm2LayA
   Igg5Rkfe/t3w0wiDfiPkx6KZH//S5FpHgbFbPiXGLcKIozH0ocs5kT6L7vKc433K
   es5nwUksTlIiBdSP8fJjknUww179CqF5H3N00HUo3vN9Ghso3bvBvI0WOd84iuLk
   7OX098rJyQR8HBBiUFG6ze6ZY8hd4EY87dFY2/01p24iuQkLpXgxIRPmm2Z49Wvo
   2MlXLGIao+4D+sY3+E5RtOfjJ9oEUFZX1HJ5zjGB9poPJV2O/RSiRXpU4weIW2+t
   T4gvboMSMPZh4tccAsIMZxostc1LjBl3lrLzR62crJOdOc3vKHhDrd9RdR2QM9yp
   ufaOAwJm+Ubb5+liqVPo5bwyXOxJZ5Q5cyBQRhwwFUL0y+tWwPmyGR1ysoW+soFm
   w0NNGgn4qZFm3O0i7wkFJK1gZzo8t5d2XXx1yp063X6BYVLT+SGuTSNrfpk8MuWo
   0Q+6lyZ6UjZ5XLuGvyKFOyraKr3ETdfMCA/bDmx2FI/rFDhziwWgtYJpSaoEptP+
   I/+rZxfQEd1kzJ+SgvggUbpRXR6/UCHBcvjSnJNMyBRnjTU5j9FBfitay2L5ZOL8
   79hudV2c/NO+qTc1yMir5zQyYLfN5oIHUIOJRRTs1/kSu5Uk3i+ByDvAXG9nJ+I4
   t/zZ9FSvk4RatM+nHLbqQvA31qfv8yoz9quVhEAMZRMticGWmwvPkchjZQdtzwTo
   vCKBC7M12xITparw+kZuD5tD2d62xn8vTAgLhaFebflI5N5dF58XgwOkqMEoYq+l
   mYNorq/q659Ac97jyJ35UEGsS8tbkWCAHcj27WwkCcFnXMyfkRrDXasOyQWqZ8iQ
   mmZeVjJKrHNHAV5Xj8l+CI2BJlLwYyS/IwbK45UuIi1xcMAAx21J/HMk80Y8laDR
   qbqq5IPR2ndsYs2JYchBB06t4VXmcJSzK9Y9CFzK8OOOawFE3DpTjcl4ZCxodKSM
   MuTGLS2+ZYqM4buYp92HbeXBz+tjCaFp16wFiPm3yRpm969smGt8Hhc0wkSvJIOl
   LmFkXib4QXDx5ulHVDRH93B2tnq9kCG0Zs/AHaUkN5/TeFx2BIvMEJyQTNHfl2Sn
   kF0+ao3jREVMhAadVzFq5Yvr907MFID/t29EEyWkk7NU1zmOjTzOt02akO40Pnog
   Qibu6gHHGFY6Aje3zHdIBEXnIETJd1vda//GG5u1fdb7bgJzoY/sdORb/U6ZY2zA
   hlqJnifV7+0aT1aVDXD/F/FSd+B8sK96e1MC0oB7YJ517ZxdZ09WJ/fNJaXBU1PS
   2065hVjG4S4XfYonkvE4Ig3OUntnwg6y4fx3ZUgUFo3XJtGhgyBIw6ZNrHrhyJHZ
   w89PxnGJpGTA6tDbJMUNSir6yvR9/uhgADhfVJszdhSFKKre4BdDwn7gEtd3X2dx
   TbkFAs3TzfummzNHO0Cl1v86RR8xx3jRGRqJLd5RtwoaNUoTMIR6oFNx+1KOG/lp
   ADjBJU3otm8hC7Vp5HdTtRk0mH36inha9dPTjFalx1OIUmj3V5icC2ZlLApdAuzD
   uAiYMqntZJGHawGLKOc9UspeMgmUiblo25gDMYsuG0stOfQZjQi9EQLQ2xyyj4Ha
   RIrSLm+guqcYPQJgRhAOEx1owEGqJqYoR4rmps7w/kAW7TrTrdXeXHLBbvavGtwo



Gillmor, et al.         Expires 28 November 2021              [Page 103]


Internet-Draft          Header Protection S/MIME                May 2021


   rt0mrTfHPhPmsYbQz/4T7Lsm2k60TjGbSm8tGgBRydJI5ly45U/FpNXVgykgXBMF
   P+hJLVMvKgHehLCoxn5sBE5Zzf8/PrgZ6c1iG/iBXgnbMW0+yKUQ8sVLvp92YpY7
   hKplcj7RKJL3HBxzUeuUhFGfaiq7MgpKm18vgnFXJoc/NL5N4eKLzn3TD0q/Xhid
   5lpZgm3+6c/mDgS4RUIqtHaALsVQhoMGdrK2Tr1bi2VoKIhEOng9UF2WxQJiDNhr
   VM99rYy6aX8H9bj70xYG+KtlO1fEjp0+S1OEfxeLCEi/DShQjPrEwumCW2dKz0Q1
   7G2u+qo6Zcml9eJp5ZX4GPHrlImX4+ngp27/cNDQML/pHZrTbT+h2HZiDObED3if
   Lj/pAB43Snah9bg7XoUWOE5lNQoOq6uSG+bUFsuuprFeekcs850DtaryNWzpi+4/
   5bScqoMawu64YqNq/1pSCXImEEab9nXtn6q4aPjhKHEAhWD73YR0nP3kV6XUn1yF

A.3.11.  S/MIME encrypted and signed reply over a simple message,
         Injected Headers with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7565 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4592 bytes
     ⇩ (unwraps to)
     └─╴text/plain 337 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <0e210732-9184-5855-9a95-2a635560d3a6@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:18:02 -0500

   MIIVzAYJKoZIhvcNAQcDoIIVvTCCFbkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAD2qfM1qd/wlIn5/weLGjTIvhLXq8DBtZlBx
   74LEO41mLd1hgnRYsPIWC2PtjkC/seobOuZC+CV58bybhtZc98t+SPFhw/rCzvKD
   r+TYWJWJ5klGojWrmZJXuXFUA6GW1KvNQYQV2xkntNjeOe0dUY/UwXDXnV2hwOSz
   K0MpYY9/M847oDrGiWv4xDqLd7WrN+ztQiy+4b29oA4Hy40Ll/z9o3yNMYEeZ+ZU
   oICNWAvSHhIHuHztoEhhGI01wF7KFpygyjP34o5oC0MRFwyUPmqJEuj+/o265hfj
   zKAzd20Dh0lY5f4cKRak/Nq7j0YAVUMftIn6Z1AI3NBdqAuncSAwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAmcFRU9fU/PySxv4kLIQ1zBV4



Gillmor, et al.         Expires 28 November 2021              [Page 104]


Internet-Draft          Header Protection S/MIME                May 2021


   nTTHsBv+t6RGYcEOmqToQCdNyyQie+HqTJh6M2/Cc1sbRuOVsrfhJc0RQqKG2VOa
   huevYf4E/x7+3Apl7zzg6rOUfi0rSCv8y5PYLaHe3AbZvJr/ilj5YKIj8+D6JnZe
   WxSSPZTDbmnN+oTtePW9v+hfq6OWomQ/VnUJTSQNUnkxTnhBK5MiOnwmIYBpOD5Z
   29/dLzfgciF1gFtTdEjszQ05IkVB20IvP2hvyaciljfKmFXS3302jAuxLSPiAQIK
   UYw8JQCLz+TEGT7jr2XKXTQQo2yv3dRTB9Y4P0/MglX8fbzqWLyOY94hK8fWMzCC
   Ep4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEBaBWCdD05Wk7rGu0j8AGnmAghJw
   LWbI6Q5pWF3Q3tMokfjJ+6dzF8HNZm7De0S6Hu3eU/9w7ooJDnRsWbdr6B5QI3b5
   fsXYC3Vfjp4iYgwikm2xX4AXzt07T4YUl2V3yKNU5UKPhRLrbH6zb91+ghmZ3Nor
   yEWWu2QuHVTg4xsCaEG/+LX71k2wJTI6Lk4QDH15OyIN6KaivSZkqjNll6OgQTp4
   /0YdExevb/K2WX7w34kdq1KFg0Vju2hGrnPMhgpvfuzkQirtFtZ6FmeUXWm13lX9
   Guf6GeL6F4r6aZqH5gz1JUVh++3OC6bzPG0MdkSVo5hELTYRvfclnSLbyYcoE38a
   v9aMDlRv8v45Nd3eCxClG93Vh/EP8NOS02geATE0/mNk5f3jsZ9iFZOdRMZ+jVuB
   l00t/jCj9PiJaxLZ4+Vf9qB2CJ15PtbEp8CfhNi1mGU3Z8LJbPApUpRW/rzmTf0P
   JbGJzL0mU39zRnEoIRDAFAaqTj5pVgqWiYVJhKkfs7fHXd6hHM7MXqpQXtc4KrPC
   UJWjii4DhyEEeTscOx10QPrGqST5nNFbc6Hb8qFKc0/bIE//QGz9rGerH+cFxeKa
   sOkevWj7Gb6EhMu2aGJMmnqoh0pNj2bp/5vZ6paFmhn37B89nJJhLXqQeDcgglmA
   f7DzuAAN5CSw6KmiJocmaYe6RHZjCEZmILXHSRJoDoTEIIrQiV4NNGxah7Nw3gaw
   wwASkf+dhn6mKg+6y1mVIIPdgW/CjjLSUTvox7WeKdmlX4yjmJSASoCJM3NWGW3z
   BVDdY3nxkSQ6QcpaK1N57MpOmkP2EjbN3ch8vQuj+croYOmR72zD2mGNQ5iMzcl+
   US5jIew4R49N1TavwubkQKXtxl6WnUgVGLeFm2d+J7zGWT6tw88k740Oce8UwVpu
   NBZduEjPtYnsyXIRxL5tYEPqUrSbrTbsK10WesjpTD9+i+fBqvf2Y832yXQeu97r
   9JSQi1Q6Xtyvsmy2lM5ahdzwS8cz2WSxMmJgVyGKlFX7REPjktHf6dkDM+GZs+6w
   SBhDu4Lyf4yrtiwuNsoF1qn2rdhnGQAkjishzsOOIcoctx8ionRi2p+nLn963tfZ
   kYGcbbRaDs27nMBTFCncLpXFqq8Phfmb6fI8Amv4JzptPtqnwU/ygonOdkKoMrqf
   DUXXAJ7r/5otGqc/ABjuCOPe7TeAi4JZm0nnEnJM1SvvuJuPk2cJ18ippjYIF1lf
   zkOU3aaxJtQKofPszkX6eBEuKWlTo9rlh6M7NqmZ3j9Q82SA8K2W43q0ImgYnded
   h+5i3siTYTHrXwSdN07hKtPI7c2ZE9J4ASDtTmWNmrb2i4u9bxF3+IG1ze8lVZU2
   Woj4mqsBYOEO27tKn5IWVGKrCgJ1maKOCEumEi+iICajyyYOXzl5mXu6Z6+84uDn
   RxMCOxu/mualrIjt35zaUVuvkhMMJnkRijEcdbHk+ICM9x0DLnRQruuY9Kxwjgui
   c8YACZcQf0SSMyQZTbMfJjVXvplXUA0TqF5dCX4TorUEiWy7pclCmBvvAkOADjug
   htFRym605C5HtjmVQonQWL5c5e5z4+cDOISgdkaEvVCqg0pu+MSvMLhjiqoQx7dZ
   Mov5sdbk344oo/G0mokjLT3u52mhM00SighMtW+ABfzwBE16DP1I9sC9Ge999HsU
   EU7hw6vEOIzM5O8hsKTAceB6wpXX0ch1um/emFkjglVnxgHGxYegMezigQwkgaNV
   UwuqPnnrFIce4xu7QZ7pcAcpcWVLUZhEtCK1vh8QPUBcdA7CSrcGWdXuzEZ5V0Xt
   LpF2augMYQ+a9XFQjm2Lx0UZErfesN3plZ+1ci/ltQgVNuZCPABIFNEdZpEKtOfR
   czO5y++dgqlPVOAdAP3bhY4cFSFfyoeOTtJo4Ev1kph7Cgp9s1zR2QEUrwah1zMa
   4zyeqnwomcZtbJfFysNTlIOT8FeRrynOImEZaj5HoCRvicEBUB2Y0X6uFcFlyydv
   1pEEIBfoI2opc5Zczm4x7sr+MUAaGbvVBRoXTn8L0r46JILp7hVYlXt+DeoR3BEt
   sKKSE+q3uuGbWCmhAxeoYZEZwt9VGFv5DPJyhugkn62dA6P6AXPHYf+NbIQIh0oM
   HFRx+3xZwluTmCq4+MFlLFekGuYenQnBEySm7ps3aLRBxjdKTuG59Z7nu1KIeLjg
   nyVhQfyDgyheDLdf4EWpb+moqjmfKnW1k83KSMLR7v8EQyWYBO1jSCCoOTeEFez1
   Z0E2ALHfEWKMFt8fGHd7VQoJlwoIoixNj5jYlm8xGBDvNbFDBCa/4e2CaAIj/AZp
   lhRBXc6JJibLqOihgoxc5fMNTE2klv3qWa47QmbYnkQ1VV5C/u3mwBBlnFHSVHu5
   s1MduNiVpN6Z6/Cex5nloPZK/7TqixnA6/058Ckrqf6nLZUGIT5gFo9RRYyGqbNU
   ptIeBZqRpOxLoFanC2KSOFnJFhDAd4XVzaoXTEvyCjj9miTbccY9xh08ldAlWcZh
   0RItsVcqKhkVD25FH9kViSKjct1V2b1fqBAEcuqwytnB4gp2aUNCRmvu6RDPBpy/
   yNAM6d9dgDCyW55KNpv2aUoJmSxEGLuZhSMJjbiZ/B43ipxJHwpMmP1Vj8y6UX6r
   bzpaSRXhPv6RCdohH0Z6dY8rpO2PEufTa+4YNYcv5ehCY0AVcVSGGy4PgSiS+M9t



Gillmor, et al.         Expires 28 November 2021              [Page 105]


Internet-Draft          Header Protection S/MIME                May 2021


   HezSWjMkqB/Oa3a7rEKo0Em/n9Y2L+h3npXY5BPACo590diiPdbOajojdP8s9DbH
   kGepW9TxYpBKKSODBZJF7Gv/yUf1xJ23g+eZjnRgOBaNTRImSe484pSgmSCbOg8N
   dW4Odnk4zyoZg61obVAQShRtmBU2slIx6Yl9zrVJUIxo77d1dkybPob6mtgAauxZ
   RDKT9uaaC03fm4GEJ9HEWfKwK2m4lt8EiHLrjz5Qar/XUW7JajxsJG9+d6pMZtak
   TKevdDYv+3Sr7+TSDUEYtYgPbxBdPtT8yXZa0vruA5BA9yazmxIfbK3HhKe9XFVW
   CEpR1kHad3g8t+xQFEvdKJEEfwrWd31KuqXCmPJqPEyT8uZ51NLG4xqb2oTM14v1
   DcoREgm8ZFVpsvuwylItnwH6jluWV9yzetCoL4AbH/M8os92mzgl9OCygBl4PV1T
   t1UGyDidOpv1Pa4tWvvzJQioGf49mPeatlpFv14W+Iqqw1cKsDVbmq1MusOXgafm
   qZ9nNYAnxLU07FfeN09ljVyAEYMTW0BglxWU2Vo65GoZURH8mu5OHau5gD8FPOqJ
   yl3kUiZ8PKoQp+TCYfWs4IyEDXCo4+wKJ0TPVOhH8mBeAZBQsfmYEXtZhBGSlWxB
   OMu9DJMuEXMSlUWFH0NEajhn1bdU1KD3KUvLXx6lH35NoL6c8ER8AwHTB51wPWsp
   hMiG6T1bhXc8mSrz5Z9ftBXe+5NIN+eChmxUZpYTbv6wvUQJ5aq8iO2CTjBa5948
   RhXCrENgzF2sa2tRVQjWOeMzU5G5NGo+v16bIZIzXv9GsWJdhQfiwJ8PEjdNGEnF
   gFb/zSPJbno41vgKhA5vp4r3T9IGR8wqID6Q4Tf6MnP6MkEPwwzqH6lp1tEhNElV
   2W7lpbkL1n63ciSw+2frJ86QiDDeKMU5OFpWR+pt/6dGuHTSCOG6lKIlJRzDLRpg
   Wg4hOEJOFID+9RU6DBZiNpW1FIt5VZ2ZHYjrqSYEy8z+tenmX/yg42YFxI+1UL63
   PAeyXDuNQ+D2OSrs5WqPz+ac9SGqA1NicNMDnLrm+82OG/4z/1xcTUlTI1ewQRCD
   VvXiTNxll1PvW+/wdD5YGcRz/yjBSTqV+Xb1ALKPTk/qrLpHFerTxWw1BITpNEA2
   kKM3lYBpYZQK+ubTQexACbQeeE7129OG5r9rUEtcTEeh1vzg1hiYrWoGzFOPXUET
   G+ru146zMsDoJSALJuJjgZrEQX/BMumYdFHwPVxAXy7d0lzchXUTUlbzTOMteAUs
   Hn6hpaELCpuWYhKPQ30aN/Q2zWpat7jz1w6rm+NPTHbnw1loE0zJclaw9huFUCQZ
   If/DRPbKz9JTOdfZiz1ZqCxDXilpfYXHgFMWa6OMpcMYQ/yDOggqD7/z2fvwUdOU
   NlDv2HxpoZKuBV6bF664gJ3qdHmHEteecKXjKbuzUbTrQLE/dsZIsgvZyW/sMiZy
   ErLCFA+pcGIeO6za9DFYVQheIpv6/y+gJgc/H8NPJXZVREbfbRqnhqkMGmnw65FB
   lDRstzU1AYvq65aeLXkDaT/9wydtN57ebZWD7zbum6OrgEjdBtJWd3NuiUQf/pqY
   dbKBfBifI8r8oUWomyJV3l7HOxXLZO7bwXt6sykngeZhnW6gULF0J2VqRShN62iL
   ycHtr7ug33fo+EGHE/FTia3Wg9SUJXgssrcxB++igW1Ou96AHA/Ub4IQZM9plIpE
   BH4a07A0ia2DxYbpWCpeWZWuKmBa5jEF8VIyVy3baic8L2cWmMPjPZ9+DyQpsemj
   RTutRPZUUI5pNUPiGvAby+c/s4zLFtKFFzk0/mE5MhFhwws69llz1BOA/L3QRNX9
   py9AlucjDPOjFrJ4zmvDzdogkwkXGVSF4ELZgh6Jpe4ZKNqkI0Xrv79GOngnHm2Y
   a1srIFshEQj8TxXc3GT4W7HrzrbCjT8NLGE2YVq8xva6iOAX6DcpPLb0DH3fUcJh
   IYBE0Wxlr6ZSU4DaahCfEuNvKBtLv3oE8izP+SBDvo62etQXWS7ku4kQi3z9Xhlp
   1qjLh1ePnZXdO60RlgrpvfwbmT6sFWrnRrOpeCkjU4YgMRJWwzyhWDJK9VVvYpFv
   axcyjGzBgkmdh3+EV8ha+Owy6OCY95+9tZmv5c3jdBHrs8ErFh1AsYDfVWCeN9rW
   T3PcOGahl3AKqRWT1g4yPxIJSGCwxLR1238YLcd05LigKh6VDV10X1AgiON5fyP4
   5o34WccEbM4qvroR+sEBvlFJkA7k3965R1K1exSFkVqyaZbn5P5EgvY4MMgtCxez
   KvYoCaS26llcK8ofGVy/UTyV8B1N6ViBX5NPcKycjVNrnSroPIDZtXjwRHjZiPud
   iboVmbLDgLA3m5hoUUGeLi1jbTkH+OUVga+0rQy1QSNHX/MGTP4zV4Gcj5NU76CQ
   0XWwelntePs9LTNJCJfYKyLPcelDAJ31JOia3Lqg4GtYEJbp4pq3rwdp8vF3etkb
   8QHUBcwfEPe3kyK1VYRPwfwq4tpmLrfWtvofx/mZ33TAoMa3e1p9SXHI+Ndb+Sob
   KL8Fyp43miL9wUFYKnv0Vo67do3cCXYOA6F/wbJw4V+oLdBS2amMQnMwpra94Scf
   L+B1nmzQsGVpl5nieCQE935uFDxfxGUatNbKbsqkX1ZOIORPplfX+TJrAfShBsSj
   E22uxGfq0Bj2W/3tdFVKnkxzCuNtKECq1xQSuTaWkAHW5apFfpVBpWxzGO5eoiE8
   CadNkpr8YFGswCrirpoYqPgGHE68I96yIHal7H+ufo1XK7QH9ZtVSL7CEirYG0Xi
   ZhGhDlQwMBDAhI/57sF2xfGgv8UEm7l7/94isN0XPkSqEmmbjcBpGhRBvRmWggnX
   7DHoQj0viTY2Cj8B4f8ATvdCEuPY+JpCU3xWVdSTJSOXq9NH/isNzxWWxx2aCS2z
   T/K9ol67FcXMJN8tH3TCs0VmXkYwID94DrPknaUXMPqr8fiTedByso764tCoK/bZ
   FcDRnUbdpn8UCN8koJF4UMp6mHOwWxIg4ekX+V+REudBAWOXF9pRdury8xbVFb6A



Gillmor, et al.         Expires 28 November 2021              [Page 106]


Internet-Draft          Header Protection S/MIME                May 2021


   t+RvY9aZhTTr7sFFDHOSlhOnRndzfOVj5u0iiKmdmk4NDMf/gIMq1kQ6m2/vjAEu
   2H1p8DJ6XNsLCIZ4nwdqU5326tFOaeylTAcwSXox4M/23zzEHW20+DCSXn+GAd3v
   U0iN+AKsss6pGPFxzwwBzaWBIpCdXmzV1w3JOoLiHQOx2IHkGXXEeaNPDBOa2PoY
   G/vQRsJCv3vgeYHuq+oKiOORye1rLkFakmuSZjgG2Wo05B5tapxMHoW4plyNDDPJ
   0cezb1xnqbDkceXcHa+nTeCouRCqd/P6YVz5ocD4BIdSwrda5GX+6U0bl/e+IDoP
   pHWKijdsU3DAM+uCJrE9EwZHDrkW2qL/Spp9AhtbdMsugaIqVuuTQyCWhoK+wpz7
   wjCdyk1XEMoCfQ8PAS1RyaSUz7fYAsIk9P+FZ6qwyvM9zhmvFQcNoj3E5ObIq18H
   GezlvPOeoDwieqKamAHWkEwefrUb6X4IK9w8dBJrYQgCjnwPq9G0dWu+MbbP8xwE
   w7LgVMRJKMMDllquSaKDrQ==

A.3.12.  S/MIME encrypted and signed reply over a simple message,
         Injected Headers with hcp_strong (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8150 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5022 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1075 bytes
      ├─╴text/plain 56 bytes
      └─╴text/plain 373 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <27139e00-e05f-581d-a339-d2bd43bd0f42@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:19:02 -0500

   MIIXfAYJKoZIhvcNAQcDoIIXbTCCF2kCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAGqHqgj1xSnDA+I9w1gM5jscfj+VbIfCbhnx
   X0JP91o2lvOWKQP/faiuh+g/m0aWux3LmKbFTmeqI1GthooqMKdrsneFFPkq2YVr
   t/bKwwt9r/BHWX7YmC4IaUEt58wY5EpJjyNgxTS6W5rYW0L7Or1u4VavRwDQy6UB
   Z3PwtibHKXAWPRt0GdED9tUfwJodE2NUhpsww0GfbObN19UazD99Tb6l5ez64avb
   v6qp2I3T9K2777AyeI5mTPWLosR2e20ph8VVAaElK7eqoj6fNWUl9oCHEKZ2ugnu



Gillmor, et al.         Expires 28 November 2021              [Page 107]


Internet-Draft          Header Protection S/MIME                May 2021


   V4cMPsaqOAJFHnqFjoBCVtzMwKQUlSQdPD/G3M9QxD1eZyUA360wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAe+PncR8a8M2yRVIrPvFoFBJ/
   sjeT8XqP0JrDGQJAlltXX4VP4yv5f8QnxVyI4GPbmDE18nGDWewzgOcssAWZfuyP
   28Mwa8EFDstckvkFea4MvtoVbIZ1fj6zztvZeb0d/cMz9IWpM4qfaMrF9Ejk4jfE
   AkagViFvjJ6168alDlLbJfAjFUAm3Kg9QMM3GVQrXlLxlhoOAANP+MzTZBk4a0/r
   LS0jU0v6KIq8T5bXj1pwGW/64+koLYA1ilvbMbN+G/1KucNgyYOc3++6LI50BzYX
   woOnmcNJtX32+f0kz33Zlbo1FNI+FGISzxYk3+ENNJbzOApIgRK8N/n6ky95fjCC
   FE4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEF8YHUGL0G/9JbgGJzcUb7iAghQg
   j91e8wyDIuHSPaIhkChDZUXsZphbmazatN+8ebg9nq7kB2HpmK4PyfOvv/kXpOdv
   lMsP8vVjcQBneqza/wHl6Zj2HxqH0ou5sCSuiyfW55y8pquGuqLf77fb+htPIjmE
   +Cw+vCEUw/Y3ekJO3kTSBPoZIb7EWEJXM2LHQ2AW5eE2NhAi7XZVWfMKbSwsRx3d
   LW28ErQcGCDYoF9CTGyGQ7dFn9snr/mi5lJk4nrEXr8wVJpqgfxvcZqhWEAndv2t
   9okudg/3f/kzY8A4yFfoapBF1SCT+ktTpWo9qSQ3gG1j/uPNhKIip2sCWBcwuyJX
   MRv0DBTxObkpv1rgbLB8Rw/8TDRfPdrk/dttoRdqol/t/e/+Bx1KPMGRH86sPPLK
   2csc2fiEGUT4aOALq09mp1ayzHXHBqH6izqKGrR4LvTMEAMgnzbvhBSJVtS35Nu6
   LeJAgytmK3AI8NUzlPa9Wbxn1urGdP0vqisb7YcZ3hfZvifPiVgPgIcODL/6Uei9
   fL7yxqC5FR1DLzJh8KrZ6512xKNLWAH1A/RrY3KIPQUvZ2L1BtzVm1xvvju0m5oj
   1pjWVs1OnfZbft/VCbhyxbpILmOW/XK3lhzRd7s6anzb1nioBPsFw5ToiXEKkbT6
   Pj3Yk+mWPGZbl6Q0pB+o9lgWtcNHr3fc4RIQfjM6H+WqV5VwozCA1CssSL07yYOi
   jQArheZZjo0AsMlr5zOfPQTM/BlQIc9oFtFVs3Yes1pHGeX3c7xiQJ2aSNb2YtNk
   89toDxtEJpzwctlfbaWltjghW/fTBvXj/pDkSO3i2rI/XxuPror1BS5OO/4tB+BC
   qj4Rvf4ZGYerXQuZtNiiv+xwvQ1wQOqVnEbzAx9d+gfh8xNzk7xoAuNUJL9JNyJS
   OnmM0pTPnHyRGFPFE49rE4rpRqWko1t5NHy/T67FZj0rGhssJR/y8RZf0Esqg1Mw
   zHn0qVaCy1ZQimCM87D2+mvZMaD4VOYRanCWNYVOV6NLsjPxG84UCfuPSdNH6SZr
   ZXSy5M8KJgd2IkgxBVwCy//G4mBsgFnQUs2E0n5bh9HnQEQAB+ttVLElGtRitmrF
   UiuJwzCVat0Lp8yQLk/FlLz13pqZSpABLdxKngIfBR7tTUd341/rcLadnF6u7gZA
   cl7ymFwoQT8pRg5yPHqFHoCxgreM6nXEr9Eh/ScaYKB5gKsPTdCGFKDOiJG2bxO9
   Y1RB/EvydEyoCQTLD3qdgFTqEoBqH8Z4u/jsxakqg2+qypO89Jo6QNhrZK8amuZ7
   q0L+ltxcZRefx45cyYrzqTodXk8Gk4UxjD1qvj4nfK1l8JZY8cgEEkKEgCbrsyO4
   mLnmMxvNT11PWqdMhXeQ9KyoDQEYb1Kkkr8VFu9PCsw4XvwP0u/DvvASM8XDawr/
   krQtixD6aXo0ps13JPuzzXy21fJ1qwOnSBnJ3bIrllaeferjBFwmbaxzESi4UtK2
   p0XwQpLKBh7LS+7KToClbvgzoqZO2mN+nTqn+mR+G2PXnW6KBFPsYaupBQoNoJAC
   JwokhlrcdMZXy0C+YNNdmj8lgz3J/qNH7BFAhGYNaqMi9EODs4wBKxt4+WKuC1az
   7lqbFMOy5eofcSl5txCZZyYjQp7aU5QE+2GkY867RtUqqJ6IrxEtt3BBKVZtBwWj
   DeNAeX/UENoDi8bAxuQyggjGsM/ozgfq94q0i4wKThvGR2N7lfKs7dlF2Vk9zuWd
   G9m9MKXmZBk040HRtYDJlvXt7iuHpp/vvqlx4OoMf6QbG1nI3UT48PUHqHgNxbxW
   NHPvNqQGW5ay44ZIbDmpTIAp3e9uUWGqS7F0bfAQJ/IEDnoizEFCL94MB00KCeAO
   DBiKlneEHjY4EnsaKB9XwEjdEumhfveVgwpX9wn3PR9BDKZpWXIxc81I4C1B55QZ
   zfKr0fGcvDRDVLIqFcI5/E2/D0+maSJdtvI3mHv0quU3wT863lDkKruz42ym/h6Y
   M0d9qr9+MHllxedB+l+Qo1LMmkNg8XtVBYmqtyOEA3eu20AqqX2a81YZj2S6qqW7
   fCwiLuSLNvrRxCrTOVkrgVRrKYynK7gFPZFRNaOMQLa3fv0mxiR59bVYSA7qh9OY
   h7swt89nizA+IDKdaUpkN9zfhxo9IvkexukoaxbqHY+sYmy+ULLg9ZuJ9ZdiJpu6
   waBgNKC/ELPvV1V/MwU6u08X+L+LZKnLRc1Ct/EOJlevDVm/MaHEcerKIUmkxUWP
   UDkQoUjjrIznQIODRYllw6E2pKK008gCglnm7er7VjE/yjEPzOdBuFAoRqatVsLL
   pCXATV+wySNzFgpxJWxHcGwRSs+JkWnw2rdbLQJOxrZr4v2rrNztx1BfA8WtGWmb
   vGXqztE2LV2mob/aK5Nb14ZzcySbt/rqqzJo2bGPU7TU++WxlOOPMVjjpURS6Do1



Gillmor, et al.         Expires 28 November 2021              [Page 108]


Internet-Draft          Header Protection S/MIME                May 2021


   HeTkgb7JYS65kCYDnr0hJMGdWJCEjqh1lSxOtc3q7R2tWbQokcU02rcFHFabA+4y
   Xc6rDQykW5xeB4XVJ0fO1QQ0L+k5WIj/9ZIifmO3kILrA7d++x39Ewnn/SrQ32Ex
   lbsOIp4AMpyyUx34iNjsQXLUq70ixvWvs0R+B7gVdwa3w8KLgZUYkk6pR7pg06y3
   +R8CzTlKktxNSonU3AazQ4V1TWVcyMxZZTG5+MicEpSF1MUEvDmjuoZHfWv9HgYA
   K7G6hjQ8Q8y6+fY3rQiDDhAAGmLI9FDvoMDCQ1g3zHJuysZlXcOu4x8sCPTpz4O3
   GvtM5PIIB8K2NDeXucYc7jilElUX72sAYixlyoGWmCB+fM1yIgnKXITLRRcGnzr5
   eB3Qjjb/2H/tIOdKysOg1u6Ki3ZwaHQZdLRwRxmQ/BUGxpX54WYAbL7Dv8CioRNy
   wBrzuxldQaTqWsMyOsxpgPSIlzoJRRRrI8WLp2iK5PbKjaEXhdUXOD0zqbXV7KvJ
   EO/9efDUSocGHT4mfTNZHRCxT6AE+rNZ+vPoO6nUpfV0ZIrVEUm0Vi3TTLAvPAR2
   +loTHLSZQJzay4LknzauN0IsD2Gkr5YOYBP1mb8nqHGrZt+9wA5SPfPpBb0tqSzq
   aRIBl5t+Nh3aTznqurQUXoJJlA9F6nXZQoFRwtMhgXqe1c2j9QrD/6r26+wPW2ZS
   3VFH2ZDYLJP0t+wudEz0hdlqTgHqZrJal2tnqdE/Egh2Q81qDE6UiOEBsVa8cx69
   gWz4lfJ9ptmUGuxOjN/Wx/lo/V4apwrZlJarxhkg1DB5/s5rZXHgWen68HTg9nIa
   cc4N7qBN0twqdDpWPebdEMuEms7KqnR/uW5uBTp5DpDRxTyu++71K76HhUaCB9J3
   98uyxSYBZdAl+7aDiKQn+HjJ4R2EaxBNtPiAwYkej24SasQ6sp51IcB+OeXyeIMn
   +EzweYVGn74tHQ0R5ZqBroPKpUYEVz536UCFHb5//9vvy14C1sMoaaqKn0TCZ55R
   zocRoFruFTkwRoEaNnfnB7g/CHrfvm+NIsbcYqIrmyM+FQsRv1SmJcjVxhrB/z9s
   6I6UwJVQNHXs/T05Z9yepEhY4UJDAS19NKDZoH6NTFD13O7PhbW48uf/9wVCH734
   PeVT8swKZjBEfY0hVJ0I5Xh0TchKyUaMZzemCpf4U6/QE6poSggivtD7AF2uwwHN
   4SlXi5cKjwZhk44GEIVRHkjam9OC611yNOJC3DRQrix5ibeXjdVHRYJOk4jCXJba
   hGxhJp21ZLPktke8lVR8BNSs7fJN6P0OahAuWaGxd/EfL6exWfTv+rm4nyDuCDBU
   FxbF2HcgR3b6AStXGhUKY+nNL93roNcpxU8sTRlJDHuuFUmp4jrGVKMs8mSvUyWJ
   BgL9PcNjfV155M+5ggj/VyipUv5feFKGiPa4wYq4zTWBMg3ysl3v4i9f3f2bxBMs
   VwM21BgajuV2ilXi5lbNbLNgLDSeTH+VKEOWs230GfE4dsL+/06qsmVQMVowMtRN
   xgHtzbcKOZcqKgZUe/lb82s4ZmY+EuKF+Uj2lXeGdFO/SeJ2X6A8thdFMnnUpkrS
   eJDZ0xo5B1abVVPldqGPK6d5bC6V8NovF02t24Y09T8FFE4PPdup/yKeZXCa5g8s
   VgztjBNQkrl5K81YBd6gMDMvMdzAfKnbHdzCmF4BvEiES6wpjE2jf7pTlFkrCEew
   uva6sKsdcH/zPshz/BJCSYyNK9r0oy4moHWVrKLvOO9kTc9L+CYXG5TCmHRM1Ad6
   Itbv9249SBepyBJX9Usyf2NNaXvUtWIpZ1PmDH/ctWPqpVYnX9heLtaoDLmJB5aG
   H4QROqKT/EIvaW23xzZsNr+Fa6lgaItjW1z5U4VLW3T19LX8uKpuNefu1fXKLaxY
   nOSsFmsYh+dkJcyfb18W0bhXWPreC2ALI3yOcL5RH0Ix99fu9ivLQtkmUrGcL16c
   9sCqNZJjUbAENUYeGJYLVHnhEGgzHmYsHvp3LcbgBnzdTyPXanAek7Rl8VhIo0vl
   a52LAE0Ld59Cz4Ta1wGDbQezt3wvwJSngKOmJYbraSn7YfmLviPbemeKo3/G2Yt5
   DVzqQBfelLUTdDIm4VGIrUv/UOwONBtlgnzaUOMXJdEE8+Ky95RKeajkPU2ipkSh
   rv3rAdyNx+Hv+kt3PQEkScMhvLSrsbqiyx7nJyjewXzzyNZvu/4glNWZUGQfXzV2
   8+2Ce/zx77vugH8/UulNZntk4CP205P1KNPjQn6Nuw5OqerOOKWx/EIFEUmGmVA/
   Bf46FMejHnrPsEdFJu9eVGwpwF0ut+CaekLCPUhBOBTSCI3n+4f8G8ESTN2KJDQB
   41u+LFN4vhJCq6m85SRcX+tc31GF9jYDXCcrvPFpU06FxKmmKv5rLISPVH9nfzyS
   L3ZhsgUz5TURM2H8OaL5+mYpSpNJvIFajeqNAmWiXsUbZgMSes24ZEgvSjGc4SGd
   IlGCxAQDHbfFfoB6hhb1C9I/Xj36DqNRvqrW8zI+KprW0vDcq6r30/imHn4OE8W5
   jUA/dPpVFRRvMdSkeQfx81FlbNDOThSpNQkrhCEWwp47U6LXzGs7d/WJu8LoxuGh
   jQntq+bhctOqdnolTHSDp6wp6siguul0zobH3O8zP8KQ+y9CMJSKumgNATgvWUtY
   2nDEPTUh5Tjp2MZ9IxVFH+ogsa1A2XRG2iSIKwSrSLzfzgVSTqO5SUATGJYs4qSk
   Kfaz8+i749PZTDtviMTQi1t6QnNH5vHezV5CBz4w3aE1CSDVQJPm3DreSNEXjnzV
   Vy82bjcSw4LCA8bl05swwHmCysoqX/nluv+remcFOPfTEw/gciH5kjBhDhtEV4pz
   DKf4+Sr4OJ6Z1Qnfle3lL8xNCFScL4G7mu/dQnWLklhnlpmBG35elwvIPK+ZLU99
   MPsRMedK62OIkxIE9WzG5Hq2xMP//v67FT/wZuJ2qnXV59u5NlJNc0iWbo8yGy6z
   ZQa3f7SIXoCQAgGbv16T+Hk1YsDFapC5HKLzAAKaWsd3ytmIoecsChRaOsKLla5h



Gillmor, et al.         Expires 28 November 2021              [Page 109]


Internet-Draft          Header Protection S/MIME                May 2021


   GehI5HUD67UHjiBqarFwkZ80V4auIFzR6Lt9F+pb/HXyUKsGL33WwkES6TKOnxP+
   8hYBdWGWBZtC9tHkfvrdb2bQi8RNvnzez1zX8V8fCizEgAziDXaf2hWbipC4+xep
   hVf5mMD8KPaME9uD+Rb5Z+AlP+U7ka/d3wKh/DwDPn/4djy94SLJ1TxE4lpUaBm6
   5EIIvnz5LoXEHizghqOIP74y/0FUggCWKEAMzCtLa/eBK3M68r9OFoznUy2QQeYc
   i5Jx+vaP6J5GYffGNPXgL17777goCMNdN3UvWjf5ukDEhE6Q5v130nzlqG/3aKDS
   WSi/MrnZjvhtn3XZix7pb267F4hdBp4HZDG7yLZYRd+O7BoDArqciXlQg6gaI1wA
   2KlImv39QHhJF5aaNUaSYw9vMql0aKKG9OPCCvE/uSLGSbUNT7mf/fRMPznkatlC
   v8UhNIzE3T6bIIlr45gNQdvMZsAgQ+yg/hPFpkteawKdqhZL9cvyyXcr5/f24UE3
   USxH7XiIobz76C93oK4gdEjBihN5uglkedwukwqt1/WAGiHBDpM+kbXuKNx/t4R3
   tIMfrLdev5ssBTnBDuh8134RfxFHGHEOutrOd+ECZAIy4yPilypr44SfmKKjECUQ
   bCu/Jr6NkD+89ZjMo9hssAD9If6Ctu4ryx/jO2lZkUzzlDSs5WhwhIhTC4G2wzFj
   p3YYRT1xvaDdkCwAD1gzInssQvTUDEkzHeWpCYSu2rZJHS4ccCiGGA9xhLceD7+h
   4X4epNtb24KysAfBXYIY6HDKnVJ4FEApm53BcLbMGiuM430VfyeMLsTw9qSOFuyh
   KBXW42iEw0ubD12cIKq3CuuTTYSQj+lIDxgNddD8T+WmPRWP+Oi7dLqGoJXRZyaT
   RL0lj92WZ2h+/3P60RwV1+D4zc1x4ptNRG/KV5UVI9rjq801dLEZjayHDm4/Wnse
   raZJV5bFsui/N+MyODq9WTDlHF5GgxAa8Lyc+muDOPOQffIccX+YfaL0aBueXemV
   TrVyq9wE+EXFj9V67c/9iGMVqhjT1Fvq0kCP7ROlPBnJIwO2SzMWKjQLpE0rLZ5g
   nmb6Ii3qM79NNCZHAPMkbdvRGkCfURrR+s/Yi0GXRcF0oT2h8eIwTR9xTFgDFtcT
   lQgVNoS2UcJYJ5k/+q+WQRtRkX39ATSR0HuO2Xfi76p/TnLOqzIKVeesB1BIs4Fo
   DYoG3nvcSItb/G3wLrkryWtRbktpBaEHIDtYrWtITkM2sx6qjQuBmk9NdRQtIfch
   u6MSTmNwqpKIj0rSJ4h/IV5pC9FGxrvF0bVqMU0+CzXHOjjfa+XQWPEZAT1ijOQA
   x8UuwNnS1G6MeJGd5oXIzA==

A.3.13.  S/MIME encrypted and signed over a complex message, Wrapped
         Message with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_minimal Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9450 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5982 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 1805 bytes
      └┬╴multipart/mixed 1741 bytes
       ├┬╴multipart/alternative 1118 bytes
       │├─╴text/plain 375 bytes
       │└─╴text/html 459 bytes
       └─╴image/png inline 232 bytes

   Its contents are:





Gillmor, et al.         Expires 28 November 2021              [Page 110]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:08:02 -0500

   MIIbPAYJKoZIhvcNAQcDoIIbLTCCGykCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAFXRckr86ZKdjwWngyWuYzh2C83A2vwhjy3X
   CIP40KUvi3zDTIC3bHcS4J2+dfZughLHJ4zAUpLaV9aE/mXRFOR4R7+KFsqgFMq/
   AdZYFzPSolrBVrX4mJ/S33n9o4C8liWpYKOHTuCuaIQoncwJnxMjC3MNkTz3IQu7
   bA+8YQsXHKfxgYx/fDqE+M0vQ3WXdN3hNqFV1/vvn9XBcJ4vEqJUWbh20jrq6SWH
   LA4Rf0ehkqkTO2eLfW816sEgRDjbmz9YnwPZI+9v9lTA54DOUHqGRCc4bF22Oauv
   cSMSlXYqYc5t7GG+m4FJr0ojYP2mfqO2fqD5MAWREKiXps55bM8wggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAX2QNNJI5Eh2BB+XRtjP6Xj8w
   I99B8w98DcikKNcEO97Wubdh2e6zqTd5ZcN/l4RxDDC0eo63xq5urZxpjPQMDHNO
   VssAn8w9g5jZ3HSCqGlPqf91uRuZysIqA1QftgYEgMoyv3SJDsTviruYnPlOk3QZ
   rQhq9crW5eMPwcU3pR0fz9RBnUsCA2YSZtZ1Gv46IzxmPIhgn4EFX3gQE5P6Eh/k
   IGdNg4egeONZfpHJu2od14RrII/3keYC8dW5PwqJ2O5M8glq0tcERYG+9G1R85vT
   LVh4+wzEUKqUBG0ZcNuuB4XCH83w18aOhnVG5MkHblyqJVujKuVBlMzS5lwzBTCC
   GA4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEC83L317JnRlmVmZGWUVqz6Aghfg
   Dhdevr/n3aQc13mAIW+gC2eax7HfkRXLt5pfz22kYNixmJQTrGScKgeySwqUIaqC
   sSIOtsX9PkCc0oTY9fer0LFSFCts+Z9N6Br6R7XA4o1Q4+rIiJKAgkxRZaN8HUZi
   DMrz3JPbIRAmSyP3snRlbLpHZWHBml1PaE//wIjBX5JyHwIUSMbfKqZAxunlzuvX
   23zJx7bu9CZBfo3oUF54zLWFNIWSd8Av6TCo8fNFB4nb5CCeUNumnAEOI/gZqhSu
   /RdeMvB+HtAc8MiXyOZGbWVL05EUWIczY0rVFqU7S1MmlDX646Jh+2hBDkExTGLz
   wjWnJ5QvjY375XxHB5SMidNuCWV+/ZxyYPy7GkFZCmsvjPb6J97ABSRJ03t2X67p
   yNz16lijBj7vepUuZvPbYc/Wn6oy2tbTPww1OeWkw/LtzmbNGzMm+f1FWVvuxxpY
   9pxluovr69RfrHzbl7f6Dl2EGVbvCD5yjXxARqXkR+2Nr43KmhLcuaKnrjHdKooG
   XaFmlLfY/A62d9btJd+U2uFFc156PVl+40/q8CVO73bSIZqPEo1MFN9pCs/x6mX3
   RVgzipeItwteQdd8xcBvwYHX18lRVO5j7tql7KqKe2zTGDW4Mm9cy9Jg2o/9CESE
   IDv0nO5Gr1NP4wcu1y0Y0uoZjIK402enFrRAjWKx12ai/iTFfJH05QwkQLWrOycq
   0sHjaqtDgDaTSpSIdctC42QkvoikltgeEyjFC11zbt4CjD9bYI8/MoqN6MjltwI9
   G5TVT03tyBNaEfZrUkcM/CDd85hkClVnX2tBF28T63Ozui9GbVFviW9WUs+I02Je
   KWN6llM7UWNb5XIwR//UG2fWxhvFK3aJzhEIHRV9JBQAQfzK2EVOZsRomgmOBnRg
   mvOMH14trTNPaOcBn/SzdJ4ZW6FvvYjVpH3x4bJ2+pvWWL38t3jY0MgsfXzq/s19
   mvOhoIG7+UcchsQGYR5zrRDIb3oSc+hIJyHk/wkPM5a/iUFCvCIpGGw8ytP6ywhh
   O5KBYA/iEw9mjfJP6t9LWTky1pANXCYYxPXGqBQEQTc0i/yYIIYMwhvyBDiBAcS9
   aAbhlsPEjP2OO978H4MjdMpYlc9ftI62beqXnWRYq7SutLwG9xrdQo0NNyPhxBcB
   h3xR9xNgkC3giBi7DVj30uzDSTVZaSzNf5dtctS4T3SlBGeeqiio0uczevPxwHQp
   xQibg4IbVKSDyETS6TIVL+sDliAWiPTjozptNzXN3ZNxk6pEM2Dtp+6kuje/KHxU



Gillmor, et al.         Expires 28 November 2021              [Page 111]


Internet-Draft          Header Protection S/MIME                May 2021


   mbNiR4u4j/0/+lsOlCPtXiso25Zy5Db4FeWC+0kLHcMfRRcHTW1BJGBcHAtDlcwJ
   RnMQK+RSRRGUI6B/bRUsosAWDk766bgJj42Q6YE/047amHvhtgCScqYaELG8G8+T
   rG647BR/rxj/tMX5EKlQvc3qm+/MMc+LprO0WGVWMrGV4T64H5kcbvP0ai7nU/X+
   I6L3VA6v35uWbwi8sfzcrjXh6tyZ5dTSM14T0xkuyzXbahTTEL2+UxXH11qbxh/A
   ZWHpYu9NNocE4/V36BZ+sbsisu6G9dwEAEtX+/rB3U9hm2QJ57lG05SAZ2mrcU+Y
   x+tbMRIBz5dqJSN4hkL4r3ySMjU+p2hSWNWHYX2LHqjywM3+l0Dubjr9BvJAlatn
   uawkgIOLgEbr7BYqyfgr+/2HVrYTu+w7kGWHnGyEZgB9dIZ/kmSdJLJbW8qVdh9s
   v1Z1BJB7ZWIpQd/kI7EXEm/OQsNM7soCrDZycDLDqy3n8G8Y2pu4QkOjvqpjP89v
   T/TssRnDi7wOJ9+3RldrycQSnexuO57PsBQezZHMDbiZ4rRu1heolgsggygdpeWM
   gRS58oqxDakL6S2n5uM1xcBMhY8NBHZQfOvcU0koJo7hbFFoxzRzo+USxJDsOuuj
   +NhqRmVo/Wp0er5yKdeEdeqoqeOSq9IrS/txX58DX2lP/Wnohn47dm3tRE4eImj5
   VsCOyBV3LNTnu0vsWGi6sm5wRLXvQtSmfwTCPwexiTUFjyz/UEpQBUONx5TWhiON
   kBeoz3OFR7SNj0vmLVVny5cIMa5CWqZ0F87ycT7vFzwo/X1QQppmcnEVysipM8XB
   e5AoYlMkcDf0Lh+NFtbksT8giOHoWHhM8pnQSRgScM2TdXC2+YayIb3G4ukgdOTh
   KT8YJolbeEZrzegm15LBwcUftfAcUcxt20MUExVZSf/qQuKmcmwyFrle4thxK9yb
   CAHCNBa8iYyKU6qAdjWX+aH6UoRI/7ysWlx6SupMf8Bd2Ghk+iUllT8CrORNi2Lb
   M2SjZwKA/zNn4W584bAoV6fiwka4IgXh5SvszkU3c7OJYXtRuJwD5q/TpY+0fiAg
   EOoPrqLiTTrEDE9obzPh9lDHGlF85m7WRjqtTmbgHYjuHqydXYAG37QgWMnyoSAF
   YVHWqh7UhFoFvsHpn1Gxp2aqznkw2qXzoGZYoaCfTJ6cXbJNNID4n16eRztv1bOO
   XLVG41ldICCbOH6pmA28+DbNKQBx7cB/ZSpfwD/pQCNg4IXUuJA22p0WRdd+2yVw
   7fPWdABaWydzQtKgN7HnXWCogt6fkz50t8gLkY1F1Q9pRzLDBZO0O/bCMlvPXy4i
   rXGP3BgH06G05OIzxcs9/EbNereRb0/OzXmd+A0wTDaBarQJYNu5IyaV4EIhVLBj
   7x/tYSf+74o9uuw1hjiz10u57ZluHI2LfXcITXRufM3+i4VBlI+RSe9uUgv3dWcr
   zwqzUsMLxqGpVLUyISDoMMjIueIVLKg5TlsLIrjXyQVwj+ZX0mEpubL9US3AKDjr
   UG09davXIkfK5OAPIJn4T9YOmw+bwtt39GCcd0ITKpX1rHhblJQKy7f5yqm3XNPo
   Pw9l2XAYAJ/vnvHoiXwp9pVYWqGY2qoLuCg5VLzlHgQIN+mN0OdzSqGG3KW8s+LP
   9cb5oOw23VSA2AGjEYiEuFcunP5aZMCT8o0wh5J08a04/zwV3+IkaMRfC1ZPgyyz
   YZ7NNh+v2RvR3VeW/QMPOFB6lTnzcHcYQdmK/DY9/BPrmm94yDS9t+wPfvVN67Ce
   zIkk4arX9S2KEJ3mOH0Usky4Co665+9R968xOjzSlUYaPdqmRb46TvYJ8BzmcUH2
   fXMAjPRsxaBeApglXFOPVCDR+H/6Y7T2lqkKWQCZqsIcOIPlD1YVILdPJFTRwXrm
   N85n+wflN50jpAoKKEg6CAsxgR8YxemQB1TFMee02Iv8j2Z2gpnu2TQALVo5dyjV
   PykeuGpWooq9za2hdLQkolkfCmn619yzAsfZIb1eFVNxyMvZO8BdtyZQ/u08eneT
   4a9bAEXzzNTT2iDTXj1mlhO/ifXojWiEyTBUqNeT1eAnD+pNiLqZEQHqtlev1T5w
   MaGx1M3mMUyiU7XN8F7UpfclDuJyOLP2dg3j3ffg+xBD/GAWByXjqTpOFaN0zg89
   qA2wTkLGOFqcJzOWDHb35uPQGdHDkzXaWOSVWr+ebr8w/i5PNWYR79yL0MOzavvs
   rvbgs/DL52R8llVHG9XYxHAVUxDrrvkOczg/e959xFntSsdART8NkuSEQnCBcJiK
   wTHjgd5vke87yC5dMdswj99kG5OJiUSRpBAOZNpUVqL6CaENsg4c6csACQUR15wS
   QBR2MOBaXxiqma9k3i2JM0SPtkpCzfJoRrsSTvShKFVvBQIQXMybiVwFP8HTrnqw
   i63Xgew19nYRXv5jjsmQNvxZJDS6/mM3rbcyLBk3uSXciPFkQuO1sm2wdKb71Rt/
   8ohiCt2xH03dmk1poVq3r0kzelvR2yt+gxqZ0G7DpIhIlm9SASZuoL/GIT/d/d+4
   fecTkPr8dK8SobUGqCscev0ngVJWsDMM/1Q5yxZPoKtccOW9IOqY0zBGgwQxv9s4
   4Bz3vo3SNDRvcvaTyfehrJmQIUm3+ObehmjPMh8l2Vlw19wQbROffjlg34RF0OPg
   spdcAupeeK6rzGz/qZkqs8qvioUM9M23oliyUJQ5j0DlywlnbmHQwbDTRzccroqY
   e0zpiUZ0RX2Pd/aXaDVF3Rvd3ZQjHagWvgXizhNW7LmHyqTxupwYseE3mtBHllZJ
   rNy+Ako6qxPslMv4x1+TrPiEC3xqFQxQ8Fkl2tJ9waY0PnZapSTNIaxf1n/zayLL
   uqVVDmlsJ7W30QxAR8MvazDgW9R3pA/QlTHZTT74vxkjEhUfsG0xNnumWfRmO5Wc
   H5dsE/Bg6Y9lCPsBUQ8bTF6d2YqgHrA0jScPf3S2Me0zpzCYnkgDJGMiZ/DVXY/L
   GUWuItZr2UqLG43LcVuzVAp7av5swE4ebwc5NRKf52UCAJE0R2wwYdHjj6ETd+q2



Gillmor, et al.         Expires 28 November 2021              [Page 112]


Internet-Draft          Header Protection S/MIME                May 2021


   1R0Vw8GL1aUn8FE/SvyOTMaCseXhKCb2olnoLm0K6i+EskVucCIeNwwL5+g7kcf8
   /wnTEC4sQA8zvtG68Kr1wQI5zgMNK+/MzYn+Dz2Hkm0NFJRXJFp2JG7CeO+D/OTk
   RX/VBd7Q0tqQFeOnLd3JX5n2Fd/tpsrim7TuThDGVlUevg1Lgp4n4bucUFe+A7IN
   srRmfKChsjU9Yl+Vjyk6wyM7OwNAMLJ8BtY1aCJegncTMmNhTK1IQF2D6lUa2hJX
   FG5Ewc/xqd44hI/pchtFV0mKMX562GIAsndqsqBpgVX5rDReMt6DN0h23f7yzXIY
   xpan5It5aQE9PrIULl+oceRQPJ5tg2JajyJWwDv0nrRLQVk10Ryh2IZnpnFGmrPa
   ukEsJOBde8kCoGpE+4Exgsenv61MSpYxdmhQrm4AgIAHtumk0xBFh7k0TByZAYig
   MuuYUn1iVG87c4E7hGqSKmT3/oycprhRUTSzR/ZErszPAZZYTr6i4wgvrSEoFfxC
   TrVw7w391XRsysO65KEN14pHDUWV6tswSoMpWI1FlcVNaGvfHipT91BVVJyUKoyG
   iEjGzCa49IhqeTjLyjaBfB6u6LDAyC10ovbMo9gmRuEK45UqRWt3E414jUwXD4hT
   jdzX5fdYmHjHfO8dcp7BOKOmr0SEwbhVMxjdGDCj0+hPOJC82jsD5FZJ/sfRtdvh
   lgKUhtAiTu4qjfmq09u4KXeYrZ+8UWrX2XvLlDlvNKYhe+iEqkjQk6SDzfWBYCa+
   UNaDw9SG/cTBWH+JknHQbB1v9e/Qtj4n8FT+aM13D78k/kaVu1tyqa2NfyWIG2of
   59N2IfYFnKc4gw187MPp6NeuhFMqphqYqYSHSWsFa1LSa71R78eK0R8v4q/e6q52
   BU1kaUk8isdPWkG0sgS5Mmejm/ajtoMHYCzsCWySkDfXqM/h9mOZVKRRfDI9Gpvp
   7j4ScwbL+lgKu0XkCv8Qjr5a/rUY8ltD3g6WLSuu3RIWuslmkkfrMHGUUuw68Fcd
   XQ2B7y3vEWU+t9kWUnHnQc1n2jrY25eZ7S+bpuFepUR5a7s3+FIjQJ4EdLActfzh
   YFVC1fNR1vzKI+xtdqfU5p1wddbe+1zlbrmits1fnisg8GRjFjtDGPeHLv31AZMe
   ihvH8devCgSSac+0CTgL0XAohSnnqOemBYYtBKTYkLYPMBnDHpQlqoPuU/2c6OlP
   VLRinaHgxkVx9ZkdDNbY/clTbIgE+hVTOLxTmplV7CPnR/PPa6mWm/DkJXr6T/VU
   vHxP8LQUjPWVYuxSZ8gjRujebi1gc8JSzK4drOf2qgZuRY3pRjHlrK+HdcUAUu+4
   XdzdVBFlPuVl2p57eYJi3QQN5BOHbJfRyCdnitccyLDGNkXbx1fLJf1aGn46LHV0
   kgrbHpg5p0Az+s0XQxvnGMf0n0IdVQ0MwPa3MNvJzMPohAqwfCC47GXAaZFde/6C
   1x+BGQr6SqG+PaHcp7rxBLMGK+IXQhqlbFZ3muwW/AUsTAH47PbM3F/Gcft1m3pT
   LjIk1dbqKQtGmu/cwq37WrMldgPQ6r2Uc4G/0tOMo0B2nV13WJe7jgorb547WUBJ
   3Im1Hl4rXx/uf34FxjTVhy/tuA22VA1vZV2gzwBQ9idalMzX2ouziaoebF8E5uBI
   IcAQmA4oyiaLRQmOwAGy4UBNREEqW91MCGAwuIvQO910iB1mTUjFRx6MskpWUuuU
   BmA3UPzXu4QbBTVSrrbnLZEuVaSKbFRSjhOUdsH36OWQLereNZvg4FyiSm140lD8
   0U2s8e6c2k2Dj0UBAWtJdeCsRLg6xyMCI6z6Q9EbRVsfoJGKB3eEGKl3zRzaTwKS
   3+EA3Mv/0UUshDFV3yd0tnkBC00BXbmKS4qc4Vmgx/N3UlCO+9AlEXoyeb6Z8esk
   cMY6GbsBZwtdRAfNWg9/X7rV88emPa1kUFI33iXVw4XYdYZMtaWEXQZrdab7dBws
   /aHvkHUAan7/Nl+lbuTcduLIHEGshkI7KKO0F8XDTT8TXf6mSgDZrTd6ICKKa74h
   NzO6xEtr7fElIhvi65O2ybWGKA/SVIyIVT4TXpz40GpzzY6mPC/zYv46RfzTetVe
   Msn2Jpi/tnjGVUGVzOLJzo/rQHukaNtDMKb8biQR2SHpxUauizdM2t5KQlht/GyL
   nmvHbV0PdFCKVRrQ2XtwOR9XCmQKr5o2cztaE6Sqh0PLn9PxEwrpmswaMBhHfbdi
   k6hK3gDPypJQYSGohd2AtUFlxokNDO4x/4yzHLCfK3Mpqfg+Q513EiPHEqSubZn1
   Z2i+qSLRnlfYDt2UjPD7jcSelW3uUdLtSfd0bN3uHxZZgqf+3WCi0ry/0WlG/lfF
   g87KfUhWhUtFF/pMN0wdp6BrMWFxrjPfmTb3B9aQ1cQPoMeTQXYc05HxS2Rx6/HI
   LO9s/HNehvLt8tyOy65KdHzCnLfxSlSl4vtRbhW73TYgbrh1BfSEFpzgU9sM1UkH
   8cCzrZ1U2cm6vbv0CO6/1wVhTnL+Ij3i0y3cvCUZpHSz2i0gra1wxEPMT/z5p17t
   z5sppHHZZhzV0eS9ehUkkLdxbguwwFbKWl3OJ2wG82CDQb8Xdtc03K/zTD4QJJ0I
   LSvoCYwnBJi4waoVQCbLGN0FC+cJAqqUaMVlAEHXauQ3VLDOnOWVISGYuUQZ0b3Z
   yom88ScoNdI7jNxjfRp52y6mVkgTY6Mm4z+X5E90+VqH9Bwg7PSFlaaQNC4hIkyP
   ygciHDwcmQHDkzDpoY9+PCZb2DisR7DLxmGEKqX73POlGYTZGXb8pshypv4cqcnO
   WqtJoXs6TPvgu2UvKwdo4vrw6OhaR55wruq5+99irV+IuUk/qZWojKmLdd744fnM
   fYJEKLcU88iPoEHohals4z6km/osvbY7GHH6vRzgzRDIOMV64lONZD0kxW7j+DdG
   JeyoDuxKPICR/Rav1qKCjBxdzhHU73TZijFf4Ht2YelP4g1mx2ciLoZuyfQgaf45
   rqFSXo/GlftzXbW2zSqr5uhTY6J+Wh7kk534m0yqf0lJ1Oa4avYqsZE7VNe+/Xnd



Gillmor, et al.         Expires 28 November 2021              [Page 113]


Internet-Draft          Header Protection S/MIME                May 2021


   x8JqZf2FFqnf8+H6FL9DOtyfZugJTQwrDs0egcIVsbTHi3i0N37iDKGGaCAotdso
   Ix47BHaBznn2+lU7VpHEkxTcTSZGAPJQ/5zZ10mQf5wwVAWUnaJlegnCpjjlr3xd
   t81KWFMWAPVuL3otm2vp94yE/lcW1AGGO0tTb1e1e7G4qCzjQv16cy8FlSZv9Vj2
   efUOVSINU+FmK8s0hMsgbJ/hY1yWGkhkL41wrcfvYfkt+Iwv0wzH0Rpan+9zC953
   /KIAvVqO6BK1BQfpYh5u/hOJ/tBC+wz7uReLT/q5qfZrP+bRvvQoApGKZHkWczif
   9wBhsM1cEPWfpDDIhTYdAsG7JFAaznlhb2II7n6g0CXiLP9pNktsLD50oJ9p9RVv
   0bvGc9Ag9x9gTQBOiAqFeT8Ifk9gEfKKUpbpdHYlwiEKBNEvboJ5Q1KROb56OgaI
   gm3i3+Q6lIibNQub39Xdka+zl8NVBf5id0zTjZpFt85/7TGvHGCNuGudW79Jl17p
   TFXMattXtTHGEuAlWlqRKYoFPZpLMynTLsTT5z+gqHIAgURgTOMa9YY7+7QsNLXb
   8et3eNsg5E/cAgzt0OJO/hpkQ0fL5k4dB6DTiJrwEMiedvp7cTeHPtlOdMa/KDge
   Mqk0daemNTOUbk3Vsj2s3SfS7BpDTnulb7/1U0Ti4oMF1Eerc7fb91dOhsKkh+13
   fRAIhT6rto+gbnDKGQffeQ==

A.3.14.  S/MIME encrypted and signed over a complex message, Injected
         Headers with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9470 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6006 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1771 bytes
      ├┬╴multipart/alternative 1122 bytes
      │├─╴text/plain 387 bytes
      │└─╴text/html 468 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:09:02 -0500

   MIIbTAYJKoZIhvcNAQcDoIIbPTCCGzkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN



Gillmor, et al.         Expires 28 November 2021              [Page 114]


Internet-Draft          Header Protection S/MIME                May 2021


   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBACHOyBpdzWJH0FBPgjsElRkfM603OpOAWv2e
   JJk17KWFDzNyqNUeh6amywEGtKMI9yEQMiWNDafOaySww5OAyv4m5Td1NqvM7yAK
   If8GwwHBsZkZfcQD0XsPeileAUpW6vhIAXNHv+Jx8PxoLef1IlqbpvIch/OYXMrA
   vrupwwg4fV17S9nPLPAbAAsHxkIblgtQd3VA1KUwW7EmuIyZYKlrO1oHXOTKu9fm
   f6+ZYptlsGhqn+sxjWqgdryLyWgHpAyC5lGcRA8/oA6NVFOseeueqYEfRS7d7S42
   34MgvX72chqxXnrEEk3jyq+ofs/LYiOQxNVxnsAcw7uInwzthXcwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAd2UGrRGdkmM5K4skCB8Bv28Z
   MhHF+f/veYUT+lxq2ui/KUjsxbCAH+Wp9KZxoAqgCxuoc+eqhd96bTpfJ3m1iCNO
   V84S2KOXiq4A1G/IqM056zklYbvPfLI9+EOotWXXW5RSHyMczxsw3GrFEyLLSGsy
   X5mYSLZpdPLzggn7VIP1Qk0gMXQXGgsjqxoUJUhb7PTmYR7F9f7qB3nhxBSIfdQq
   itXe1GgvI+e24eURa+lH57FivKbQGUCPmf24pB7WhjK66EuQZNWJvkMeQPOa2Qao
   lHZBshnyMuTzY88yDthhUd7M3zkzTLTbgOQEFY5JdB2Df39AmhWD5tkD+PD0dzCC
   GB4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEPcJVIQSixxxaBzyW99anlaAghfw
   myNPcQDx8BhQw1sJYG8BmQwWk13lQo28xcdZsyQgbKJ5Eq7Og124W3NJFCTWKtwU
   CmTyu/IU50zFxmD9xm7IPCVFnCZRwuCfeNXiDfQy8KRQSIzMYnFz2CIWNnyJQ9wZ
   WoeoJPTxQapw6ILEm8CAEpmTtpCarvrENS/MKQm7FmfYP6Z4UzIKQJMBjVS99xO7
   3TU5KrneCPFYS3F5i1J2yNQg9O1ACQDZk5O0/arLdYaOs9ybOFMXLofxTgOYjATF
   Oz/2W0ElzsJMhpZo/yCNa0lq/dDSHQSumJTcLhKjSUDTPnj+fTELU2KUmmKmsRWz
   VXxYuusjuDZ00PRUp6NUF+I3goOYuR7+hvXurJFHGQhSp1rQ0fCkAHsyLCjfU6ux
   i46LOkVYZrjQiuCIVFvs2otvHYN02xqhZBARNckq2rEORfA5CaH+9iGwEekhRfND
   +0Nwa+IQmh7AzEBS5vm7Rog5zymsTOu0Rv6j0QlonUiLiKQ6KvTlYHzwbZlspPuE
   aSEq1UZAriavn7Rh7fhX+JPcys6ImdXbQAqE8dl6Wtm+2y52HCaaoKHcJbCAvKY5
   +AttDKOEzkTbYAhmlYOqEaW3NbKGyLGm5MhZ0iTyyCaZfk38P2c2nnOsotMJmtpG
   sbdYA1qWrohadiGUOsLzbtqJaHCF0+TwdVdQ9/d9ecfmmdWm6oHTqCa3zOG2urTS
   JtpVFdIjtp5+5EYGT+HQKYnxEl+Zge43Yzu+70i9Vv+y2j8kubLLRXJXF5bX2Dpi
   cyluo2s68DqrcXrLQ3d2ixmnq5gt87/HZPCykbKzssCQNhdgYR7Wv+01EZtroOL3
   yvqRihxSqg6x4Rg44J29GBUL9b5arwRVo4pciz3F8WPP/jZNldLNqSeqkH+GSXtO
   MlGg6s0dZlsRGdClr5DYCrLN4cqOA6VxCQvW2JiU+Jiwpt3XZ2v84WBEX5ZmKjGM
   oQtVe8fx49OZHrnQsgTMYBdY/Lx3nnzrbnpZwIza3V430HUtClnKbanF1zbnNsyA
   dn6aZVliZW867m37N67g7Yl9VNrB9Qwwg0pEA90G826vXoBNI8aao2ZInTS+sEt0
   iuH8Wz192z+gFFzfD3cyN1HczxBdXaOF5A2pOUEhaWCJWZYhFCLBj29/oUv8ax8w
   obsApX5/RJj4F0POW412xRCePCeQghfuhUUyUYLWn99X4V0ZqAVXmJhNUgfrmass
   lUdPvQDm+FMK7v7Tz23Idt9nmuN70H5GG/Y0r/5e2JkkcxxTS8+yUL4SbVw3/03r
   AbgpVFGYCMcug8UI/BX1CGlSI2PrMAg5MFVhpNW87ph2rOub4mJS7SESQvbPEYht
   ZgOv6gDLCWluJ7QrxsGIUYYOwHw82nqertruj3oZPepIR6WFiDp8JPgTLn/fqaGL
   gMdfGV+Z1VruX4yCTkVdd60MITN0sPCbWoLQqK77QMk7i3fw4PahAnVdasuF5xnz
   /xUYoelUq0gkY/7o8AFjc2zSFM76S+XWZMrmnZpM7IiBx3vBSPWPyR1INQYrD4ZF
   WpK9LVnAOtK5pxIlEziaqizSO1gp+DsY5JFa5W9TPpwbPw3nm3UMrd07cJMGu4yw
   dzeokbYWSAAAu4qfjXB2RNHSw6HhoE6lTHIUJhH2+dw0LA/e48KfRgoUs/BA7E5h
   qCVOY55mqxcYl4eOitv5cYPdJeeqltpifhwEIiW77YFk8bjsZIS3y/yiMiqbYb9m
   +lih/CNy0gLa3TmhpIzVGcTtsGlc2eSl2/GAX4rgg3db6Ut6EyE3MlUquOuQ4eOj
   RGufe7coSwJ3HqwvrFgXYIWNPdus7cTiuIq4ryIqFwg8fShJIDVf9XFncTXNdkkB
   Fbxt2Bd4Eko5rXRn73wDKbtHKI0WclWxChNqGhkpydmQYgEV9GqHXtHTRertkVR7
   sO4Ua2U/is9C5JVtwnraYPNnsggYYWBQUs8zrAiXEGNH8G0mTonPEvuWlay23SbA
   KsnWxrAkrSREA3KX1klBsKhLvJexr5jezV/VoulQs2buTUa3T7Poa+/gygxaZQN7



Gillmor, et al.         Expires 28 November 2021              [Page 115]


Internet-Draft          Header Protection S/MIME                May 2021


   0YPZ5FvBdHWZMrnTCgIPi8JyEmlvZAYw7OD48Gv7p7GjudPd3NtUM3v6g7y2Jazy
   wTrQHVCW/BfBs4Qd+0NV4GSzzvGLjsGe7PSUQ5uNL3aOqbPcSanZbtE2DIRF8q4I
   KyI2w+uRh/uiXk0xh3KYUq69xXMesnAICQxdDjqNE6Gcvdtw3NjxAaXUn8MJC9f7
   xd+Je3t51s/r/VyD7p16lo9UXurR/QjtOrMcoC7H9+xnmJ4xPD1aB1Nn7zE6DmH4
   uC1P8thxUQxysv6UVS2QuU91vC1jk6ioamSi7zbfXi/T11Z9pFxKxvjOT+w3b2W5
   A/rG+zou4o7qO6ad2KWpei0ySQMVOW3XZN/7DcFXcQy5gGns3iWurW0L6R4bX6kx
   QQqYtXQpDA8NxfBWu5ZyhCztkTXiuj+Z+YN0/xjie7Lw5wevJHNcqzHpshf9xEH1
   mX7lWpcN5F4Z/uaG6hFyKmICCMCPNimEusCjpKSBrlEl2/ZfasAf7+nlot7gGRLa
   +nEqpZAHK6eZ2u1cOJcqlM6Kd+kj9Igp8evi2IaY/Z1FyQ/3HLJE7hDpP9GpGJGe
   alBt1pfu0IUyEJ2Fe7lJomcVreEXYBMdcPpc5btJbnsuamK82qCUaZBbxzxWfvGD
   yofGz2WySMZWttrMHUiCVLx6cFa9FMu8ME6HjaoqN7FbXplabt2ae+lsFJZ/Ehmy
   5uz/FTk0QqExHhF4uWvfoP92qUUgWnrT92Bua2CLMs4nGxh2b6pH6pjGLLmdNDwT
   w6Z+Cy5FFazNnA0w54FuIGLyV3HL8m8Jbzty+uiIB4NnfpXeAmWvhqStV8GVzH/j
   6VW7ZaZbg2acn1HMTSfKYa35m0RQlakc+1bzIqnLWMdbRB7Pd8mghNSHrZ8rrrCJ
   yUPhO0A980KgzFJZgh/3eLG5eYWwN+6B3nlkT0vETiALnTOE0+ICP6D25yyiy9k+
   iEAkiXY00vUnUv2QJFTKmgrYMRBpnebYE1y5VgA9etEUIOV0tlzKgbMYVlxgcK5v
   TnLVmTioj1DgSPpOwkE8EKlRgjjc8lA14Ih5pcW6qgarDkyW60ZRHfLRsuWkNw6j
   jFnRWskK1LukllBvG+S81ygPvfc1SIMlUg/nfqp3EF4i+1tCA5am5AuOrp23bBsw
   3k15q5FKpsbn3rQ7b3L1NquBtPwIr1E5rIMx6pWXOs40M4GSNri6Fg92eo4ZZfYZ
   BeJZy4jerGNxR4SE7NunWj66j9UumyVyE6EbgZ8ITuqEKt3lx9JMJpWHnkgeqDsA
   K1YI/+L2zGRIMo9WOoPuw/WdojEEG+4r3JMAK3/fqKWiiQosStG2u54XExuUfTpm
   Jzc1keEorZKCvmyhiFFObkQli1Dn0ZwEpx6qZbowDiMmXSGJgC7l9XUd+3mDzmJo
   QPn5IIYwOIkdoPastOGNuuax7RGUOekjl6f+T9SoGu9eVu8sTVNExarMAnwReJTh
   dnrdqWLzSNuJweyR3snwxMruvYE1yy2W9mxiQHM3Mj9apwIPmU3dtE+H9p7uP6CN
   HAMiIUsegY/2du9cSeesA1re3B4Z1nJ8Jt/7wFOk3ob4Ox2lCk+U2RRoorBpJtvk
   8P/BRHq3EoUpbNnoB89N06GQ1w5DkfqOeNQC5E/wDDhx8JXWUHnad54UWGS9++fr
   4mHqUNdU6uA9wgUYUEeXkfUEyVlxY2OZAgKmb7xwAvfPrWxLadODpWMPb6dogmBY
   icxx9Sg4ZOPFgBoSuwLlc+43NZNz++ziOgdIvtbpf0a8GJVfg3ql5Ch8vUsNIfNU
   9cYkQg+hTn9RehPdM0QQzOXWQX3C0vFshV5eGqrko4z+Tw+7E4wfA16Hm6S73trc
   4YmHZtlgtgvWPb+CvQvmmx/xNmpatBYSDzPyusaA3GRb+0vxeIMqGXxdoriD0qrN
   lQeADPDYPcZvGOAYjvpn3UDs8aqKsZrqB88QUannTO+bhBUrjD8GBTSAg/Xj5yrP
   8DMjwc5Q//QhiizoUtsAyDvsfjYFNriXiX0XsIydnVCqBQuk0h2spfIHqXT8+EIo
   nNTq78WLbZiHqnKBNxWWCXakU7L5MeX16GlggHB/Y+klrWq9rcJEsoh68klYO4WN
   jCrLweQMCmAAktbQQhS2TWoN4gtwd3lmjtoCU+97K7Umh0nQOOtOLbOPCONfxwLI
   rnV3HG2gyILR9mOjQbAh70F0GjAgov4C8eDdzVTv9WL0blN2APdNT7dbW69Q/1Aq
   Zh0BncXV4QH+TIH3A/6gwEhsrkCMeLgSpEDAsQgZgPp/2XQ0JjxlnkxnTmsDie/V
   OWH4X5rj1uKa/5dF+RjR05EmGzbExxIYgI9GUx5K3JbDxnx2teEGznvpFa4o8fjb
   dxOlpnrV/NWuQBtyS6Ated+0ngioqqaLDrJBRaWp2Wj7UIepTctAq3Ps0ZaJMGol
   DRg4LtubSNRDDYfcnAbwvMprC1s4IMzLPjtVK7lHwwvqGO6BatjcWUN2qwbKMA96
   GqQFeXZ24loj2rPYGD1vcnFkUHty+ZfEo7F/hdmwLz3/WCnmlBtGj4/ot/UTW3UE
   VFTXxoz5m4JpRIm/eozcLVHh0FT4XviB8RrrrMqelN0dtzNTib0LnklcbAo7Fs05
   2MMWRTWxEokIx3Qmg7X+umqUKehNFtz+DaSmyySZ2i+7zlnWFY9yYV38N5D84Dca
   1BrbEpMpwxREaWTpnxHQOOPPmWAOpdMvBBePNinw2jSQxGLnJt5IGjQ1b+YxcDA5
   OSPvZp0igRaqNi+Dp2L9DATcvz2o3VQtqRDwzEGZk35K0vSaeD6BrFOLSsVhSXWG
   FaMKB5RaX1el+CB7L3wvIq2WsofM8rBAEd0ExLiyk/IC+n59WQPQjW/2UZuGUQiW
   CtgTtpWak+D4V9LSGiET/kUBXor0R1DlKCPmqXdvkd4E//Gwfbg74J8vyZM1y1o/
   dlfTicOJWZhqu7AUdLukBs0mo15P9JHXOg6Txgp/fpAGkYO8UO84AgHfpRDbzHKl
   HGTrERj8kAOv7MdFqDwVZHIdel9+JMw/sUq/TvJgRwrOdiEKLOaeVrRBUoInAe10



Gillmor, et al.         Expires 28 November 2021              [Page 116]


Internet-Draft          Header Protection S/MIME                May 2021


   RBFqcQOgTClPZ4Q/fVroIuoNxMQF0OnAMNG1KEDVYt/Gwq3syNH9wUFBLuEriOdd
   OKiFmj+beOl0n3JDREGM9pasBDnE95JnMF7X+EDPVo57W+5ua549SctYcT7SrXzO
   v0Y4LgT3y7EdiwQQy7eyxzTs1fkyFHcr0kLl1ajGLVxaaZWfMchfGIfyEYJWRLip
   HvjCdUhPGjzrAkpbmhWuWbEbUTNpyi1UIzC4rtzWYthVIdL1n/CodIiScKCk7QOH
   0ysSOAveFCmabvJG2GCXo7mcu0x7ruDxWZar3RBaLS+7gLLhHwZeZjU05E433yRc
   2Wme56dOTguGIVv1sBVZjGoQsGg5h1iYBxc0PMfHBCdD8Bz8cFhsU3GzA7lvPAw4
   ILtHuw1pMVM63YEHOeoZwPYUoriQsKCG8C9QDCJGXL2BL8b75b9+aZYojvRLzACG
   YszVDnQ7809N1M7YER66bWpr7Ni1w6+9x2XogefKDYUwV3+cw9BrelaXK4xGJmkp
   cjucFDnUVuTKZwLnmQ3EeBEuAJTdLbTQmKlZi7nX+Sgn5uiQRySg7gy4hAxPlNB0
   ZowjiMIxrr9ba9MYUgS78xP8iOclFJ/C5WxzTAz5XzYcbR4jGoMpwWY4CHAxFERz
   Tm3ZBqVvxqkLYoAts279KnjpYWwft6bL9acZ4Cmovb2wSzsCi2YXeHdll9uTz1be
   Lx3eJ2P3AR80F6LMDtEIL7/EeYHI5zF9bBVG7s3xtb7u0CEAzEUG77vcdQBZOMsr
   cMjEZ70fza5GFIi+cIYtPlVjocd0p4mCfSuFuBrICQDA0iLP3nqXjc+5RzZSkwKq
   TpuVs6PSp52rikxC04IUozxpfaJvqRNQ6fusvMn6/ZinRbuS5ZWncTyfqZYP8JCv
   3OHtdAyF+uGuqgycMGPQU8zZz4/+ZDXP0zpySZQ9WUiQ9zpqeuk8QkoAT1HgwnBE
   53K8HE+ceV32CrS7EODkHRKoMI6WhDg5PL9FobgSfqhNGLTYEW9I3lQxD7U4a1Bq
   MSu4z2QGHPwYjSGZ/aQgs0vu6+3SK9ERSjXzENKDeofah4AVooYoSAMXuKkEevVe
   bjnUJBVh/SBMGx3NTlEVu0JBZqgbfpW7PHDmg+Si0TrrJVSD5IVWYYfxM2iWdLzo
   GHuckDuw8f+jpdZtLpEoQhdzOD3iIiKJ+hrk03sf4vowSZSAmIsNhr2Xjxt2roFH
   KzIHyuIOs1RDc5O1DCZvVjjoC+HbDwaFErZGEQgIcHgZqPgdaTcubsMU0ykmmdw9
   SsRq83TpNTj5fbwrT7Nq3z8NtCr1l3PW11KwzbjIBJooX+bBoahkb0pG+Xuth8eL
   HXmpoGViY+Obet4pzbi2g/41VK4Yrp+HWgc1ZqzlBWR7GxC6lkc+xY6whA00L5Er
   3pBhXMNkyKVzC5hYoscocLOXmAlQVcDoMA1G3Bu8r1e6Ak+SYIviiHj+ElD67kBw
   gIZ0Qruh5GnoBiwIFQgsKUXFyNDF2PSljsWcZyevAJBiue3SlANdztwWMZQ6E28s
   NXMpF345BMGThDDK+YP80rmcwTrF0nOK3oDcn/hFKxNM1RQHHRpMkED8fiGKeX+n
   U32xWYhSBzuBKZN2sZWHzNju81AoK6braMqPjRTxkxX5Lvy0sKkgtGxxu6sHlvru
   26oZloZnCsBvjJyFw7Wqbbq8X9HXzGGAhBrBTCMcuL+TVShMbcgiV40GwCJDQ9SJ
   zaVS8VFoAzYtm2dpjnmjLOAp3QYOhNu78cEtjtS4GXFv+5jPdOuyn2NC/3dT/BI1
   mV0f3NKviHWX9TKLll7LwEeAkdycM8tJAXEydzq/Jyrj2Fk15P8ZM/ltzC85dnht
   qljIT+8ENZSL4U1XFFTOXF7QiEpCmbenvSlyG+0xYb98FSk6Y0KoO1I++qcsr0UW
   n08vhhv9nuhNRAHHcbR5ogv4S/Cr2yW5ChCht0u8a6R13cyJeHEtOZIB0Jr1+/yR
   Jv+tZZRzkI9Bjtppm2W/W/gSMvXFNdx+C7naU2Gtt7fBBTO6i5bRvfy1bGEAJksE
   ht0Wz9ri23JT/NfeL3rQuAfgbp2WaWQzCkuAgRZODnJedA0xOWm5rimru93eISWX
   sDx2eQPdTxndKBxP6b9aFZrWmX0srW6jKeAQ5f4Quy2sXBvU2jAI5vjkA/wWiG9z
   v8R1sTbkXzM8VWz8kJbT1uOEMFNtG39kQoIRq2lQSHrSFn/VhyG2wh49wG5giLB2
   eUtnSUvo3miqqCDfZY9B4rpHLbeDb/3NYlcMMQPQwWEKKR20zGiqKmMV9/jhaIoQ
   Tr3gP8TUhPeuC7vbS/IFLDkIAliAzgpoYllAWUwZmW5J+84dDPMrVStiQMK/CAZk
   ZIBLxwBnH9s6ucxtZWNFaatjMgz3Y03Twn5GOjjOJB9eaR6SdAZxDTeODajJIuGJ
   jB4cjm6Un8lZki3PTAyBFOupETWxRSczCs1aPnaZVcRWkfOV/O8LILxCA7lesZmB
   IrJ5U9LqJLoluggC/4wuxCziXCRXLz7nT4UhxYqG8ZoJ9rjHtf2t1EbmpmT00D+S
   71rAVNUg7Oep6ucSAR0gPQEA6T1sYehVYmIkz0QIJpQVP/Ls9ArZCkVpsmLoVhyu
   +pU/HIn6mLmmnqSlAYl38M8F8xjNX8UsOEuJ1X62coaGREi0FWgmti6rnzzYx0DQ
   8dsaQCHtZR+7+tgxYGrBls6PWxpP2gjwk2u/5kDiirRfIMhvke1ZKLmwK/DvlhSI
   p25G88scGcwUoLhsIzPSfFHoYEIG9MPAS+CJgbiKqljpyhMZoKfsHXyHRdf9YrmZ
   bemiWCBmwQK5J9zAcR8l5ULfkVC3kxgkdHff4hXsf2U08D+oANABAxDhxZFNMIvy
   d6HCmDdxtzdeUNcHF9XTJ/YGme8gsU0PJ1dPBsMPS0lBw2TXJAkHmY01meT8/r0v
   r2uYdPt44EwrLtWonChUe1LwMWeK0D4soADI2Gc+cGxt/CWTFRFbULZF4BRc+1N9
   xKgCvub2mwWSwCGP4tHGKWpAaoTX2b6uP5Kb7N7HDRE=



Gillmor, et al.         Expires 28 November 2021              [Page 117]


Internet-Draft          Header Protection S/MIME                May 2021


A.3.15.  S/MIME encrypted and signed over a complex message, Injected
         Headers with hcp_minimal (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10120 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6474 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2095 bytes
      ├─╴text/plain 59 bytes
      └┬╴multipart/mixed 1600 bytes
       ├┬╴multipart/alternative 1194 bytes
       │├─╴text/plain 424 bytes
       │└─╴text/html 505 bytes
       └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:10:02 -0500

   MIIdLAYJKoZIhvcNAQcDoIIdHTCCHRkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAJY0bRwKmnM0NyOz+IgHeWMgMOX8/jDwHHrP
   t0MXudwDeJwQDmKd2J6YtkG3fRjZx+MS7bpLReFPedY/7RAe5oW3JgENYa1HpIwm
   aD/h+qIxTicIrNwzuiFAgWpkAArav42vaMmG+/Xh/POG6Gzi0KPeJUnHyySf4Tp0
   AfyjVj25criwnRM5O747uUuPB/jfGaQpY3juME48/ncykOBtoUJjZRnRfGPEGXi3
   PC7dqg1DU6psEBsAblddc3UiWHmvbupTrzFRZ5GJpQxxAiEP+dyYkhEmmymIwVkl
   LmxiN/ym+SGbYN8M6bEyQV+fa1XHVz26LJIZNTM7f6ud9rZlRQswggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAP6JUg6dihpC+SAwERMVQthSf
   ztjACWhmPPjx4+npojd9dah/Wc2iimFnMUpEUzU7AA61CmqDuC3TWJh0CUFy+QdZ



Gillmor, et al.         Expires 28 November 2021              [Page 118]


Internet-Draft          Header Protection S/MIME                May 2021


   TS4Z/46E4te2mimwnE/vh84lgRX0G7+XjemnjeWlfbbtcxjwmUQA+largOX/O78C
   3Wq6s45zUj/3gAUDOaIrbS24/VdvM0kNjbflYC5bVoRV7zCrnsv9HZ5Sl4R7aU4f
   AMPAEzt6JuNb56XLUeEjtLc/J1rg+by71moz+bl2vAHrCV7KS4rjuvdX5mtyx+7Q
   RsxO/4U7edUDYP7xwoRJH7BJuQ4TCpribA9gExERt+8TKVw1axoZ8q0gfLklGTCC
   Gf4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEELIL/TZpjp5jGGOzwxBSul6AghnQ
   2G/ggROJ0uuf9cWwp4La4W+lALvFdSImHu8llX0XfYLiBrQWUJsRX4pa4bT8jUPl
   Wq/HHEZvS8ehM3FIlpxebnDey2FCxeAQ6Pn4oByw74UnzFeluL21PEeQeJTPbui+
   sLqZqq4HWlA0WpDERVLbWxhMDGXLNHrgmy3tYGfOa7kP0mKnLahSRBI1FG2HSzpd
   71pHqYy90RE81qK6B6ocsK0+2D5pPZHFOedAS+xVMhagBRJrK9em5mSoTVZPUBWv
   sITwwJI7lA98wuX7WlAHwk2SGNrmq59wkU6hF8ZVpIg+ItMwDW9+5lKI4sEJy3Y/
   oxP/zQX/+/GhQJSArY/Bc2k8dOcLZcFSGKglv46bm5NgDl0tQlg/waZHVYfyvDO2
   lB0AZpiVnum8B8KueauYQ95Mfaq4p5dldBye09fCjNNOsPuPwmmJMyYzwr1+fmQR
   C9yNfArM13+/2aRYo6ti+8nldGl+cnCQDBXu48KlLZH8oBIsghIEmMw+3wGVb3ka
   TXpTsYqAQtjg6V3J9FFTNbyX8LlHhAUbs0I6lyDwgILSEI9/pQdbkTE8oqJ8qChu
   wz4ZMwh89+AcMqInzKkhsOq48DbBLVeZoliknnJsLcejbM/ZN9tYVc+wqZ0YUmEo
   gCmd56WDhEGwKoSz7O3reLmAjen1wrKH8wGIzhlbL9rja1rgWSC1PrlcPVug9ghv
   6AlqZA2q7C+dVqdu2WhGgEktkccAnM+DDmSJxJxCzVjJomW9bdLoVxdvbhNfleQm
   VjxPiY0Bxkqkq/JhyU3JcRpQ+b5XhA7q9PIhDRllcMOarUK4sMEVK3n38fZmaSzZ
   xl7/DjiQn3EKwnEQso4/dajEdCAOe4cjRBdn1heQS5xnZgm0uuYajJ+jv35EvyE8
   gXayeJiyXOHgUesgqNBFzT/Ld4qwQm4v64GFa2NHyUYcyqKpzIa1cWMKllMhaIbr
   iGQun4s36wYtiUEaDDxkfbcMr1jDDHokB+nCNz3Gg36zBRQJyf/LFsIk0tQiCOBk
   qOxMrcYD5x0GT8EDHKYtmfoXlCE+H5I5wAjK3KNlpWDrrpO0Ynp7fYHGeMClt23/
   cDej4eqGpy+/OrVwQMeiJ/V2hL5Q0Qk+POhjUEadbPPw4XODQADBeT/y/kn3hWYU
   otNWg7bnJYhh4pMYXCxYwFSK5tpc5cszCsaR0+CtSRyTVMxWTl56IWl4n6xk/A5m
   surHCqVn33S7TIjH9aTCltz9pB/5c7/Lq/RJbGl3vw48ILJaC6qr7/w1eWJFp+tL
   ZEnFg6oVFa/aFB6QDQHkJfyGa1A8AgtCcCSLPsugeEOMfYsC4ZEg7KooLxDdIblv
   FiHFv0N+R+p8PHNbETNO9NezL1CIGgzS74xGW3wbnOlVbCtEJbGjVljVYWdpBnyN
   8c6i/ASwjIMX4NuAROfJ+B/XS5Q2WTMwNmwxwsEBK6ZDEYEKIgiMstS5cwcIJ5EL
   4f/f/O/7XkE6n2SJ2+n8wSJXQM9uEO+QQSawXBkGeoSVDptDAwiiRVpj+aNmr8Oe
   Hqofz8lbdz6t10Xm9j9+DG7Q0kqoyLBnjBdwc2JGPlTD96BRFz879V/jgTw/FEyr
   x9aGtx+5sBFTg5ds+WzfraqR9DSOd0q9xEGZ6gRKbN6LRI51q96rzoAGoaYTo+bS
   gIL8dxU/PzDxEZ8GOnH110vtnt+b7lYWkLQe/K+tMmEBLMmNMsMHDO0amRU46xG0
   Awak2XOOx3p9lsuCR453Vn4CZwaIXpskIDFo3V1iWIJd58tqHbVwnyizjpnrcnq9
   FILQGrEoLhrOvP7S/utBsZ9PYihbD8aduzZNpNWxC/Lv8LSP1FTDB/ZPogYeDw//
   wRxo/m35QFwfG4U7U+uW6Z/7N/5fX/DdPd4bw7vuJQO1JShB6PCfkK+dGh+1XMKX
   /yI5PkmM7tFNg4y2BORcHGWjaKNp7/xU0PpXFraIwENhXSGT7mOWjvyONjaOldxP
   Tigh3VrsWGOf4kyOPpBDzcdqUs8wbmp3F2OQ7OP8wpa2ou84Ka85rIc+RyjT+izE
   nUAq/aT/agOktwHBAe8EzXBQDpSfCpTQaCfv3NQPL+QK2Ty4EcMq9FnT5idTnlmv
   JP8Q3+Kk8oXz/bdkvW+dksfQw+yE8fZfyfwRJKLIEMzWe3HtOMr18WbVU3pHhwfP
   OouEX/9OCZenycf8P3KJ+ViaS1RrRL/O21jVupUgcC7kumJwiYYYjH8q+e0JI/PO
   FqExNOjm1xm9ZX7xu36KUawsw1HiooaI45x75ddQlRpjmt14pQJYNoaweOActoba
   V1c550tHt7xlOIJNwhLFxIgN2axvPEdhONDLMOqwPjCvG6xep6wBagxrKHvRUjU5
   XLvsPAeItrX0oUCvvydX7Dl6PmWauy8NCNlDZrxrcYrFHQdTWYzVUp6M+pt4SRIE
   V8YYAvAavVsZBWSG9cYTEkiKGBnV07qPfrKn0gzjaqDMGtF+FOxoqv8EiZ8bI5c+
   IztGlNoT7bpFoVv7Jcx7wNcYV9Xh+/+Y7R2GAaW1GN/A7OlLmezgJD2HdfHvaVZ4
   KEZMo0QHuBoJLsqhS7XSLoLgkaq+72VPNI1xYpHC3qO63wW2K7LvxxTs7Z3na81g
   c5brAyNhyERIqGLKUypxNLehBzqoA9/+VoBxnjO5DLpV+7lbVCXuI7PUdvMwWemW
   DFzGgIhjZUf00RXc7/3mxiFtxXc+9/GcBwIluNcC06RiC1cqo8zGbwC2bMVKvrKG



Gillmor, et al.         Expires 28 November 2021              [Page 119]


Internet-Draft          Header Protection S/MIME                May 2021


   7n+1shUyxz3QFKXQu/Qv7ZPpDy0QQvv4pOrC7ArCYi1K100uo/lfN7WWF3S08RC/
   5VCzAaUYA0h1OuKbNmhFcK8GCHM91b2KBU91lfmbF6QNh0qeEdVABj9uBO9+26LT
   QaQJZh+bBDQCzTUVu97wHfbQKbd7xy6epVrSoBki9uAfof0pElcuTbpSFtTtgKzT
   kOAWYgmt9QE8ZEqjf6Duj2CBkcXqFKOEacx6QoUxC/tMMrMN4w+4vZyJp0k61/00
   2TgmIUBekdqFx1cg60v5G2ad9fBB/a+q/IwIPI+T5NsepMxapvH3OfqBIfPCLAg2
   3SJKuuPa/YYr0i1z82XHKtbmFwF/pVGVksiJYg4mLZbXAor8RXzAgATQEQ1Xz4XR
   NLS5PAGD4KpY/EFnROv0Iq56t7mEnxISi2TolvjtWnGkML279EDZjBycik9+yRAy
   DkBcMhe8WQdlPKgPXlLLUWZE8QteESP8YJSNqyQ8sYB/W9JzKSmDPYgwHOl+q2P5
   Y1gY+h8uPLzv8Hgbs4WvEq3ns2FMUaP6XuuMeWO5qAgAirUU5L7pNLQUB569z1NH
   GSAhjSAJdhNug9nuubG4upaWuc9DGMbPJe+EC6itqitSaBtL5lxu0aBa2TMhjn+A
   PQEVzDMf78TQSUhZy5HJnj8c2DupKL6i20NIaF1doHHgOHXRxS6VPJGxq5X/XanK
   TzMV0cVB2cltkcf75/JYu1JALe3o+49fm+nGUHrGlp6eHqXo1RwMaKFh/2Kw0nVs
   nivNX2mAoZAQRlZSJJCm9KOX7AtcY+uo3E+9wmNX+3iCwudxTjWNqFmD//Og9CED
   aiqxFmvJF5AopqL5peo/BqH0BsEwb8lbeR9gSP5LUKmFFQ/Jeaf+EmCznUfMi5JV
   q2GzcVsLjsKjBipSccydc96D8TXbWSJJop/qz/47usS5kAlha8RhEDCKGe2s5mPV
   MRtJ+Dgn3HHzsVf9Mhb7IWbrq4W9jG6elr18hRxs39FhzZD0ovnFXPdiR64caAQP
   gyMFBrUdR4AMXahTwyl+rCtAt7SUBjAyIOXsjqEghENX/M/qi56IuI8nWg+cJtDL
   yFWhq3oJ75wEZGSX66GHMYcog0NMes8Lx9rsvBun5MXfmM+Dmq2VHjkAKP4NOPlQ
   jXo+kxW6YjfPGRAdBmlWrXqRqJljN8qffpgbAOgIF4uq/QD0dRx+dUmTWIAcU3C3
   AW7Wux5f3w7AUNZDjt39eD0ivI+3jgMiSUGxCp3yZ+dQ1hxjnpq3YnVCTU9iJJ2r
   MXg8pOQFK4ofZB1EmBmhxJd/2lN1WAvAJHpgFXGs7Qy89WhY6RObYwvBPpkULu2D
   aWVc6sEPXCgdBiSUd9fFbWNhDQd5puLpEuqLftejN7WNE1+Db9aiIlA+v05T3zX7
   PYGxVGuYxf/P+Sl2wBR4yl8r/vONAyctAALCYP/KudSIgXQ7zWVC1klAjqRksWmK
   SDtNmnXHlMfPTt7Av4vHX8iZrz6sOGpMso9j+Sdo62Ppmbwl9vS8gbZ4zFeelkXh
   OXXIbRo7p3tMeFwsogY/7o8Y+9gxep0rm/w1mTWsQRHJr0t967Ki3AUrX2HoIa0j
   mlOL846o7a1kMrKIK0FdFmWUFV7/iWbjoaX6GWJ0ovF5+KffFmfF1jPYDptlKR1K
   PFjDwpzWuIu94fmDL5L7KcMUA/cGd4eSkXaIpYjNBQZ3QD9kqzoT2KopK2yG8DAX
   ScKlkB6EehTUzBIpvYRA2pA0W1Lfjnbzn5EU0PWa3sp2Yq++C4fURxEt+8yT8t6N
   WlFlqUJRQfWmEf1ZLHTA4Lvi7/HUN8JZDfNw7wckorMO4ZPWYI6+zBQmhx1IiGun
   PZ5s+lUSQKPi1uUArMwfcT0CkTE1ebt44z02GEyLyou4ZelKbz5oXh/mz7qyUZcX
   U6WcaNHuvIu+3r2I1RlblH1FYHB0/l6CQYQUPZh/GvVTliPpg0VqxbE//9zTYi+R
   JF430mMMRXBhiNvJhWEfbdVr2YQXQKwN8yngzIlC1blCWWXE8LxrSb9HWbUrFmpG
   XcHg94A9B3uUcZwX80AuW8Km35KgCqNR5se9r3EMWeSvR61cTjZq5jU9lwwpkGdD
   heD7fdGDLq4DRktks2jvwn4UIm7uEu//7A77jhhvXgxv5no1EcrctPsMZsIuSsp6
   wUlMgY07vUuRVTSxmdeSwUXzwTPKqsSCq0XgdPe5bEjgIU/+jCTQczYeIUHqRwLj
   5qay14SkHSEBv29pwEXTJg1R9NXYQ1J9GtPtHrrS9Nf60YWMbsWvCdeM29BYHE0A
   4bZm0KrNNtiQcQu91diLXG4lxsW/ukLTMndvp7zHbKdq0dX0I/uewQsecCZOTNkb
   o/NyDKUd215Mo5LOTQtvvgZ5BB1bB9y2fWGsRvGbI6rZXCcEa96PoCaNlFAjT2tM
   IjEiBcc/5T5qY1zNcw9HgU47GEIY3iTVNTVAdDAIfN9IIt3rWFhjiOgD9jcGBMyf
   O9NNPwapxJ0QDzFBgOxYyQXe5u84T7PTxvsJ2W9wYXawqx+yr44zPrSTGcRC1ed3
   EH1VhSuooWwzhlXFtRKure3d5K0lGUoNXwQAlqyNPA9GoyjGRdUnO4RY85uf10za
   76z8OfGYqxnxyir0ZNZKhCqOhzGI8I1/mNJ/tvmjfF9hLbNOXWajrL4ziMeb1thT
   3Oj2sTLyFWlEcakU+4XhU05IAJDk8RyqRPXD9mmiJx5h9pgAaa+B4huIB8Tbx6Hh
   jsPszUbkzFNt64/+C4y0Oq9c501ZPBKxiSx5/1U6SlwkepBL2TZjio1w9fACjGSx
   /OxUjlZNpWe959WL9eG7GICIy9yDNWGvHiQxxSZZF6mlN9ob1N7KR6jpKhWyKIwh
   EukNuUKuYYqBnLO+nRNCuVJpSPOmXXmbTcPC5QRTrTem/krg6cGRMP1qCQ84jJDB
   XBY+MX1QqAKrK/JLuydUrWjoIeN4Zpw8USZEaBlO9ZNv8ZJlYNv7Y+mkz12ZbnmI
   8cF6pB9Dw16c78ESuwTE+ghGnPtvxZ5dn15oxlkryWIWHkOJod2m+3x6assc2ADa



Gillmor, et al.         Expires 28 November 2021              [Page 120]


Internet-Draft          Header Protection S/MIME                May 2021


   HULNQRYqyR1RgwUysf6rQLMT0WRWOEoqn4n/SuvPpfLe0VylldnBMT7Q6awFkTtY
   Y2kWJ3NwP1G1Q8rcW9wcXj6+92XH0NU2sn0bNei7+wK6YnLL5rGgmp5QjPYlYJrw
   sBGZ4hPtxmmuAKRWtoy8+oyT0kHjIEmg7nqxUZ3WJjk/SxQt2j+mYTaBPvqrIqmo
   g0nxu9cnUVNJs1ScnF7Tceu2GFtN1yaBFZlrkW7uX9FWL94LtGletsVJlEPB4oPN
   dT8x2siM3HHmqdCUiQd04oRUYG4A33NwI2GlI6RQ73deLlEJqUPUqhahyA3FvK6K
   lU6x1Q13/TUj2satyjiZe+YNhlUZXmwTinPb+pUtsuo037yt0JcXjqdjkTEJc2yk
   gSKWwYZxQJtZkYRme1TnI0sciULrdtLNWQ1CDR+V4lyoc+6P7w9voCM297Ip819b
   xif6PKmHwNqdigey565yB8ngz8JwLtvq2BbbQjmm2QV4nMbeMJGkvwDijp5q5pTF
   9Rh2ljMBcJq9EY8w0fYcEEEB0PNF8iIVPoIvJNSfUIPoWhz4ocBxQCJTlD9ZhWMg
   yCpOuYjcLm34O1swrvNvO5hb5Kvz0xSMlYhC/bU2phWV3EmnS4DBvZCfNxIUAok/
   zfbfc1B1AzJ+w/3X6dRRcG3tD/zn6GXT+SBJGOAKZ1W7fJcNA0a8yzHq6IkpWdjw
   D+WeHOYQUN+UPiF/8pN8xPi71fyzJRpqj6s792yudJNvcg2WZEf0gdty2LEkQ52Z
   m6mVcj404cGhyeiI8Sa4yD/LP6msfMUB9NGxKpknMfkzE1STGIuVr+3E8wdkLfbL
   Tl/HyfO5GpxgIb1Zw3i/EUGDkd1dy1qI3nq2ILccaYJsY/LjHKnbjAltj/CCyWqB
   W7rmbpHpqhNEHomC1on2C/mzN/Ea28tzhci7bErT2giDHVlqqfaAsaDFGngmbOGx
   G8mpoj9yjrrew9b/KfUjd+eUzuXoWlFVqmaj3IEIGsSK17dd6TCOYbujDyRNfpVf
   nH9H7JWBdpdH3IJMapHuKVj3Gdfb+L0KHgAImHMA2yQQQxmluvLZln38UQuM2a/B
   mXHx4D9tIzk+wy5F7atOqH73gx9KoZcQRvU2E97H9y1ddcTTDEDhhohuupn++5ni
   wX3IE2UywQEd2TPYWV7xCx5/LypsNG+tnwLneN0HFrXle5Yvt+zTKiZDlCl9UkOM
   wphDI6TRyOlIuvK7h44fTyBKSFoSYyev0CBLDP9tUgo3oSR9zlcDJlP0v2XPoCQ5
   jTlj7L96h1JQnKX9xINc5bPDLocMG5ht8q2VItRHtSEQVrZtyVqokJnRtIVDR68F
   aho1hjC9pZoU4fEB6Qwpsy1ITyDdkstjuYl71QDChs0ceoN0xx4TO23czVCLN+z2
   UF5zQwK/fwz4Zf8xpStxhoqEfG29dkXR1y77I6hJTjmjxPyOaWw3Ffw9fFU2mtQA
   f/DrlheHMOyogBSllBX1xXeyD7tneLVebUK/RPzB1wfsxA+t36+f4X0XfI1xMbWV
   Bd9o1bxgaob+zASOSoVhpi/64FCReUQPTrqQlyu+5rz3GsHSVxEBjV3K+F2ZFgXH
   FMt4lj4LKlErUZpLKS+PsoR4Uc71dlrcTni+baJtgsdkuUCnLbI1o1+c33qqtWyu
   3MD2OOEkIO+2AReqvbhT0R6BwkZGlhU7k1sZQcmnjS+wUR6zYRdnQ52zJs/fglEH
   fwKJaRagDSb3+HvCFsQVcgTia2ppzcbnORTYTfHiugWv6TWYBLOtOh3odigIrMZb
   I+a37z4tL2bBR0engUKRha///Hv0HX9hYj6HufnHbrakx7kJ8QDiM7/XbHmp/EFa
   QsubLIXp07htSBG8rYeyFcnY5DCygtNRyeBa4gvrQxN/fsssay7wDPylUjIc/83Y
   WRxvKlsONECIPAUYovLO0AvHZeZsoes55AdGyzqZqhCwOUNwwZknmhL/3D6sZE+M
   8acu/0dBUSVkQKceswjAlK3mwHoMV87E8s8Kvg4g7/mpZbZfNZ0ux/cj08Ilglb4
   C55JlH7H5a7rueuUdkAedi/QB78MjZKsTFHlfeiov5z7C0zv/xxswUxTHF0l5l3c
   N8IWLrgaKG40QoFhHjTPe2QAmgXt4Zhi5BCp+e4JqYnPmmBrw4GjwbnMD4AE5YKf
   SI/JkCSQTaGeL5cl789uzqnVh+wT0rft5uQpB8l+RgekwIqAcwmeHww8VvTIGtB/
   940B+UBeiWsCgFBANm350hrfLn/dh7HwOemg6CRbmNpBGXpIjWwE5L6V7aD9T5Qk
   fPZgmPkc65oZ9S7EejomfGH30OyUr1oC2jsVPd+1llLYlH4Wv8pGWzkKYhXmGyjj
   TKOdWcOsc0/9ChR0cHy5b4E0NVKm0wCoJstY+bgpDRYbA1G3Urmmh43g+pbfZ15p
   jVnx7oQmlzeLpfpWcFZbJ3NmLBb/Y/QmMlmoEtYbakYkbLYgB2DMrBdM3hN7Bwi3
   8VM3WUes9gb1xvz3X4IEVL6Z2cAJDlxgyyFD6dtFlvfc/ONoZXF+pydrWQAalxQZ
   uDZLKo+pdGkVZC5bHtHQd5tc2EmWiNawzK04KhEVkYTbO2KIYWQvwoN0aiDZEY40
   Gb4Pf9kUUMCI0T/uG75DqVrjIvNooNPWOUvE5PuVN1sK7vK9sKxzhHgyElygOCRl
   VOzHKuB787LgfyXrHlTfY2PEIOKCqa4FuYYT8WTG/NtgqVjDE2yCZsHu/qUXSe+9
   EwfhEUDwS3np2N9dwcMUNZKvefeOnc/7D57Z5xCvsioU2yns/NGMlbewMpbVaDjK
   08G9pfLq3EDTU0Jw7iAZgG2duaIouYgQS1uursITbg2npAD42JbQ5iebrRUE650s
   z2rLkM+/7/tz6TWhUbcIJv1BbP5M+xvnWwCCzvm05Rm8CrLzgb+7jFbYHDIaaYPE
   gfGxSiuIXxBYyTAWPj9iIiHuCwr1BBw71VY3U2gRqxk=




Gillmor, et al.         Expires 28 November 2021              [Page 121]


Internet-Draft          Header Protection S/MIME                May 2021


A.3.16.  S/MIME encrypted and signed over a complex message, Wrapped
         Message with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9425 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5974 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 1799 bytes
      └┬╴multipart/mixed 1735 bytes
       ├┬╴multipart/alternative 1114 bytes
       │├─╴text/plain 373 bytes
       │└─╴text/html 457 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <0b3ea6dd-0e91-5a91-9bc0-3d553f892983@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:11:02 -0500

   MIIbLAYJKoZIhvcNAQcDoIIbHTCCGxkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBACjMzFIXlc3EbymBS0JPbwPNsuC8oupYKV2Z
   zEPTKjXpbK6gAq2DHXW+UN6VxRnuK5og8/5A6CH1qssj4VvZFE9BYmVtXBQzdSYg
   UB1lOVwT16EfEhaHMPlw2rZ6F7hnMApYrpiH3oMNzDF3L3AOMRwwu4botbDl2ONY
   KC1TGC2i77Uy3EfyHxO6yx2mOvL2xfzXf8lu3uP6j0WcOAI/bcwmMybxP1ieHsxp
   MM/wy92eu4cRreEln/W+FDwp2PCTEQE4EMeJvq9ovQjzRSa9EjAsadZmJ66KRbDH
   OjIxpVISEgPCSD/nmY68P92JPWt4lySKmjm3Z4tzNVWcVYtxKNwwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAI/LCW328CZK5s77+nE3oW/7D
   8ciV58oIhhU2ACOcQX+pBSXDPWl4DcBF0PbajRnzCL+RHbEDOpvV8iIv2pG3izDU
   XKvS9U5iVvFM9ZsCw2aUfOSiyw1sCT09gVMZAJc32hASFpPZDQvQnIMG8lnPMHaH
   nsj0CFc7M1RNcgrI+5hLoc3YSZzlv/khKsj04/TkKtfqJdhoei17Ch3iMRXLXHcT



Gillmor, et al.         Expires 28 November 2021              [Page 122]


Internet-Draft          Header Protection S/MIME                May 2021


   J5z+Pp56onPplEa3l6SFYEqj9l5k6aMqIfujFipfXU2xLN8wthVGnus6wroDde6G
   Rh19XCDBTwsqlr46QAOUMie+JOx6mA4anWEDK5UzWmkAsJ70afNOF+TWxpTX9jCC
   F/4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEENOmE62/eOPyBJsQx75+tcWAghfQ
   RlceRC3Yh6DhNhJPej5k0aSqZp4yYE3yGFeQ/nuY7KjRFQ43ZJ2D/McFrfRQrox7
   2JXDYRlN1QDrFY5Ik1CkCArMAH28D4b8+VUH4bLD/hjoCti2nfROXY4dZaBVdB4k
   1sOplPXAHoy5gK8TeMBToyXoIwdQ4SP7BJFzfU1uZq0JIrC1Q7muA1MM2AY+nPhU
   fMv4zr7pODpQz7YWK79GeJVM1Xsu40gvduJdxdt19Tz3cqB3Vg64nU08vDXp5A+e
   fP8qxogkv2pOn+hPv2Etg6TIpZYdcfHIysbQYwGjkdrXxFoSijD9Ankc/OAaZCvm
   WFv6+GIff0jk+lI7vWje107u2WIMsceo5cXdVhBLL4u7/x18RukgCpJF7LPEvT4e
   1aWzI6nfCM+yz7GucNXeRUJ3PP+zjmDyzFJg9KvgL/fibz3G1js3CibezT7cWPDy
   9WeLULXNgvfd6qdeRAk4oW0NN7Wk1ar1Dz/LOyv+tC0YVx7B9HkplY4x9XP3dvqy
   cfgTJ90Z2b1JN9YKa44wGN4PfJkT8ChCpaw+1L9LDZrTQyQAzfgHkAKTTazOS1S6
   SUyz02sM5cx4w/FwQzdSEyHZSzor80DffYiwSUQEgvm8aO3gYtWGvRdTQD9re/yj
   cotzfYeezN3Z2gr6LdExUwyykvpctLjDM8IAPgXfcaJN90QHbfOPoqOCgP/68ohS
   5tY9getzCcNE0UjwWxmkJIRBCoy3IcCKNjAtxwaEEF2Q3Ummaw7i0VkvYaN1f4Kt
   M4uYYxV+Jyde528ltqIYcAsB7+P0PzJ+192TSO/zA4mCH2PlpQZ7OaUsgY4WKo6h
   oiYgTNxNgD1I6SlhqQtRkuQsAOQcVy5rpss453xZNBU7gOlbUygMMZ9M00TDuW2Z
   cGGRi5KtHOxIVkdN8R2/zFLrtyBXIm+erRUyfUupYrHxCQr+BlZsLWsuMwL6nY8d
   beWupZ7uD7l9xdbKwTuHDXwttRhzRzM+IkH5JUh769T8IKNU+DpJ8APSs9sn4Q9w
   y/fuORtJIHKMo6WmTyV1zipHd653aKFL7Zz16rYz4Meg/qsKxzyjlH6yGhgccENV
   2xa6DXmbLMvKp8eME/nurEB7g0ifozwMPab85eJDxSQfPktofgDESqa826WGQI88
   rzHyw6BFBC1uPn1hcMq0r6LR1zPhAcqQsx7zDahTYRspN4xSEUe0p3oPJ9tVJKvr
   mHAHO5GpEx2Zs7RWzXLBYb4fVfrCHu55O41EbXWU1ROX5JsVJS6+lLUQViqUKk3F
   tyBIYZhylAGEFHft/J1JdjNz/6iMrsXntiKNIpRDSkvQdVUT78+97rH9t5DbetxJ
   NnH34n2ZvQEuNghL35vBQv6Pcs4inkZ7OLY07k+3Zt1Qogqxlk/3ZZYQ4gg0x99C
   6bS84GZV5OchQR0h6Ci+iCiR0G4+koTYo0BDZUa6JNR6kyX1LVPZys0QSbwi34BN
   n38Aenw57CUUkLigHfrcd+kw8nfF/VjMFda2wayrpQ0llmYWMkM+XfUtFQjplZ0c
   O9sdIQdE9G5+bG7YcU8UZfyl/UoqTBELBLyVIR7y7+80IDobuErkIi7WbQrs/rkK
   Jzx1lI7Z2zR/Cer5pTgaKURcEzGEyHwUD1jwNdpUstVXgSLz+Pe0zdQOLucAVgtG
   Ct8VtAE6xpdYl9KxU40Ke1VH/FU0L7uq9Br5QBawLVvH9R9a98JgfKdB7Nu4teg4
   P1X8IWna8kT75n1V5o+EcrZTExyNPgQJyAvH00tCdj9cof0QNWQ3gw8RitEGIocX
   +gWqLaeFmXX0500a6a5ypQHQuU6sUujZMj8biD0NaboGN+wMiftu7fRZBcxS+3n6
   dYx0pwlU6CSrDGET03HvVVWaJl9rJ1iGB86Q9VFXvELvwysuR3IpUxmlH8LDyb5+
   LHKxe0PIEEO/DGBPE8YFycGXIpOUGeO/NIRYXWJy3nF5UoVbYLuBrB5i98WB3CY4
   RNsk5UBmoZ+q0EKmzasXgCYc+nO758kBgNtmnVyH/cRrwrQALA8oLm+qURNUF1PO
   vIrQkKnFNh6QH/K+mJEPMQGzSprhkhS18WOql2gpgqiVNbUuj2qQ1DC/riJZOF+S
   b3wwGyBN/0WmTs1VxM7TjyWwfu88RXE/SozKwWbpHrOIY10kQkPxtE2zYACwrXEp
   TVZr6RTCbiazzvaps93hXruLDXBKc0UUUn/wTgAzLyCVuNl4obrl9CAPDkZIgU6M
   sJNArE/HJti3cvWTIavEOf4ez/OTpdzoIsnyv31Wc/0QkGk07qLaxq90nNwiWPJq
   J4HsMDwPzuLhfg5cOaA+9xzKzEEQQquXx3UMKRLht3/i4mwuNepZdYpGz9Go7Zal
   O5ZwzzKde2H3XGa/3wsXhXYfFD/wUagmDYEmILXwFifSKLOo0GnX7E4zR40T0Kfd
   6JJ76u3RCo1j7BMas+dbw7RQ+X0wCd+KQi0lvd9IMZ4Yr7vurZnpGRdQQh79QHbK
   l0RBMx4nyEsHyUQii6VxfmvslF5yzRGzePQD6HW8O6LTci96omIBsdpSt4rSr3CT
   Ig3IP0gSNI/H4pu90R5XButCbu4fJcNFmb1VQswBsmwTXl+5G0QTVRoqst3a8tAI
   +4mnaR/uZRfTt8LBgMDK59jSuFNNWxgrCTUm6PSRaqm/9ZVcwvXHLWXNFYFGC+6L
   tufao/+k2Bphx261a/AERJyRJhgFF1gDyA8G74wfrVcYXXLYwNSP0sirYsjN9pE4
   RVMFNKYFaLsMyYiBAJLAoD0waXEBg2/kKeBPKhpNr8yIgQoNbpSxYV7oYqHCtBtT
   k6o25FIj2MXauDvdxeN27drfjXM40x2Jtm/ryuBhZkF70do8bqUjMWEHkGxbGUa1



Gillmor, et al.         Expires 28 November 2021              [Page 123]


Internet-Draft          Header Protection S/MIME                May 2021


   7M7vPMReB7lfJeJs+HjTYrhHXqtLsKMJoHD64boPNMAOQnaJTKT4WwVt0Op552yS
   rgc9vhaA//BN0oONV34x293H6Z7l9aBY6Su5xp5frwgT4vy2T2xXYASSN6ewGsN/
   TSyp5RV7n93PmeYxcssAxRGs8Ww8V8AI8xk1Wi+hRxoLy/IcxuIKajUzdq6XYEBB
   RzAQslcM3bXpIA7xM0OR3P/grAqH1Qhh4zBGouljMH7LWRUqspCW4xGZdBAuPogN
   JgbQaijQzPL8I93qw74qce6qTVTio0EK2ljRdOQ9Q1J/teG8hfaRlAcC5QUAr3GV
   X1Z+CjNG8ywLaOyyYHoQ22yRYmiLuKkR93u79W9gogN8bUE3Qrw4wPxLOKfKZlQn
   k02QnVMrHaQAcY3FgXOpdvMC3Gxhpi8AQzF2OWQDo35UHDjB6rTWTrRIxI7O5oxN
   icVPihJ7XZF5eL2WpISJzJ+zj8tcVDA1GOFiNlC0zF6jHEUEdRvc++tOSao6Ckwa
   +8sfsmoYRAijrsKN/BW6P2NC5K7KH6LwzySHdJNgDofW3Ekgw+mrSK0TzhrE3F9h
   R7m3/mFa/22I2cHgAti+uF3RSL3xli0HOoiH53MM2B7G4xpkcTCWO4tmqfYBrNUI
   BnLSoz2yLxWYH1mYGnH03ooVK45N9/BGUadV5ByQaB9nC8sD3BEft9wTxq0jRBPn
   eEFeiIDpbz2TzkJ5XTrAS14mR6jaxT0gYfM6T0YMhlt60HHUujWtv3SMoC3JBXiq
   lx62lmdvxvJsoxmET9nTA5RmpZJPUSXn9R6jXVNg87CC3EHXGYS3SVyGT5l24X4x
   90mRan9QiF+a3pVjQTt33UzHgpW2hwrljL4OEik9jFwXf4plGBT8Itzdud4P7Wqc
   4Lg3cbsBe+I53m3Ghy04tQ66fggE4Zi23OH6DxljsE/JJ8DBlnFA5kCBvLfAP8zc
   ZLbOMo799nbexsfJp4jo/0TkFzMbjk5Rp0vRvJlxqCxZiMpj51FyPH7q/hd3wd9f
   s06pJpXI4AkUXxeMl3EDmcYe4e6lR3RdFR0Oj+uHlQQFwvQSKMWK7Jq6K3bK1y/t
   DfutHObp05kmTjgoAEJPxcuKV6y7bSbPc6LHKU1SPg4E3hKHVK7e1TQqAbTMp3du
   Hza0QeEbgXw0+6/8pcC089XAoQ9Et/YvfxmYLZ5LMGfYkAfHsmnsy7kKLEOiPQNS
   ZNwef1XUfUecsdGxg67Y4E0y2RvivaKFsoCrFCKVIRXzKIIwVUTo/qyDmbUJaI42
   SsqdxKh0S42Uj0Ey8pew6G5SJuMK3YhOvmraZeVqJvfpQxj/FpEzQIqCKMiSF1jY
   H009sESdyCWH2F0thzranDGRRNDlIbwv81kaflTgl5Ug5Bu/aoPnaBhMmTd86YPs
   PNjBFdcr92jnEjj95zPhy2nGn+o96s/dzrTvaQpq7BIbtZcZRxvQEkY0tYGoZ98R
   C1M+kKImegPFoU+4UajtEnPVhbPxom0kZcPffJcS7i4nRPlrXKaOZnQ4Kc9jxwIQ
   kqJqXakWQqGri3vGaUP5PIfdbEdjVPONpf/WJPMHCz1v4fn7eEsu7uB1livaUVpz
   /vhLzvjMiJB4D0z+B+YKDKmvtnGK2+JNJbwbYiPTaykXBUXxmTFMeClhvz0yZRST
   mWtRFKopcKiK/ME9roq+FpZOeRSPkP3inpZYZQ6UpcfX2GHa6sVmIAIrrmPKjWsQ
   MFNMQXUWT7fwmHRzZhWV0jzDzjPxAIaJ9PAtEGkdOwAbWManCx3G+gju0lJV+WtR
   NQurz4x7mAotU2E4+DwGSAw/XZO7E6Ht+oMKDI13EGzc3P+Tbceg+uoUE3bncrr9
   f9jOXKf8fL4OTvmPeLJMbgzFDTYs/vPzzSuL7X673geebfFhagavUweDx80kNn7j
   ywHTAFxmWEa8irFA/pof3J9T4kVFspdLQoVoLx8PBoCwDhU/12jZ9C4LgbWLbkMh
   4i/eP8ULCiEvw2wNMKt+BJMv9OmDQ4oidBMpxYfKeOullKPJ5FXKF8swhY7XZV7U
   ku2PwEQXP19Ry6RK4+KVWZQlJBS7/IBggyN8mVx0sgpbpPPk3vmesSXRcuiOQe0Z
   3nCvCjOV9A05lk+zS/+O4rwudTmmf0+DJr+cUa0VNSZLNsaykm9HF5txo8Hg7tC8
   cJdtUI2UBTGfc+EAzpbsv1hP0K3SHABmatOuJA8YCOdIb4LWyxxy3EcFsHXx9UhT
   K03riK52wFzaoAkZJnIfx6y9GK1StAQCKaAmo3OrxNWajKV+oWT75ZXfPRa8Cu/D
   sA907g1qT87WmtVHQu5JFE4r2NC52B8bC3UIJVOU/qtijVPhAkundJp2yx7q58hB
   Vo8A3Wv3U0XMpED7wbJBKO6CJc/wa1Kx7RehcEfh3JZhZvYSpbRNkhKBFszW7K/T
   j+Tght9wozEQoc3uVsXflHAN2mROTOT6axo234DmJ8K3jUlpsU+zI3n0qwF6VMgD
   5Qi3lfsbBISRsVK18OtRr7XGGlNNHCnQqsyi0AoTbHSO/N+BhME2jBw4IAh2Hd2I
   0ERKvOuFsy25IrlSUwoTcS0wDR4gUNB1UE+JMRMY96uGz9uYhNby3TnNUclhBGTv
   jH/rmHcIPy6+RAGhnC9E8ejcW7KJ2hwWkvMRl/wsR7M3OSzy/yOMYzQkTSEOJ0os
   cLB9ROASnPBp4ymEoUuqxYd6L4eTxlnUlcSeJK8PI9CspQ2tFCoMs1lJh/eFwp7P
   FlISQEJh05Wl7a7svhDpg9zsUNbrqeyp1UMO4f0ZzQaXK0xwZzUVXoPyCsoS+TpO
   zAp0isrlLYRlHPZFkl+1GctlX0/ho0UqNdhh4v383mGOQvuGridR1J6aOOBUeI3t
   W5ZbD1Z0lZOMYHQRHd7UefCBWp3Iv4qd2iyBoW68JmCLrEnA5MQtBNeuPRFztBjS
   RrjshjrpqthStLAORaX3I7J2tEilicQXD8ohSqRk3GBy922mc5F1RWV5lem2irva
   Vq+gz6DsGaxwdF1AZXnngDw3MjQyCYgMs8ecGOoPr+hJYguhIT0DCNGFix8fCWWr



Gillmor, et al.         Expires 28 November 2021              [Page 124]


Internet-Draft          Header Protection S/MIME                May 2021


   joWeejmNokbN8ZDadID9or68y2iCVVVX4N31yxqWUppojT6OiEs3ANhIG0SA990e
   6yaZH9fkG4fA/GoiUviFGy1qaulO6jFmP8M3FDZ0srLnJAf1PtWgGOpxXA+sW/uy
   BSnRUm5fv60rs2T0NsQYPIMoBDwtjcQHKH3xgU4NA94EDi+BGTBVOq3+qgXVwPhh
   0HBDQi6YlRPTDB6Rq68k1ybSxqxIjf7Kin/33fn0q8jA87kl5dLvnTHskZ53R8O2
   QAPRABkjmOUAyYWZIaNU3GUsQhNDKnAi/s6X1zM6YFmgcFdfZZic2N49DD93kXgH
   hjecAv2fmgsFbYlHb+t9rTDX6IQk5KolfbSAsYnFASwn0AIyKnkAkczEGg/p+1oK
   gLp8KQj7dyG7SNI5azVdsyZZxGkzV+zmgfnN7mfGOlAWh5KLvTzGFwd9EtlQDC8z
   CTCrzOKm9Pa7SwSQKIOH4o74XXgeijCTSIYWwRDqF7SWF+0E+kQ9TiMNl9cjG20P
   VWvHv2kMBdCXEfBmPCwkiqmgSIP4txiq1FvS4swwnoT5WzMlEi/gKxUkwC1D/o7o
   d3m3ywLOzq2co9zNNiuvlxblIUCCz5MbCU1rz19rM92IglljN9mu5g476PvzKHPt
   K3fyU5YxOqhlR1JxUgL1dl2tMtBycqUPu/eT1yO6ER4b5Z4v5jzWQ91a/La2l/tV
   gllSFIQ5yGPB745+CZ3uCREOAFnwwXYw42jaV1MxJptchjJHY4oKFarROlXF3Oe+
   7nwuFS4WMkCZuXXHLevrRBPa7F0DX9tRDs2fYpJeEfpOR8epvB4nglk7x+bL0RKd
   xrY6dRH0cS1dJ5TXTWJtvCL/LocfiN+TKJDhlkgq72I8aKOZqxhqDk81nu9y3tbt
   V9QGTzXhtg7KzXyQacxYUoTHHCDopEVVr6CNc0PY1xGN9CpLIg1BTduuBlIoTJyi
   EBgE9dL64xi/D5jYLsV0L+iWO/ASRYEhKzqETSyPte8kWaqvIUUgH8bQCI9rJXab
   mngAU8eMR5Fdl8aXE//FCpUiLfK3cMQtKZn3q15gymnqSKi0BSZoogU4tFQnyC2E
   gghhGe0fsdJgUbWUqlTyhtFTGhNCsFtooFTWVotcPAuo4CiUevm5v7Yu9xm8mvX0
   r4S6I2bBoWhyiosZcd5lZensmUHBAwoHgKuJGAScPSfGQep5nUXcAx8rgW5LOq4+
   0kedmfwIvcvpc0WEOuycX/zFBHgZQJ3bnbNkBtzZf2xPg6jW+BRi7vOlfkzhhOcK
   fSwVELORItBGxRq5eysPrNnNhsftJPv7yy9boCE+MwrwH6WGG+4dnm3Gj6sNKdZv
   44QYT81muB6IDi5lpbK1PNEsko/Yxo07eMjWgx3ChnuuNdfgY7xWh2gnqBFvF1b7
   m1D5AuZW+XAJ/yJTbLrJHLQzSoVp9+k0kvbe/suzbVsGNv+Awqs6E5csFgTM+lwg
   geqq+lF7R6tH4GrPdpm7raGmQxZVc8vh6x/CKDEBqY0Cc6tGr3V2e/gH2oiuHIc0
   V8O04kjr3hJQBBZk34jWg0pFGNGxzPE4WtEI0CxvINs9aYdNvEY2iVRfH1Wi6+HS
   KwuRnMKbysO6rwIevDe1wa9JqBmqJFGteKqkdGzlaHMJTw9ehprhKrRAjf3aJ15C
   xS3AiWc7guUeZiS/pN+DYpgX8HuFTuyf2FxEiDdLFFa0A6ozlq09CzQ3i6OYjQcO
   4fckHJD2PyoaQ3bbHdiEp/UNqq5OrAHSpVlqCCcN/gkTAZun5mNEZ96Yru16QrUw
   jwXRwRff4Fhtux5WQklxflspTTPkQWG33X3WELecjw0abCYo4gcpD1kTjb74LmhB
   eO9t8/YCMC0Di96YRHTvsux9qLFeYzI7J/hSeVm8G2ho7/McWU1q2jQMhdF4e1vv
   G/pjZpCRUj9jfSCGoA9Yu05C/ifkS6p41mt1z1SrE0ttXYGYYgTLZzCR/XsyCHSO
   rLxSXEp59N+Onc48lbgEpcpN3Z0Cf+bOPYIODGfLwRorwoqJpG+cv4UJQfj2ZX9A
   bhBfC4dD0ZlqMAhBjK1zvfDDjafmY/5CD3xfTqPDxKTDjW/UVShgxuLn/Ida0NAA
   pAcZk4SNuLYBM4uG+YEl6ddJfuzndZgKOb4MbCPu34rRIF9AWBNu8P1Gca5dlzuK

A.3.17.  S/MIME encrypted and signed over a complex message, Injected
         Headers with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:






Gillmor, et al.         Expires 28 November 2021              [Page 125]


Internet-Draft          Header Protection S/MIME                May 2021


   └─╴application/pkcs7-mime [smime.p7m] 9470 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5998 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1765 bytes
      ├┬╴multipart/alternative 1118 bytes
      │├─╴text/plain 385 bytes
      │└─╴text/html 466 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <b10dcc75-cf43-5fd7-9e48-f932a9d68fb5@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:12:02 -0500

   MIIbTAYJKoZIhvcNAQcDoIIbPTCCGzkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBACg5SAEbJdRyrU8Bf5P1nTcvjMySeblcbXsC
   SPaTgaVlplQQBJ8FmEBqzqelnX/JRwlJblVRu3LpDq0jaXSvJOnU0G9n1uuVbwIO
   g2rKZmzj1nR3GUfnvVip5f7hfxCXtdIkTW2nxYrhrlMuOCSn8vhIg1vaZNKflzwl
   B7xn5F94g+SJwnxyOi66u35/A9fzexPN2CziSG9z2UAf6L+PV/AUSM13NnnFCNxP
   WwbnG9DqAOuCPVXq+W8Y93CvFjG4p4UP+6PLTeLcciFe60QKqeZoeE57xBzferxu
   u3HOrMm1m6nLHXXzayGx2PPfC9rGZqHBdS6EeuMd50SchpyVeNAwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAQIKKinEhs2gGBlkr4wmROMLj
   J5BtZ9ui0KT3QP47qn7cy9N18l7BK3yBTmqx3Lrw+Zb0Efyk6Hf5uP7PYj0wdET6
   smbGw9rmBbRIsTxqu/Jpu0jUEwPperuRFfSOU+2h9CkXlbCY9ZnntltaGVKJxFCF
   myXpOYFf5MfVyG6+Z4WljpR9JeiI57DTAPbD/+2LEedm0z/lvhDN/QSCZLDIe0Jo
   vOfS5CvzHmLHyPtUbdHxJ71NMQvbkQhu0dZFbxtFUypWTFk+X84PSCZQt5/NvrKB
   W7+SEzylc/Jbnp3je5M7bd+XjgBdhblYEO2CNw4EwnQxEtLhD+JNn9wzeelrJjCC
   GB4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEJyJ4Y4LdbBu1BDaj40MuPmAghfw
   BPr3MdKD9K8S+bENae4nFDCZSuX/TxLyWxeCErUi452NWR4++LedhDvwMIO9OQPI
   zEzvs/1974yrRPhTfXtls8uyKS2MArtXEP+SwkqmF/sI60Miko1wrYZMm/ccCSor
   G45CdWIfCZmRaFJ+sui9+Uoe9aUw8gFtDE+4J7smDXWo/slu8mBcjbe+ncGk6ahx
   4607LxUagIoUT2ynLRV4N7Ex2uQ/NF/geMAqmAyYhD4mjjWC/WmIDVuQt+j1tZzR
   hUiADCdmR1qtynmG+cNu0RIa04lBw7NQSYZoI6ysnYKyH2e4F7cT42LdcHsiVrPQ
   sgiSG6zyh+pk+Va27L2Ou788dSg+yZ0MvZn129vPksqn1z5Ep22JQh5WKKX1f0mT
   U2lJbn+4AMGQPMzo1dVFydx5HFfV7cbhY5spO9uTV/IZPJOogOaZkNtLM8MMJDJy
   AOWO2iNyFJ5qQUCgK3gHwAe0kwsX9eIKaoCK0m4VeK5a3JLI0ktQduEw8y29asp9
   33CDvr/u2qpNe29ouO7rw0G4K61uA1w9DKUxuSOCPVYocazFKd4zsdlSXgHmKwuW



Gillmor, et al.         Expires 28 November 2021              [Page 126]


Internet-Draft          Header Protection S/MIME                May 2021


   GGdYGTvfLD/+ZWSbXWwRXIj40cPzbyHgIRLWOGxkEeBRyHnKp/wdX4QdpwOVXItj
   +fxqvCYc8iKEz/993R1FdGtUG7StJm0gCfOjU4DWnYJhNBSNfv/rkUd5bQtmUpHI
   HxxG7nC1EC3MQdGlZXSghfj2PKVDW6mFU6p2ExpsRkIOJ0RZRrhJuWXsNZvcNKFn
   05GrZzjKiCI199cyY5yJ6hUMl4rinVtr2YEibH5LTTHJAVX1ihv3pS6x1mFsWHXV
   196gLUqHbu1bNceZ1GCS8KJxsm/IGL8lPWWVup/QF4d/528m65Fw6Ww9d2NsSUPf
   byY420MylkUlZslOsepqST14h7jAwYJqfctT6SvK7RBF15c7CH2MNCyta7no7PfM
   6xpq1xQylmBuOEYu3Flk6Z3LHwFNRKxYlz4+rN/5Om56uY9nsGECpC56kjbD3pZj
   cbjrOMYJxmJk8NQ+tPLmNTHBINtUGGUrO9rv2xYfNSPVKOGzKDacij2i4aNhS4IT
   kr/j9Vq6qF1QCZ9J6sUJgAynKQKiRZS7QUFwp0LaBjV7/f9iJE0nthxnw9z+ndFj
   UQXnqTczPc0fzCG8r3Z6TCH3KvVBvJ7uc5gJAo7hlZ2p+hzsaTne3xmQlclorzJI
   53qD6jn0AO3mCb/Ce7atobRput6cflyu4wsgSX7XqjB6GyEtyhT/j2/uZUEwuK1L
   sbkVt69LerG19ALgz+zEpmoivn4Jz2TQ+h27TKmAm/IZv50EbGbIzoJR9ZAYf6ep
   EBoj4XtWSH04kqmTs4qY5EZdzaPgzKrAP1y1H/ouxeltesKOqQAbpeuoNLt17oEt
   SZRfzQemo4cYuqu7cBfIOF8JAn81NupfzD89FhoDIzIpz2Fa2PdUZ8v+CBJSfUmU
   aeem0Y+o1TmoJnNBSLHBCVkzgpvph7efjk2mxNHREOAw0iqdTErh2j1HxHMWJyiz
   NMmzjEUg6Sm7bTTkY16zqMK2j61pH+cR+4nSi+OyFboJbf8PF5Ge2XN4M5ZTbd0F
   /+CXTSqe67ncl9nxl51dz7U9ghr8ryYAAsl69pk1Ozq15Ek+jdqsfj6urjHWIZWU
   ejb4x5qicfhWPbEnmax/TG4kV3LY53KjYQzIzwcHE+jwq71so4uMUf/LnmNv6o9u
   ti4XNQvk+j9hvQoolMuuzOzJO/XIxte3aSjhukE72mcjoU6U4Mid0fFgz1UKELv3
   uH9o4DsLL35cGaJUYo7AYyRXz/REm1VT0H5VtdBPMMvWOC0FaVCnZqHMoZVCSPrI
   Jo+E7W2l/sxNrzKAcy4gVzZKkrazvIEz8tMzWLaIMo0tkiu7EVjUMvHoMLf7Y9g/
   he+JNo7GbfCro0PaycGakfvTBX456kxn9RmWi08hJHVP3fMDGR7DVZyoVHmhgRuF
   o1PYB/CnVop6SHoXg651w5MVa6aVPmTtb+oMK+BzZYshlqQ9JRdbF1QiQRWW9rew
   DPZAkc8AqkDmMa4hUbDl7wPn+noVZk65Y5Jqq6Fn6gHFZSZxGiAwp2R+iF6QbBi+
   GFAYJsmuBRXDquJi//1eXEDFhtWGOOrfhyvtdT62RgANWeaHF/pXXuhVczwfQTwA
   3Bigvd/PsJ/vHT9iJUItTMGLeS3N00xJhmz5VLywW3P5yhC7DOExk3w57guBl+35
   Xxc7Yz76vkKpAmiqHO2sPkGtn8Wke7S/w2uZsfLiflJ3p/8IOQMNK7eTaPuQM/ez
   +0ktdSTvambpu9xekyCqTLyLSwZtlN5Me0iox/Uz15ytNzshe/2enklHEgLMJTrB
   5eHy6J9SykSRSHbvw/aXAIeJYeRqL/e7uG2JHxYsdbJ0gmrPA9kvtTdPvWC3qRMK
   36UP29i9YZQTH5g/3+lfOSL/D4k10RXVO/XfIuU/LnLHeijCIpdQ55hvXFbO6w85
   otk5z/NGQdqO2N2w9dh2dv85SZRZQappzuMVp5N8M0Vb922vhZbOwMTtSDNjyeIS
   xLarc3xrmdl4FV6xRDLWIKVsa12Qv8PGLvYxGvFVHBbdtW1nwP1yEyc8unlBAYvQ
   V73tgsZhwXJ84FoVwGtZ0rRoQ9l6edqNlOYUiSkIX2ai9amIlWuxKYf/rIvu4T2n
   6/t8n3i+MqBKcOmcPGxVWMaYfLxlBQqg0kCh031MgSw/pLm40eV+lHgI8GixyBcV
   QrAV7c8B7Tf9u3xDZ4r360k3Nbm2TnMvVWaO2brcwU7UHrGhjKCJETK7Yn4G0lv2
   YsHamXmxD9ae2+8QnpwJ1+j1QW2K0NzQbj4p5boMQQPZ8UhVIw+btgqK4uu7tMLc
   4a97LDsZY9GefcbovG0IgNFNIYmSolJQyk0vdzRgfcKXbl/yUGagjfL7RuhCU/92
   oVSVl07mGeCTu+WRC//aPCodyT7Lrv/Y/dd4NYzIv7QSyf/RklYiJ75lBhLuwLoI
   YAOtiSV4s6FpOZkRvPby+FuUZLWrD9wmED3Yq2nMsYGSGhDtaZGsWqnrFatfr02V
   ajh1j9WNBJPErhO3LifrWhU3SpSnbzRORZh7AzjjoDBJU8M8lMgkr5JCn+e3COfH
   AfRR9cansxaCXTM8Su/+Dtw6oEm/K7aWAim7KZ7uP1vnhZYJq70vu6/YH01MD00z
   fK7P73+JMs+c6s0PcaMMRm3j1WILGIKQgGk65iFAUW8iGAp6T4Zsv8P5tPPn00Da
   F9Vr6Fz6APk2ueLwrF1dk4eXKt1IrbFeu8sMzPv3O+z6kC7IFv9kL8Wdjlq6MNLE
   BdCVosbTYq+QPWAh0mg7Ky7t52QHi3n5YGLClsj+RXBcv6jwNWlcqgUFjZOAhJDC
   zjPlrRuufAGTK2QCLBnHoVcl+pwFJniCT5B0VuY8sZiwuMhNGRDpMvILw5w+lEvc
   CIQ1lqR10a+OvwFN42YOYmTCZtnC1wkH/1OoY3O0m/lnOrypLKLc27WBV/4ficGY
   VXf6nwhYCAzZEfChQfdXxpAqYp1JmWO0IvKwzrhI+dMr925V1pP1Q6SIubJyci1d
   3jVOHYeFLBr8NwPMaDgG27DnM4RicmIb2qkXDgs4l0jQ+qCEEFF+Itbk+agNOZon



Gillmor, et al.         Expires 28 November 2021              [Page 127]


Internet-Draft          Header Protection S/MIME                May 2021


   pILFOAJfkZ7JVptHD0p10AgrZVRx2efUJ3z/RHqmRecwc2S1bftaq4MSVz0R5U+D
   G9ppeQSZwGLXwMhPxgoa40Wu2R9nQAfGB3UAsZHB7yJy6XRZPKncuPD6981lkxAX
   lZG/Ft2lHLAEmnXdzQI85hRiDdwVOY7YgzL7Jibv5oFLOxv0qBEPC+UDurkTOzjf
   w6QS+QQ0gVwpIODaRT4EFTT5rbqAV44/qx1u11JX8Uacz6cGlqu+KBsQ3QAomg4C
   B5PAl7ZaAKOtCPBEbrSSWEwXVgozYVHDJDACGc903cz7rJgcJilvMEM+ZVwbC1cw
   gAM7I3h4Xsku4JZ87lSFz8guc1q8D2W+Z7rq9fMwIxD2nMK11K7LbBMNhUzrDFYn
   vmRGWIU6qatgzDe7qG9lvsGuFS/V8aIMnKjcFuDMSBH/nj8dF6r3X+BBmJuKRK+D
   jDbzogBI0oPnBjs8AyaGYHS415Mn3P/cTsrG1tddngVoKX3Cz3NV8pjd7uIKaBUr
   OHSAwdB39RU20Jbv1YqQTRcgSyBOnVf2HKqP6N9836DAQKfDofz9TQxExaFlbxhi
   xEdc2HSIewAZM7fJY78vpnvLwB6IOuqd3egD/AUjjhK6SDcSaVwfNhp5CLGUDSqb
   zKccNVWu9M6hV38M7yfV1S3FqSZNkZucmd5VTuZmNBpyQhm7mfc9XYVTK+WrBFEv
   E5lGiAkMqW+TBE78MFAf90L2ZkwVXlUjFXrDc9OURnEu7j2UaupA8azc9Aq2Ho4b
   ri7LWwbJplfiGi66TS2CstCnokV8XZ4S3GK/UgATxjVq4hpt1vGWBF7hWIduHJE0
   pNtkoyWby3enEXPUBilH+SSZRU/ZnItmjK+pyjSwJm2SxjIqv98nCB3sSdU4jBpW
   tmqVR2pfUM2+8Jr66Wk8iLRYf0xlNKlTk7U/yKbN/0lvan3nPoXkFF2/HLYdUCd2
   LblEs76eo+TxaKIHu8XKZRDbJ1uzqIJYaOL1INi52kN2gZuKmS6ARdfXJ+V4l19Y
   sTCVMIb6uTrZrzcpPkuxNdSPFex5+jrfeB7+7qmW9zD/rQFPt88VNu6wrFnpNvhd
   hNo0BtEegVk866eJBmKjBFQDzDR3gtRIQXsi9JRyllg414TB7cg75L3VbODOLqmz
   6t2ErgUFZRLRkSepH0Ylz6He4M3LangIBaAd1DTM82I+i8vY8bh7JZsm215BafqQ
   Xqf4yjjfByjcE4nbjeVSFOKrPNCe41caINZd9LT0PMDULCiKQamYCIlyKz+3y6Br
   Hv0Bg+mcHZEqmnNSqAQfY01sWnlqYwqqAat/LwabfVN7AJyXgKsHwIV2aM78Msfv
   2XAx+axVvelIEqVO/IX8g/dQLJ7Lrd5ZVMywRHxs77ObYHrCnhan5m5r765kiFo0
   tUw6ff7ReuRIQvX3i+Yy2LlsIWa4aIOg702TN2BKTEcPo4MHB7frMD+9DhhlmlHW
   oGCNlgrPBZUOU1h3A5LTmiqV3cyeB67xjPMrTVsMp3r8mUEJEXfU9gXXiecRem7G
   vL7KsPSnDnV+YV44fHKI9eaAtUH/XTG3ELho5jN4z6KgzALpramB3bqPmsi4palc
   Qim4NKqhGB3vin4gDCOOlopKpn+CUaKFsBsmmsOZXR5llHXkHiGDAvet0x64xC6T
   /Jt7Ywtc/oIaRxNYAruTQXyva/OEll4Z0Mic2rZyn2UU8rjB2Ax1yKo9N27DbPrv
   wlHqKFO5wdo33s+XECogMJMqmW2almEzw9oliDNWODU/5qDQMUz6/gEBhW3g6nBH
   pF1T3Uwo7S2OGY4+qChysyV9g9uf8CcykQtXMVSYDboo7B9ClUWp4+0W3woVnVZK
   nAgOI0N4Z0pUOg742DDn4kEZMBurUT67ssblb6SFzYrUIXL3hVtJAyLPlkVhIkdW
   aahmeBMAGhq0vgTxlGKvT4DaJZuPCy1rxHDkley5RKiZBHBzzH63kAxikarKEhO3
   i/aB0Btu1Y0Gr4vrM/ynuIwTE///giigc8rTfZnXnHkojWBQVehHaE21nD4wXZbs
   V5FV+RYNnhNs6IpNRWL7h6IdvxwtGZmq1iGYyMmJ3vNIMHaDJyev87ytQEvjphi+
   re9BMYGXIGsbxTwwdKW/VViBMP7MxVoDHO4e4pBoVlhFElGL5gcnpCG7qiJ98i96
   VlJyTFF+ktUtWmDhE8ozkbTnqbz1M79BRsLJIrsOSWSzDeRlfBUBEfBpYwlMfKik
   hEjL4FZCL3UZtE6lpEozA5XWxavUDvFOO+4sXwSYLeos/G9RGCGHs41vVoTu/vrS
   RyCRTQFm7d2JU4yNNUCLKrjSXyJ5ob3OYMZTrpseVwy+9Onwvg5ic81vYQ8ScL3h
   xCfbUxuFf9c72lSNYUrDHCUGdiqPmi7UTfEXn5JnnhG+s+NXY9iK65DcQfuUSL64
   LjGqZNEMw5Z6+UgPOwgw5qp+MC10iOAXvrIXxVeqwAPGTLKpPcSzH/p8z2H51AFG
   xeMNcUYrb4sAY+IkFjhe1lkNeymFax9HogCSsYiYXY9OAjNLsp/gpS9QH7sZqdll
   UHp2pj1BHqumW2EzhIEURb66+/nG/3o1T0JFwwCMVV7mm0pLRuU6QfBet3oU+iin
   9gIymNrJLYa9K3hJ/FpyA2tcglkSdHFGFvHBzKJD2m0B1Y05FIIlDuTAUpjujQWy
   kDrF+g4EWmTn4flTGfbugxMYIDFV51sDKMfOWtDXRGcvef7PP7qFSw3RworYPZed
   e4AvoToZnVIC2Lq2oUGIJbU3bbSWlw6iIOmENBKA8U0jnbcCN6TUEPO2vY33AypE
   BbzgkIO+ruZyIGrcDlhVeAE9grptGCtc342Ii+ywDMPYSkgNC8qs3y+I5WI6NDt5
   RY8Vrm5sYnkJDIYZ6wtkDB2C0VXLIqHtE4qTL3gm5R1pGGZ3y+CRD7ns9yUs5kQM
   a+aQ8AwV2cvmLNgZuJDLlyMBMzrJoTjiHFq7N2l72XRx3BUeDykK8gWeXj1vBZum
   OZen4mUXUskGH92WZcHG3soz4ceby+uOyxJPKMusxJ8wdEfGDJHUKia7jpvi4v21



Gillmor, et al.         Expires 28 November 2021              [Page 128]


Internet-Draft          Header Protection S/MIME                May 2021


   qvQ12fwmBV/rPiEunNnKEakczNB3fmZBDeTHmkkUpEyOtIAW0U5VHa0N9sHAjHh+
   wCNB34BFZpHoXQ2yy0D7UHmFep1hFu3dahHfeohp2FEHAi3BkNc8l/Aem9ERznY+
   IvCpxQbLb4pqtnWm/ko9Ai0MI1ouKNAyNzEbwF294ZGn9ABYHOChppB/zGyDLUFn
   K8PmHio/OSyddzwXyHi4gV6+Njnle2M+R/07SMxTqKS05TDIvsgW2i8AN7U08lwj
   csKC9T+4fO7CMFrJqgeTwE9OBE6CY10mCe3AdF/f+a7sgt8Oe+vTXgBvtfo0GNLw
   P5eqf2atPl+/5WzQdjtGSC+CWVmK/WJk/98n1DpoZ0hXn4m4F1AUq1nv7/g5TFlX
   WUFpDbjRb676ynX7UEj0AzyYjrUU8hAzPBvcQkndrjeYSWaKkE4DHn3bbH7wAhRg
   AOhQqXFMIbOnyC5e0NWsIYn9nab+PlY7HUGjmWtW8XSheJkBh6Wf0aaO90OHTrq9
   ZLJ6XZkwtuh5pNUGYdjSrjmVcEPwin14wieGfJXkCbmBsZ8kJXR+eaQBR3qadKcR
   Cfn8kAC4efD761OJk2HvzjNZaIqvdNVekvJyGMiTWfhHpuZjQ0fcJC5NDbmwCdNY
   Qz7iS4YWdbXg10JNag32tazuhNwUegZFGXL9a5gcNkv7AdmWGkSdt0lsSPV05kfC
   QurrTtShb3hfJkR6KnVBSK3jFjcF5asLM/VxoQ/iBgaanPhen0fNWgkyJJaVmDJi
   4xzAhz9r6kPENqyCY5C+e62MvEaekDidg0gZUWuo/gdb6moIoBrCqZr4J9y4W2Tt
   6AZQtChAdW/A4OqDgXlXmXc/tXMy65zIccDzc/JMzufzQcP4wC7DbYC+sg/bNvv7
   LWWT4esu7njEbX7Ni4zIjhBlynqL+qecT5kB8ipGeql6+Js2iKNsi1HYQ+hTt4Xz
   k/sEobzFVLp6yWNpa0ZqyY7RTLcb3OJUM+KCgSftZd6FWi7M1cPn7PUWG+Hdof/R
   dxOt/PaXDxNYEK9yrcVWP4yurQ1YS+0oXzpmuAMQIbWvQki+tr0JcpsKnUxcvvsH
   ZFxZ02bTi73DCFCSWK00j8j5IVbvrRBvtgkVOAl4c5WU34sh6nwJPPBTeO002wFE
   VgO2F6dPTTys/6D9eOzd3yb3aEJ9PNFhpzY4uhS3TBWhEcuyJlpus8ximdQjwjlQ
   IgvT1ty1v2SRJLA8gVY8cmR6yn6KEL2lc2PsclF6zjYZd6khKSyrBBu7ZceIo78Q
   bnPly68qrr8l7x/DxYHFJ6pwZ8LYPg8XkZb4k3TmLZrA4ys3a81R5RKHkwmc9qAI
   kyNSd6lJLMeD2IMC7rxCupV/dIJZ2cIjH/46ZTOTB4jADtrHN1SjeFWOqnHhjKr+
   naZLCDk2EcSquYtna4J4BvyQXdcebEz8/zSNK6jS1v8=

A.3.18.  S/MIME encrypted and signed over a complex message, Injected
         Headers with hcp_strong (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10100 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6460 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2088 bytes
      ├─╴text/plain 58 bytes
      └┬╴multipart/mixed 1596 bytes
       ├┬╴multipart/alternative 1190 bytes
       │├─╴text/plain 421 bytes
       │└─╴text/html 502 bytes
       └─╴image/png inline 236 bytes

   Its contents are:



Gillmor, et al.         Expires 28 November 2021              [Page 129]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <fdccb76a-49ed-50c5-9030-e4aeb83d7f04@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:13:02 -0500

   MIIdHAYJKoZIhvcNAQcDoIIdDTCCHQkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAEWYkOXbozCgn9S8iXQC0gutDVG0YPIJVm7k
   oS/9bJiQJUvaRNUw+Nj5QB2RYBoyUkAYI2JX/1q8PUAHH9KfUR6EOHkMWMYjZNZD
   cEOKyz0lFkhUUL2hW4NtriRalYxcQoQb5lbQpBIm9sSSxSUPLOVfDCKWVtfezLtG
   +G4qtZyK/ih7LmcWW05GTzOhoaWx7QM4n5UqIxvleH2ncJZdWtQxp2nhkww745ME
   jkOBqXRxUpeCGiulXT3lU4efVIsHcJA1G9q9mpXz1OZFewtvLkdUDlVgm/gA9+Nm
   D9LXe6z4VLwWjTCS1k19/9r/GMjxhYn0yD8iwo9d6jXYsTSv8iUwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAFjcQW2naUCwQ3YNI7QTekTBL
   hqLffZscJbnMbWEWh87qQh/++/hy3h4XCgB/28tCMiBkuBAQHUFbrudBaFPbk2D7
   jdhwdId8QCOV64VIP59T2jHwqqEl47M7+jN28ipnVHy4r2hg1XdS8xN3EcOOfxbn
   rE9ERd1D6IIHrGTNMEfzs1Ntvd/6katezKqYtV2zDUkF/uL3SmkIoitIb7hEW4mH
   hy8UsLGt2ZmEhY49lsQWJQqxR4V9/7NYqFCSdSKt+oIbTzv3PVN7rtvZOeM2MG13
   /2zLagsWuUMPrvpC5HMMl8YR4mxOPJOi5m2xMrIS6kgfd3/KrpX1niUfuvEgiDCC
   Ge4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEC+d2DmVGu7vHFBEpLF4Ke+AghnA
   kzd7S/YbQDNpFka9cVZpJMyZSUzF+U3YQH7KjV7717o23YBLQPYEGxsA0LWTSILa
   JOon1R9d7vP81XGUWVHmpP4T7d45bOgQWHysoAREhkMQqyUb01mW3F7kSJkOmKcN
   uNjVH8MJuhr8wiraPjN/GT7+xYy7tH2bXYmkuuzruXMH3s+P2+ZN4nqzvY9KPUDM
   m9muevN1p/dQhYq2vPTFrrUS2QBOtuPjgxOAG02R2jNwJlWiVQrSCG8O3li2JNDc
   Inem3VkMajeDw/8+dSjUz/eZ2/xvmWKhJ9YwtGu0e001+SEXNzMRO3lbJJN9yWqL
   2j8VtnuAwX6QBcauaUg+kZY5DInb3gNPq6pX0px7rKRY78nXLsRpYsOM7Y7xiu7z
   5HoDzf9Hxim2j3gkYr7M+ULToQ0e8t1Vo90GSWB9Z7PnGt/NbCwK2LtDsuzZswuM
   EclO3+Hfjey44GSB7GtuT8hc6I/NBnIEAPV0IbJfgH2MqTowuuM/GZz01rL9ijgX
   Rn1FFGLkrba+pw/DpqLjZCE7qS1vZUS10Br3scbayUl/4HTVWnLbrV2C1SGjVinY
   1pHqiZQSpk6KPtNXoiL+XXNzpHXEv05VFrpulXheD1kz8w3D/Z4YqjR71bb8FVJs
   okvUR1s4ifDrinFwenBtdtH+Ra+8lejaXbbp0wuKX3Ne7hryjX4iKFv7aaJsg+bx
   38DaXujx+9pF2gXULSSFGIxaTujy5fdIhvcKqHdAu/c9YZMlWnkK0xyvC0asGM0M
   H1Rzf4BWMxk3XpVZYzyqW0LIR/K5OUPsl2pN7B2y9QiWBQ061/8Mv3pViiu91thd
   73uzgY9gKdPwsrKYhsSMLqrvuV4O6qTxZF/EwiKn7JRPwRozIVcnZtJSz7+MUH2t
   6mqUNygJlPPo4BF3/NZk8NeqfaHTic+nhgUyYwejhXk3dii8Z7etAFMsyTWFiEw8
   xvdzI521CcmTn/+Ov6kOWSSbZkfzcMkhYSSpoh+8/kk49VPpvEyhT3D77pfIzTd8
   isKyyxyqIxFje1wDXUvKwoGHI1tvRsmxmUkRl9aa7iO1eXHVtQnXosajrM41MKI6
   GYgKCLBh2jIAP/3Ae1Rwrd60XXbKhJek+4W2F9yqehTN9+ev0ZQ/Shtz9I4QiT6h
   gWkk56ijCZGUjxdIIAO4dAj/Iw35eGxvVxpKk7AE0kA9W1PV1NyrxytPn1SHsUHj
   zH536kW463PEBuVbPucedwr7GiAKHZaERhHZwEtSqrXi6Hk84z6LVzb8yG0KEuuo
   a7WnjdliVc23EQsbY1CV1/ZmyxaMZ1cVnKsvda8xko25KI+/y0mD2YK/VcXprfRe



Gillmor, et al.         Expires 28 November 2021              [Page 130]


Internet-Draft          Header Protection S/MIME                May 2021


   WOfck9QWC5cvQqMTVpxV1ykMFFPMOOLRqyFDYK79WoMKLV6LTqKEsuzj+JxeMFf1
   rjR22h5WDEjkglngB8P5KYHmpKIJVlSycemCu0gxu4iLZ1iAkncXF3Q/jVe3OepT
   4pj1hiRE6NbmzSo4yiQWiRMAziXu965vloLLlqhyGkeBgI4virllLegB4GM958Id
   iahOSRan0S5zijfQFWW/6ugAOK3d/iuZc5/OnzL1DTP6jISOVpkfpwuh6Va9vxkQ
   dUQZK4bjSW3A3nLl6AHn9RzV4pS7RfINyx/hYN+XoJl7qkfwWBLUxYtsUt03qqJv
   +n4eOpFQXSEOHyFWbIsdoWMUrBjwKCa8xLYCjPbxqCQv2IuLcekNj3rEYxjRWFkZ
   OzxSHhqlmKdNCLrUpxhqRwivDQSHr0VRpNCCfv9HkdP49zdyoF5bOXW8b754aKxI
   BN205TjoGRCbozJ/QmFsrKRKqURPo7R5Pi0rTe51HbTC0aLP056whZjIsjAhNXxt
   QXu0K/ZHE1ip5QD/cfsOQL94lRjwSQPYbv1+hNvxx/52gWrf7DnkVk80NyfNHMcm
   UoeiVgQxp1GpHz8iv/ducJBx+YLCyJzZ6S0MswL1uPuk08Dlhz1ALM3deKEQcOoS
   /665Rb+ZMuwDNFIhi7c7EK6d9FWHLpvAv4OOWVWtv+tQi+cU00CNKKO9R1TLZGVP
   oDii0CcFszUyiluAO5mCUwbgk98EHv4v5tqICI1oUpTy/qF85vqg+//6OcwJrYYP
   4MolKXNYLVaYvjzZZeYpcyx4kC5bLZktp/Yom7Kq8/Nof/AoBJjbDc/IU3f0u81R
   vZXM+b7PTwbfTlw6TQU5UFqEz8BarVINhrMlCkOUKp3ddgkRbnnBsXQp+BvQwh+i
   dQn5LnTew8kVenRPozwG/nThBQd7L/XcLYwM7S5cytcpbECERR4h4axl5FS0jud8
   UltbXu9mG2xSL5ZKDiPteQm86aocxd3bcwD9zbYnx0T7/2nr0gnkitMpO1gGVEC2
   jGJUrmMjvBX3VZK5Pi32FlWJ8u0xWJchY/Sfx6k8hrHiBuyYkHYyhbos7VDL5E/Z
   Pki+8m6aa/LBEV60ll/ZP2CpvWEjtaLqOoR2qUHsHFLTQsGyL6Tvauh0NI5hkFG7
   1nqhmJqp0jL3H2L/UO+cw9HpFUxC5BSu3L1bWp/xsDBvuHQkfvlI+WSaxZCHUYys
   XjcXrrr8PNYKixOlRDUFs3bu+vWhO/SQaTzRKrlHyWOO3M3k/mJdwFh7cQMwXchf
   vpfHC+Ha4po/MLphNa9ZCARlh+OjHt3Wn0TqF+NEqo7Zckqpu7eWKzV6yr5CNk84
   UeWzHXpoXnOF9CDINDj1/+1/ODooRjSHSTk7GSlPzmrl/IUqhfwPTkr+XfozBwWR
   /m/IwWAqdVeS6rxE7IcN3m9cTqE66dX3uHBnOdlc/E8N5lhEmKJJSDgcpWDdfiJn
   YVK4PWHify+iQEg/DI7Bk2slTrmQBTiYHjWPaRhjFxBeHTBkhWeCTbcrT3G/1q84
   3LjrkKmn6VGnc9Oifl3ua4EJinHUoWn++5HgyEosifKWQiPWYkfV6uIYUSMf0Y/9
   5RiU6dNxqPrEwbTRvGaqNoY5EE7/zDrktHl+ZavezUtEmFCGfVru4GmV6JRAAC72
   /J1YcQXjfscu+SRW7GS8pj24jGMM60f5RZy46efRlmqVqZ8WF5ciJN5BAEz8FQ7R
   5KYqHDdRsqImEf2folbLvbSFkDmsnFrLswKdXVgInfdr7ddiud++nRb9KgFugC8a
   lSNt3eOwkEmc6vDd1+auovLXXF9fPnSPx+9N0wBnQbIDMEG4Qbo9FBFOHiiMC89u
   8Up9kmfyqwNge4JaQxxOG0RvQMP4OypGAhyNk0NhGYbS2OcHp+s2kH9BiYw3Xn64
   XawZnKQtQWpBSCKzq/aBIGya2kY/olHJm59NXRoBax60vHf08xGhGWTde4sMhned
   fRlRRSzwoJRYu35a3Xg+iZ8SwvnwkGnAB+pxAip1XDm5kGiR2mXckNJ/8JQQf+CS
   PpMeI3aieEoApqh9CiSgKkNVZnZkzMMBXoN0l0nQ75sPficTVOplYZ0DpbTgmieY
   Kist3Yf6kKH0BBXUmc5tAqPOK++TkFx6wff2hpJKJu0mWhMpTVBVSdv0eiFA59wI
   NwuI8ZccVQcdH2dP1Vqun3C87y49ClagneW818TxK3KocUSJ84/jInFucc/v41Nr
   Kdbl6g43MQmj97zcaIYRB6JM102A89bN9j6UX/GpsICafLb4Ml622SH5LZyrcVSn
   RujexKoiLCTYJscg6VfCnxeEkgrsc79NZ/rp4jd9gc5h3B+azq8uuJj4VwcnqjPZ
   JSdLQKCMSH/nyb+hv+30zi9r+4HXn+sqgqAD6iUPsWB2GL1nKnMHKjMo7FnmA1Fu
   w65i510BeSAkjF2Gx4FIKycoaRqUBjICMtMrorrO/KmGP7l7dRpuhauOukayTOS7
   8VKnb5lJOewHkS6VD5sAEYYrp7xMlX+w+azPxYG6subuEyiACJNRBylcFaKv5w8y
   2FCf4SVXO08bCgM5v6X2V0+44rNTq9SYygUIppVFbe2gZuPA8ZNi0iN0hwTsO9lw
   yJndiesu6NDfxnUqeP4k05b2dE3NMzgfqICUuI+gRVBNpsauXSkZmKRZ5xGSxztG
   j95vpUKXzyzzC7mIrzRq2ZeL7tj7X2u8t5wl+AFWeu8d5jkiII4jFIZlL3kWPSIH
   guBvePaqkcR7uOzPksP7dx/dYMjGjsMucdnf/a9fqa1uouurpZXCp8hSpxV3VHD0
   gN9ojaFQlNt1wqW7H3iy6eY+b8PngKY4//wdyoj3sazcxUWN44nUa+zGHjQWwFFB
   SgSFidez5n6vQABTwhkZrBz47Yhkc0QF2WwzlvEx96/9+eG20MfTrQINCPx/cDWT
   N/PP8QpJkG86x3Kokr8thJYQHnlxgLXZywLIx31jKR3FSYzsD5PERTDzVU9cNEF9
   tGwSqEYg8AcLBFHzOU/iz0ilU2/i1ilcEoAivRD52H4OgpMArMZEL+x7peLEKs7n



Gillmor, et al.         Expires 28 November 2021              [Page 131]


Internet-Draft          Header Protection S/MIME                May 2021


   a+on1E1RuQE/YSrA8KgGQ2kSaaouCuybeqx5SyYi1B003c4QTvcE8ShVbJhhbTka
   3vpcb/Zw9rZ+AeYyFfKj82Z6n/ujgEhmd+6Ianz4LNdgPgATpTgD9L/MiFv0LaWl
   CtcGCBHSpBgk1ghemkMlVKORFy+CALQFdoVWtY1dJ2rDZl+BkyQPfTIXdoBmW3rm
   P+TlHYBTA8WmOyS4Td4040h37gqNzk6WOi7oxY2Y5qKL05K1mcuymIvDXdDTTRY/
   Pf3NcnBEHMVBqp4n2P/tDdqPLhkBHzGB/c82A1BXxt1tSrNZrKNYL3sPZYWEUd82
   EtMDgKaNw4on+whyZexNl7hDS/JpO/2M1h8TaPel8EaPc/n0WiTgqajrNWdNUm0K
   Idf5gmeOjTLbNHYyBg81nkEif5k/73YvJvJDDAxZ2CxI/URgmpeqNWQ8SNukidiE
   qjkO+uvxxE105UIOEBCqwNd3MQSxmggMPHyfAIy6wVkE1zaRuEZvikZr2lMB4/qT
   myc4tp3JVK2s4cK2933tWE7NYLMZMGRZJa5EDijFi4rBggiHP0uv2u6MYFCL9WZL
   fahwSlpa1mF3Az7+LaglL7ymyXMEcr1xHCwzolL3pX2J5q98rciCvkw6qkGLZYlL
   x4nAJnaRoxkya7eWZmHb/WcHOV4KghwYifsv9jlSfYrGZrB8YoCksuKZUlcZWB9f
   8992P0K+Pmcngtn2mBh5lTJ5nxPHUOLap3Psh77FLvflfkitP/Py7BPWq6uEQdgs
   Zy5j8DbSQ8gUUzpDIHxwhx0xyvK8jIfAaKmP9ldVI79n+kElJt3ay1r7Gvm+2tsT
   7+AEjB8Nt382mAQte2zhmF4ecl+c3fgEFDySkbM/n/ws2Wp7tbNBDQVGUOTHUq04
   3dUTfMyHdsW+wQPEUSJx5U1OA7T671hwtf/X2OJDdC963efXDdLUiwMJTvK48HzX
   zjWlKwe0PNQj0qmLnzLsz4jzAo0lYeBzmfGmnXQb1+ReiQLAbzvg+q2lKrR93X06
   iSOtSpNP562saAYSD6mx/9ngqTfdODqZUsnD/wcn29hNox/RHVVf7+CJ8lWBrU0U
   7u/E+wKVfvFRkiBw9Aj3gEBC24GSfsb234xYILlIX/9zMMurslXL9uxZz6lKtenR
   As29a8xlDNiDUdZMwJhZbtABJC2gXsw0RK/uCasbkVGNeb5FGYEfOgN9NLtmryP1
   2dcHQtug5WHcyDrtAjxVY6LuQCCpF3/9pzAtpH//f4qpf6tzumnoKwjwXMs54UlY
   snBfIDQHNpRNYINiCyAO2mrNO/h6C6ELJu42zqZFzHcPy/u2Kq7IQAO5CvF7/2TE
   kpe+PusukCdfpJeR6xOZJlR8Zd+CD271ZZSbuxveRU8Q5pu13Wena7aBMXySt3Ro
   RlKM2sQ6gI4TV2hZgk0uOg3g6l02ebXe39YZba2RU8FVsz2ySIgTYDixKmBpnZ0H
   rrl3xEUl5FW3hcH6FU/Bpqtv+K2xp1MsE75l92JIIZOMF88gtbw+/i+gao8lAMmx
   MF+Oa0ulBxpG/uRFMxY5+4iPRK3qZrZNLyjLAtOZ0wBbtoN8ws+MIV7/W9IiWbYB
   Oi3Nu0SXCYibdSFjHizV9Q1SBPHw64V0+wFb+kcAFeOxMeRtvAEsWrQbYlFxRxFx
   17Nm/ldToQ7jMwZZ/zrL2Z9WD6SQgAadPqrXOFtZ1EiioHceNCb4X45GkA1wecsc
   U2yBmjyGiRpNu66D7qI5WjmLI0pYY8ozFJ8sWYWjVnx6B1mi5mOhPgiXjcKnLW7A
   007QdGeAhxOv5nHmPsH8iO29nbMkxioRu0xqw/EvluwBEl18iXyGQXyu8BPXYMzz
   3EDi4Apeu6D0lssgxJySo//TQYCowW9gE05QHTPp6ucMiuFuxRbxmGFz9QvNihxM
   OZ9/d0ZDj+d8uOWSJhDzN+g/Wvegmpe+l4QsSMtPz4oY9xp7MmlJjdr24m8OsS8G
   6ugkxD/Bx4INuQ6OBClWYEn/abxrWJEdsIAnD+8VyVYERH1CJPuEpEtEKPGZpJub
   tlMGAP5H4G1v/vcRNuzwKtwBfwy+2HrCsEXg2ID6KNkaQ5rsF+eaEP40sW0Agrqr
   XOWjvttcSHMzWIdYnKM+dNlbJYQCfszPEyrwoNPy0TZvj/GbhkvptZhxfYlyc1wC
   5bakTYtX/VEQZ8K9u0tHKKbkm1YCq6s0Cj2YoKWDkpFPSqAtw6a91TyWAO9MP1DK
   JAizgrwwJjZz7W68oVeUbVavIiSBqaJEU2FuQHftrpALDTL7Vb4HG+uwlCU1MlTC
   gfl5Z18q5GwJe2BM2ngEUfsddtsWRh4pKYtRoQavbLS6F7A13tvxbjKVU7l18VVl
   bp8WlPN3soXuEe6N1tWfvzZ5LPhC10lUYBv/QasAjyUPC6quYnz4L8YLOGZbnCB3
   xKkTH9LwK3dK3JSu4Br8tURe5tMdEJFmE1XjAXGjwLS7Ao1Yzo7EMtIbdXNFxj0N
   O0BE6ZedBUEoujik0cRtdckZ3yVZzQKkLhA2iTYV1JSpoRRjb/hCEqE7q+/oIqz7
   HkdmKbCWa9YEm9u195BSS5J9vRSADFR3h/uSQEGlNgnxnNBKMNTfXGya7B9IzNig
   MUwlW6IL7sHcUsQI4lfV25+QaW6ii6dZpHXVNUGfFkjk9aVv2D4oBhekLAJxfS9D
   t4FU7GQ7FElrJTiGq+L7+Jo07VBAHQpTejhFUe/myA5y3CfQ/cM6GDOyDJ69Lx3E
   8/lv3Y1EmzbhE6BKCmGTv/3BtGcP1pbMN/NC/SQCYLyQaL3oGjrWiJTLmaPYT+/P
   EQMvuIfoIEplqHLqrZ2tKihBx+dcmt8GvD0ekC5yHDhlZWUFxtJ9LRYaGSY6SgPm
   poceJ756fN0JQFIzUFHzifY8u0TplXEmtbMSLw5qMnJzKcMwHjItG/3/HhaR7lO6
   ZzhrGGCubD3fdnmsSvEIf+3TRMaRX9umMR9hl5Ub6eAp4j3VLDaQK0llQooxFXsq
   Y3a3Q3zq67sDJhUDdxwfeRbe5omx0ut5BygkOWRtT5eYOGyOISlA4f+mQCO6tvVr



Gillmor, et al.         Expires 28 November 2021              [Page 132]


Internet-Draft          Header Protection S/MIME                May 2021


   1EH0pncE7Cjm4Dhcg0Q3FxSfAPbr3FubD8D0bqFAAmDdGsR5iowWNiDnVd3+baqz
   PpL2PXsA4zA2fewBQbQtx+W9y8u1bG8R5F55QgzTIU1COJAdS4GF+jUkH//ZUUeH
   0peDMkTIFIxTrbUK+cM8XwnrfixWuKU+hNSKULUxLZ/U6Hwvve9gCRH4nTZrzpX5
   7r7noQBDDA3C8ly4CME3QMrkav1uTnjroXosgGL3u6z1BpuH9Reh0FUYvWo4x2bk
   aHFs0tMx6BOg2mi/ut4POToN+WW/jh+1c8HJfbCEX/XbrQlpzn8O/a1/fU535APE
   pB3AThi0b5dfsMMHGVGds/FT7EnmubAYgnIdTgmXI5aXu6mGChd2SSi1m4DmaMbV
   PsTMF9EE781RWHX3fRYGItLWLTSckZ95wmsW2ossKiLkCpc+oOAfzn4RNcRCxgSz
   KcZaOMhzY7N0Kfq+KZ/iHBcdMxvdVXiQMkAwZlv+xBledRBexuZ5k6psEYDcBXbV
   qhxNF/k1v3deCPJKZs1222LfsxqjzKKk/m3HFwFcEIXPfsImyJ15CYR3m0E27LJr
   YctpbBPYSLzZFHHVOLJbOwrO4u1B0mC5mVW2KNg4sMzSGPBRzr9RGQk77ERDVcSm
   FLIH1+7m7Vvgew4zq2leQtCMKc3j/YHDiWOVse12qugp/56ejA5y2yWcsS/yULqp
   FQb6zqvkZk3Zq5IauhrTrBJrkox7viiZtDXoS+iM+Ohuk0bEecbePs5DEtmwUI5R
   XaaRuKREGzxvPqeTlg6jZu4XuPDwE3zb1vQudey71NDSy5iccWd1aqXDyVxvslwy
   I2srfh1W8v/y6yIQuuwi90/3fD76LInAYUrrr8d12hNdq6sLmrm97vy8Bj1LgLKw
   WlNU15UOIJg3rQ58tfpPt0G2ViULWhYgzS8vQqCsyMExwODbnUUPz4x3RId1lYRh
   p0HIVCVIhJm0mA8IxdttmyD7uPdzaSNNtgHb42q3GhRUQuSDvRumJWastCC4d+bs
   mPjNST59uJgARWKQJXskVRPB0UUW4nmof/AFzI5hcmMsLTWDasaJdQkJlJjib/Mf
   AUTEGQ728gzYwnD/NTvGr2NjcmCzI+O+MW76ACBWrNlLJNssqC0PQ4hDOhk5yRv1
   RMm7qU3RoJ7lRP5Jcv2q1Ttw5zd6FIHBwQmltm/Y6MKQkkPdto7boCm0Zom+xW/Y
   +AnlYDu5cR07uOnX3sYcOp+hye6uWL+IwdDDjZ7aXA/rAj0c1X3A8PAJIkp+o7zs
   Gd0+hXYLrw1ooZzXU7ujig==

A.3.19.  S/MIME encrypted and signed reply over a complex message,
         Wrapped Message with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_minimal Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9750 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6200 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 1964 bytes
      └┬╴multipart/mixed 1900 bytes
       ├┬╴multipart/alternative 1130 bytes
       │├─╴text/plain 381 bytes
       │└─╴text/html 465 bytes
       └─╴image/png inline 232 bytes

   Its contents are:






Gillmor, et al.         Expires 28 November 2021              [Page 133]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-wrapped-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:14:02 -0500
   In-Reply-To:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>
   References:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>

   MIIcHAYJKoZIhvcNAQcDoIIcDTCCHAkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAC6XPc3wZgeB3FCnDRhzs7bUIr/hjZrbZzPm
   H8yaAt5YW8XRZI/Bt31j9i1OtPWRqthYxM4xwIc7ShdGhF92sGkV6czLsH8kkT0p
   Z+FD424d5ohgjPw87eyufum1GL+1q6TPItjC7DDM4kq3v+kwMaF59PCZ1QdbB1Yp
   p+bGYko42Dd55Ur9xrbkklIuFI8KQuLrt6kdLehhPU8EFF2Trd5s0hbHR8/AE4GR
   46lKp9nZNgkNRo9KKMXSMB9bkVe9kaTjGYKjtD23AbNDDFrwUE15jrgBkQWtWU9j
   BuZG/k+vtFch7NNVzGYQy95etutW1b6Efh1UJ7/sEv1at40ipKEwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAkZniKnyo4dOigzoqg0j2AJRM
   57gPSOt7RygacVe0zmHsvEnmvVeRA2u3C9gJHoxQpZWdDilIEDhFUEG0POmCvksB
   Dl50HiQvSP8h7RDohHPCAT4TpgnFcuLwxASBXOGVEEFUfQOaTxeR3ZecR2vqfXXt
   TTTh+gO8j7y+uKqAdpwaSVRcawrX6KQwjiafPYhWYGkrZ53cHhN9Ljn7SvfwoigZ
   fY7DanPi59cvr69ErFFVQBwQUu2IGpQ2q5O18GPuk3Rjv1WMyG9aX97OlbLxjJnM
   Ql0ajLoSdrQaPe5y4pw5KisbXIAamC7Npu7hc0Trwftyn6SdydpdrUNVJPGf7jCC
   GO4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEIT0h4LUiMtMNeOENaw0gB+AghjA
   h+dlTSrH14NOYcnRg88Aj3gjke5sIzCIy5dF9rptdXw4wmUr6pAL44ufkCY0Qm24
   cq3223vx8qLJYROZRn6DA15kFHcHw1o7mZWLW2EjNo8VsNo2eIrPmT8S/2UqEU8z
   s9ZtYacYtD2bTJesQCr1gGck5kMJ3EXMknPUL4razcOxJB6sJLhb940fw/FsoeRC
   tuaMNP4wYV1FsiG2zDGuOtnIE0Z/f3I8uhLF5uSsScnCDzURA2ERWPK5SwGy2Wz6
   PSw3nvIN0UtA2fSmRETWAog9DFWo/t/6sU428swxvqhFCHH7VZY/jqbE48GffVhV
   b8YyTr6jJvn1QJydL5n4V0rPPJdUMvmeXV/84/5oVPVY1YlOGhUXlgA0yl7JfM13
   q+UubdpKCGXCOXg8NT5g1eBagomHvqjtStAscpcIgvcj7SaydqtnIgOKAzJir0AI
   UkOe8L8uiAZAQ+GjRUdvJVkrRood0EPDUwRO2DFXbfaxyaZOhpc2EsJlm08BTAyW
   kzuRRaZJHYPLqQt+UeibGg653Uo/WYi7m32gjgU9MktBqKw93URtmw8Kmy5xGm6R
   8s10FNZBg1Cj3aPRXbPjkTP5WUb0bxJA/aYBUTVt6bgHgV5NSbUS9DU9S7gf+YPb
   h0LoTqE1DeQktnMjFCeNUrI98js/Hfnq3OYRCn/w2jsJSvj90SR3djIgiUXl0wUm
   YEh2cD6/OAu7UJ+LKVR9JhnJhjCfWACT1G36BLWdC5uGQ1f7/mSmYFxaD/+pwf/o
   GgNZyGq/ob9PLpVXjhCUozHxc6Ucy1KoBZkdPFdH3AZ918oDdQdJCOdf9jP/BV2i
   zPg7W17Ppd8i6QgdgUs2nrRVgJW2J7Jbf4ahlsMGeumoehsElc5BcLqM5daBB5jo
   0RBUrIxUtVpuwjYlJ4fe82vgSUlaa5prSvGQlVhpD2uHqaTf4/5qtCxQimxGMHyz
   +SUSnoglLsYBiDVaaDgVjTv8KRtrXb3ld0PBz1RVRBKJkoynNhgw6GRxjQrce0+T



Gillmor, et al.         Expires 28 November 2021              [Page 134]


Internet-Draft          Header Protection S/MIME                May 2021


   qajjmpGWKScDPemN7booTxzKi66Igp/PMsmlDE20VTRH/lrg2pYcdsqz68OBLClp
   lE4mTpM68YcFD7O6Cu7qlW33fxw0hU6jiIVghR1bLm3j0oO1I/wJ9qu8zn7TLc+y
   EFYmOVTWE6DA4Ntoj5ASt51wNAXr7OLqoyod7N/A3XxJ/A80+LA0j/uhLBeqE74i
   qHijFBkdtM+m9mSxhBoCJeOCo/hIWDKP6ML+AQsUKoa5GqkswJ1+OhFkp73Y+PQ6
   3qONvmpgf0qrcdpK7txfva0fxdaqhHZ9Ua8GC2s5CQJD0CyncDWg2EAmC+fQOrqa
   2qDPldVoeUgdl0pSfi9VjpKcG0u6T05WmgFlpEAJr8dJiu/T0u/fCPhkBspAMP25
   glP/sRZwDlmAT2DBDK2TXRFQaqHvXnHfYkbYtUVWkVDwfloeYOL38Xg9CCOOwly7
   S5J91Pp3yFCAQCVZb2m3LadnkMYz22Xy2cxqViP53JPzNdqx7HgsklSHgp5ZZED3
   PV0LNpkeeokGxjGEg59/vA4gk6rxP4Vr6wrpVPo4+WFTRk9QjHN5UbjMgiOYtWhU
   SWJb5G6j2ABx/UpkOY/ICSjqBmJVQnLV5xKJvai6DZhWYdYuRtAQxhrmnJC5Azt/
   7ZTDqdQb0rgyyfvrPMKGB9uoJLgaMevQH3zASx/oJlnbopA03UNaFcDFDejxtj69
   /p696TJesf8841xrZi/JyEnF7eGEXtlENINRqSpdvtNjHCqrcPHfn0zYijFdwrtt
   mrvX8MpUFXTnVZps7bfWOxRzeYbMjCrYmHxt+3belAtrNtuWRAOBNFEU9w0fPtBF
   QKi/Qc69Rc67mGDPSMa+AFIPk9ncJUZN/Sb9Pmw+rj/G2ckrMhijEeSCtI7lNDj9
   +Arts3gZ+jVe8GkP0y5ECwmSMufMdKxfEzslBAEoCIWJuhoK7bms8tPUAJA3mCfr
   IPrI8Q5+2tSMIjqFH0ZY4gACx4RMe22aV86ZuClbXfGeu1vODnk3EcW4x1yLC+jq
   X0bhYHaXmBAjW0Y67q+uNarcKP0Stw17eJt9sgJm2vXUSiY2rsCrWo6oHXo/kiGJ
   OWTx5hMO5eDvEiDvnl7bQx89k+2a9hVLXYcN2HElLhaaW9ngi5DyDU4z0ZIk0dBl
   Qq0celJQYKW+x+2h6DL5JmABT4DoNAi79VI45N9Ku96NZYilgmc7u8HDFJXOA7Dn
   B2NxrmmFx3eAokwXXLr6cO7D7ftHyheRdapaB8Lf5saoKBDE8qAxdspu8pWLoEWN
   SpaLeosea41JmiEvzt6IUFYdPMRCZVbfdo/IY/IcjES/8BB6RCEYCci+MU+mzmUt
   o9e33NxPpO9QHmNrQC//sxfXBevzPDb5fLx9q7RMt5GJUSoggzf1EQxkxGXR3nyI
   uUicEW0zaNfyPUtPyXYDd41ntrNAr5GWQjbtmFzpt2GBK7DeCAmVQTU4Sa7SjMeq
   jqlFtJI5JTCxOyyFF/zg+9qht1beTTTjoxHbc+PFjfGyO/nOr0vbF+/lMbnZ5Wh0
   zCYbR9uDYhPwpyv4lIEtZKgt0udSp2PaaD3N9A/U9AlLl9+cey8yf1li984B0hTa
   3rK50GyIpiP5+KYLS09E0bj8U8r8QilSt7RIbe03aQ3JpfRZ3xRiKwrajfG3VBwB
   8DTgMea5un80h4/RsdxpIN5h7maqbm8pWU2fPe+BIdoDnuM3DXlB2xafZwTTdOoK
   GDmWMBoY7RfFTKryA7vNU4jw3KUHQvE1czL/nIc0ORhLmQpDHQYhgZh+VKUr1J/y
   leQ03G5/iVRNIEY01V/Zf8akV1RIhnGB2Hei0GsxtFsaH644VVedyDspWY49K3ji
   ivtMMZPq1HVY8PADH6bdeiCh0R2Z2T5JqyqCWZ/DUzM57mvj4B/7uw29gF5EDIno
   8qNcdQcsZRCsM2btmeTtN9JNvLrL2v5mSvH4fS0Rd9e56lbMGDDGaECpJHo6BAOt
   ZcVps0041mDMzkFoOs8G7t7bkiNIMTpRaMxNQOz+XBRz6yExkfSgTXaqqs7tv1He
   65Vv/otPZJg1h1/TiyA+wpYnSpH4YDY06pWpk4BNlVDCM7iIeQqPwpLEoZxSVguR
   9JWLLzvPbcOXTJruCoylL9Sf1zgyqwYya5FUhUIEftvzZ1Qt5l6qOD4HrQtz6oL2
   BbI7Ftdy9iodZh+CW6GxaBxPbpvrBtsAazmXopHu+u4E0O9PuwR0mi+WwY7z+RU2
   nMzqFtaNRX0SS+jzPpew7soJjGpPSAwrOinh+NyM/dqG+pTZhOwJuaZqNCQBpXLQ
   696fFQJrddleN9bAV24mjfKy/AK1qbtJRk8TJv1HuxWU1iKqpzV5318i6hilhmDQ
   KBh3S0Ees8vXUqSgj8pG0wGFuzfj8pAEWmEanZko0c39BG/q/1rJmm+bDLIiSgYL
   AzzNTxcHjzDiY/3W6Y5nzV7Z9f2+jYOtAGtDMuS2O4DNW4Lhwo74ud/SIlFkmKtg
   7zTR9X8iK+DUVFgT9DVL4awJYYfoiP32a3Acxa1prL4zXZfF5MY6T7WLn1wMIwnl
   vGxn4/THyTGAOGIsf5zYx2NNxy4xntI3DZO/XJV+nIlN70RrtyuqAicMfzZqkmU9
   3j9+OGSPNys6GMPtxBiB16QZVzk1uUXuA10tRykNnnwWBu5zdNGbYpXcnBm69BgH
   QF2IzlKfh3xwNZQA/oSxxg3oWfCIvVJ2tCrgk0MngZMTmyyabQaEUI85qKAMzfav
   joYB0dUwEHs5RuyGPL3Jfz/YqBaS95p2B9QFC0R9f4sFAQ41y2w51AabVSEt5GcY
   fY9BZGc4wKCiRURjk7NNLRELClNVUmBnCnAkas4QpZK/Ghc/l+AgrJep5vsmpH2p
   gsbY6zBmUm84p4U6f2LXEuNkzHynvyWUZ1o43LftsbfIJM1ao2pUbYjY/Qi1ye+t
   liukpKbGB38YK4GBXbv/9TwCfRMTSjkm9Kh/tz2c0qSVwjhSqoyQf5LZDOdcgNPc
   MlXtVPVGl/fkJhrhzO+Odo7sK8/dpEWf1NRalSHeBrYszmlp5MoSOrRaJs3jBGlc



Gillmor, et al.         Expires 28 November 2021              [Page 135]


Internet-Draft          Header Protection S/MIME                May 2021


   kns5SrxM9Ollto0eW72SLZGewu9L6gBg9qjVRuxXzPFF3l5RxKT23/irwrxMzvYr
   vNmopJpIL6WYv0+7K8m3FunsYGc5jowFU2fE+EpzTth2SlobIb0TeRPsiyhq71eg
   +W9hbB59VYURK9kNMtigXpUTP9FENdWBqNVBzalbxKAWi6s9Z1rHDwuqVWp0eJ+x
   KEfkdZg1M9WqVrcNW5JxEFrfQOACB/tzusOBYV6CFXQGPKtwLQmrdspRsSo3obxh
   pt1gEMJYULiMIvZk1q87iemYUCc5ohRKHPvAYgs2k4IHaDQobHM/4va4fnyzJrAG
   u/3ii1nGwO2Ea+//5AMQEG0txgdmA4KOuum4tKNK7iKAEaQ1+WIho9rtfRoLxHbz
   5tBmRgjAdhj6Itd1e2RDMiMRGWiyYzrphyupJ0NSzDxon3PknHg1daQHtAa/BsQZ
   Ptp4QkEUNs9j00gRpZPgMhu/GAwKnOfY/Ik+dT70UvgB069b50yaSKhMCiwALiez
   KnrH/2+IvyjPcfaRuaDbJFA2hYnyUVpDGfV1rOYh1gtuyv9cWImJtgkvJ3O8keZp
   eydNOvmhqDR7NDNIxzjco8kveA19r6jAXyCzX9cTeJZTZUAEor7jedsQq8fHijOo
   l3Hi9b6/6eDNcR1Ud8vjxmTAHUg6cXMVGCxhSI12hGcrPmXK3l3gGhuZjEyEoafm
   Ax2QRrfS7lYGnyrS97BmtJBVQ4AxOD0ajkYXEBbztPQZCtUPqv1/n8d7sTAMjFHn
   qDLmy4btxKeH1q10k4s9Gk8Mhv/jczXtv8nB98ZNrGMq8WAL5Gc6vIMQBoBwpk8B
   BdKVsBFezHCefTgV/cmi5llkhc/Q2rQmXQi9a0MgfrkvlyP9Lvw1AxqJGaWGsWjU
   6xuImeZ9rqsY8jEDV8+cNBwa63CPSqqNKeWUdBNF0r4TVlFHk/IwQ4dEnRKhSrvV
   tjLSbCxhzlL+FHUM8+DjysvMLELs/ZgvBGrpBr3vKrdQTqVKsU1fkNem485O+HCc
   Ir5RiwWygdvavp0bdXSoXY0vR6xKrkoJGbhmtWgh/UYkIcQKUQ9mRdzwlmRXgzHa
   yWi4aWiLTKLKr4yTPXQxHOpblDN27Sjkj85wFSUSHuo4b1yojvFFU4CiID/BGezr
   1FIUd3S7bhVh/HgAD+qW8mR1JP06m9S/vAcgmalVdEsOKo4IpN5Bie8PP6BMcYBV
   VTnLB5hHdg+saN58UlqObWnNetICxcHlGC5yYpcmxmbZQe+uT8ARIYFB4jlvsPeU
   FUN2QDZT+35UqnZGSNat4CK4r4pCQS3lFGjbBAApRCYdV2576fU8LfHCFGqtPgv4
   0JYcdTlWVNMI09LYmnSLvmZYLeKDufYXDuF6DXt26etEi2E3LLTkjg3j4EZUuL2i
   mvPEiRIJHquSkVHRZP7Njg4k3SjcPVMPwp8i9jHrxbuEmXcsPWqogN3XZUFbGXiv
   i4bfdzJAhDjAwrKWjLWUzFhNh4ChDeptuCqs/be1uW8O26xebnk0kW4DidmKUcdZ
   Qpef2nA3e2G/tNRrgx8ogeV/FFrI5jCwWSv3rYGEgOR5az9NaffzN/uMkL6vn+Kc
   gpIi6cIH6wBLo1DrSI4IGocAPllvO+iTvvVHXPSsdkiePtvRdDrLu4rwe+yUB/Bl
   VSWZkmTyIq/nOwfpRX6mU6HWYlvdvYoxJRRwKKhWjE6Dbe2h21fYAOjvPkTwm8Tz
   sXTYlt803yU8ipgdaw93lvuuxNMlkIvKQ20Zo5hOtGdbuq4jyUZ5o4if8monlcQH
   n5xv/5nK5jAAD7ZHmbcaOoMtZlvPf5DIBfAN1kWUQlD+ehjAq1jMjo6R2e7MkBc1
   N8xvK3WB7xJ2pS95NeESyDv/HyTASLaY352extAacSMlDUo2t7/s6aGMbZdjchCq
   x8oc8Ez2045fKfvvNezvTjY8PFKOgzm7KlVJDaVpkDvae004GLCa1b9IeUHCKT8G
   DJnM47hqBAQecijjBczXUHxC19B05aAPJU02CrlxASiG3V2aKI3m9lciNaMpksJb
   /fr4kaMVwUpqZiR5RcgjUAkoSA7OHaUyNkQOL0UUFYh3Kl/+q68gpy06S0PCcU3m
   RIY/Ky4rjCGXGeXhT3uOFRJtZ5vfX4cQ/cP2YZZ+kO/DIzZ6fVYQfRelvC3Ds1zV
   2y/bI6wNn2BdUTtztg9Tyamj3WTumOwZ+o7+XHzjuhBjvc2P8gZOkXVOXTXNFrqz
   9jNuGa8WIIRv3zRHAHCTFxazxiqeoDLjLc44YmTqpjgRDodAuaccAeD+wx+XBYLH
   WbvQarq+aAbVWWaREZ81hRnuac1uxybbkV6JVFi61GW3jFdLc0oOLKTa2RBeO3y4
   U8e2tqSlM39u25lzF2qrKbIyCNK98BvxotWWnogDsH6s5TF2MyqcQpq5kzs634C9
   ZI/8Sc33Qb0zLFDBnvtWQzA26RP+0KLN5PeLJ+2XkjCHJraxg1HRkWbXdCNB/8s7
   gZ8LQDqCj7ieG70FuUWJIPQ32lHpwwv8CU8xPTrMdfkOabsIK0MkwNv9Quv6umHR
   gfToX0l39hV35d8KBuo0SGPkZF6btK9z/V/9RSgGktCC8wsb7V3KEp+C914pQsmU
   XqQ9pF7tZLudtn9J7e1WdRjAYf+Vh9ro80pV/cv8VkMI9OaPJ5/XD/CJMeVuNaLS
   hbWrAiLU6bjhRuuYBgtnxXPG1QKBFwqCyMzP+7ia2VNVrKPjZM6F/D8Q1M9ifpTX
   CkvPX7xi2tiW+zXtAgZbmEnaMp38CoKB5KB+HvM+LB+ms5GVhQV/CpeuLts/2SKJ
   gjpj7dZb9vtU1X8JX/Ek0I/BKODPCyL7ZD2FuR2qYmhgcA1/G89Jb4PWPRlsuRTc
   DTexBIIygaLt5WYDqDjQIslOV9T3Bzbj9mSGqjzTFhwX6Bk9hUxIVcEee8221XRU
   fZwwfkp6wlvSVKzavpRtDFvGqjVfHbHx8IGW2ILWlc/yF3/B2uNbTWFahKpDipyw
   syXCwdZsDDpLFYqxrhBTY0WApT5hYsJSK3jqbBQU4RiDfjXhHpu9RLLpI/abs0nG



Gillmor, et al.         Expires 28 November 2021              [Page 136]


Internet-Draft          Header Protection S/MIME                May 2021


   63XIGhiS6nN7d7y9LbkOyq1PJ8ZW+2OD6aq4Cntlm6hXZVHkmOz1h8dTk/8UIKwu
   jmmJI4Mf/I9KR6+k5XeZob6Tfi0sJdj/EretoBPWPVA+lNUB57LbPdWM0K4VRS7a
   Bk/ZoH9phhKRhWMDLdMTqm1kDx/dxqe7DS8M6BfgmZCtFHeQvqPnd5i1npik5bmB
   ivkNet47fMpy+FnQF75Aj6EtKVyNpTWgy2Iju6xiPTle5/1FwrUc2cl7tbHxJhdA
   vmDsIC74DTqN+qw/WUrf5VoUXjJfiVXN+v3JSiBRy34TF4HSsqNRSikyu0Yr+2iU
   UIGhg08JT1WblGjiqxG0+oUyb7lDPtjWeck5fH/qwm8w5CSpVTjJPgLDh9ij59p8
   TZjZS8vQJmp9tfCL0IALmd0OgfmZgGZEiDrsOzMSxaTObpt3kUa2T4qbzVeizQfl
   thSR24XcH0maln/KhLbo1X2mVMlGN1KJf0bMdA3fjL/4tn6JNQuUXzKGTEDhVBVi
   KKmuAkaZhc4Wm1QVLnbNmylr+Re7r87jKAXkg1h1vVg4LxuHEKSv2iWkWoTfW94z
   uSA4Rz0goegkrbsSRdSqxnI99zVVF51FT0PdMRUDG4PdlHpNI9DEZDwJgWipU4pw
   sjvxWKCU2pKv2iryIyChOTEf4rrVNKRNrDA7njq7s8czkNjopR5UUiu47TFIW5H0
   ap+5+Uzl38mqbjwHq/SqhzOzdx0G0duvGc8sX5PWUOCyN8qDn5w7HJT/owvsCQa1
   Z5BQUwmHmnCskr6QzUnXKe2pK4f4udI2996Y0E1ka0OClffCsNAmVDd3QhjvOE3M
   C3S09VCYNAjEdO5QsENSGfdp3+xtH2JhpQUaZPuQUVUUYn4bl2q0oyAdKYnjvGtj
   ag3O8gXaBJB7yu45KE58jPOgokCapn1jykmKkg5iqNla68oUqW/4V4u8EJuzY2Xm
   ZgLL1iOuHYsGGCktPwR3YpFPEd2/t/lmE5pEUyGWD0lRX689zahgvF1ez+sRkm9T
   /dqT/26HERXw+hzdM7PvTdL+9HBkJLO149x0o2WlYLQCo1yc6MWs1ucM5nWiggN+
   rdYvFODbhCZKqJXf3L2n4yO9i87wPRQI7VAVRS8A9Yn9zbMT/7xPwdJzOet61O9a
   P6iBenWdJFJOurnLi4d3lq/Nce21G3eTLlBy3iNo/B/edQbl7L/K/GZ2hdGe3xqL
   EhuVvdmkaOS8RUjAg3ZR5ch7FBGgGFQDZgHdlBS9YNzIhMhLvBpdBaRD1uYX26s7

A.3.20.  S/MIME encrypted and signed reply over a complex message,
         Injected Headers with hcp_minimal

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9775 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6230 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1932 bytes
      ├┬╴multipart/alternative 1134 bytes
      │├─╴text/plain 393 bytes
      │└─╴text/html 474 bytes
      └─╴image/png inline 236 bytes

   Its contents are:








Gillmor, et al.         Expires 28 November 2021              [Page 137]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:15:02 -0500
   In-Reply-To:
    <smime-enc-signed-complex-injected-minimal@lhp.example>
   References:
    <smime-enc-signed-complex-injected-minimal@lhp.example>

   MIIcLAYJKoZIhvcNAQcDoIIcHTCCHBkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAE9HDUrbtMm6tMXFiddE04F6o6+6+bjTxH8s
   sdumFvkas9JR+jvk2mMX6lOmglY5/r87cdSAMFq59MAGLAxpBHkr2qzzLsKX8JGc
   x/nMEwX+pAqvd6gGEYtvJlEpOY4n7MIaDSXcivOOEDd2JQemZ8nCqwAePFZ161r1
   NgmG9hanvscPHz3slK4QEiMI5SJ/81EHuYFZsktu6JtqrKzR7vvQFRRMwKZ+xcI5
   QYSQEIMIhLG601FHAW9ZvQpb4lIcm0BZOkVk05zLUimqAN5/g3Cb3rlPzz8rH0ZO
   maAO/K2OcZG/3kR4r2/mMRHnNQQw5atxiBz0bMSfPCnjjjltYDQwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAC0bAX0tnVecfETyTe/YHNlO5
   RkMhIq7QWdrJlsMTdIDQIe4LtcL9iyHi0+5lbftUdhHByg7az0TKs6rJ5NV6Uwo9
   zH5FDMzk+Q1ry+KUdDuZqlW8gCa81n9VIZj1bnn51/7jTfa656ILTD4oF5l4TB39
   VfDJ99OEJ88aca8MKwB7YQp9mQGMj6ZBHMR8qz2m8hov8t0iVnuXEv2LqBXxh3nW
   TC3/Tz4eVbhsFWQWnBolLPG+vbgXy1UJl1Qc1g4qfcc+NoNgIOVsF4Ydj5DJIhSi
   TObg8Atl72wKDLhnMFmdj0thcdhj7j1+UoW3xpKXoZtdU0JjLKyz0JgKZ+mMQDCC
   GP4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEDvsksBd/Sxh6/HtirTanleAghjQ
   7halciQ1qTXJOovaSxq8ykfDhIyzuHI8vAv2YCDVAmRhBA5BURTAI8ByapJwuHJY
   1PMlCXJGYaCJ2YMGfvUHW8KMQtSJwbPz6FuLznN5wHVEbm9rLc9HsevvFCi/HFsP
   igfu6k10vP5CfLlR75bs3NY3QnFthGdoTGsta4jf9yGqYOA5wvVNQ61N8Yw4DALK
   SRg3kE1cAvXmjtUaEq5r8n7F97lCLhbces9aRK2sGDE55mCGE2VR3hDSkeMEkve1
   mmRBHYnjRBlqA9ph+tpFMkdaSTNiBxDbrN3tfJglSxHAwFfncx/5CaldBZ0rvdwP
   3msCeJNNkTy+wkiqEN3kFUo3lbkcgijteAxSmGz2xePytwONy+Bg3/75PmGwSe3H
   p35HdfqzMoHtgoyOgR9opKsRVfGKtoQwsi/oXGTvTmA3cMh9LRlL441yEjxuFKnK
   tqax8Hz9bJJrXqItUqr+0kSswEMvGalw7B0GFlAoCDsqhfECwvqwoftfIIWmddcY
   bd8kQhRYwMWzg7Xpo3RoH0b6AYP2Dc3uRlpauq9jHRzozzbBni2ZvGnRRausVvtM
   Qu21NXdome3FNZMNLx1a4RlN5x/VXWvaU8snlCIQqcUAT8pCsrjP++WvXC0+dHIa
   MgQyGd4onroTh11HeyjNmJgINh7itdqXBSDlZUMBymcZOXByB3SA7OfMB/r+3MEW
   rOHNtEWflM57fvHu9HgTeEDp1bwh4nb7K7BLAmbsp8RXmWum2ZiCIpqac/NXaeeA
   1sKziN9yC89npmQscQy+BW0KUxoqPzRGJqLb6uUyy2ieGuHcWfkT6v6+BZsCfWDM
   wGhLP0Po6LaG1RwzPwk3z17rIlo5Z0B6abzDo9J+3NTTlVE4/dkbXfhi7LXfwJBK
   QnJN7ZrPtVLK03auuN2oKaqaP6RYnFU3qNlf2azKqy2U3lkeqvpa2iw5Gz0EY8uc
   GYV58Qu3YQkNWRE78lVmKL37A7RkVGBi6Kpgi2XDmpOqIkDa49Eu9hBfMseivXJm



Gillmor, et al.         Expires 28 November 2021              [Page 138]


Internet-Draft          Header Protection S/MIME                May 2021


   Ym7OgfRNSiwej4Ccj750yRKr59i6TwEzrYkIviEE4sXsVMueDFWtDLcjvQ9NRt/L
   0E0zrmnWX8T+yMiqJp7fUcpHjnOATpO4QHbpGU/+l+N8hT75pQkwgW6iVCyNTClH
   FuziSdoSvq1hT5bUGBK0dVoHLcTKOaKhxDSwQGcb9C/+GU3wYVUPh3qa5s9VhXmT
   Xwvw9wln6MibrbfKoc3P/k/9q2gNiXmaJvK1SfB3hrMt67OVALZu1QKmJd/S5yPU
   7vBKUXwCqr26sxATQPqJ0Mqvbgasy5V41ffddwXMwXzH86m+epy3fIQiAPoEA5NL
   LrwBQVFV/1DCMJYAlAXTFQK2tkq9B0p4CxnXbkyIDG++Py3a+gSBKmhlEkJBnYsW
   5WqKABo+4k32Knds0mmp2ZCZ/tI8RTG0q3CAF6gfHRRimdlv3uiOXhF7JlBZZAeT
   pM4PCTT6hpZrlNC9Ipo83n4qjXnsy8D4eS7hJgZ6zdM5E9zczCYislSqPWkvC2ew
   7kpccJHw8D73e9bAicUPaXyz6+Z3C7mDEdZpJ7Av6C6ChsCaSFGwrV92QLzTAIHU
   nfKuln2TArGYxqyKiI31ihSrMM/F4AnNkAAZ1hh21Ni3WCQ40qVWmbW2LCSBUHKu
   vcBYJ2/kuTKBZOqouORkgZQiuSatoesjHptHsWnCVxJE/+0o0xoJphODfP516ivF
   zgJ87tb000E/Kn+yUASCHg8bS6cNxnQ2995mC0wa27htw+xvWpwPfw6gPL5r4pDn
   pO1SfDuCO8iMbyNaIg92qiu/gFdkIXSIAXYLABAhSgThV1wauWtdJIxPif3sYsoc
   AoxVRPBQXyfBqL+RE/iSyhkeKH6NfN/f2gmfSQ+SB8xmb/NpkpA0clKIxgCLUFiG
   3sWj5EY/02raa1T63+g6zO9+UcYNpeoqu8skzVPUrudhcVTZtBBTYAjA8ATsmkFJ
   nm3eOj2BkJQ079qQ2RIjXk7nj+b2RMI9UPbM9fFxP5fsjoiMifNsBA6Hddlskiae
   c2a69VT1LlKi2mQCgxdLiTkIGBuf6t7k5moMFeG4iKnIgi44EDYHAd+9hsuALS5Q
   w7A3NHF3LXvugAse192Vq3aEsXoeQqOajPdDybctE0i0cQXLvD7e/We/3jZ5MX7/
   uEyLBJgFeZCqwLzX64Lt+Z5saUQVbq75JbrmA/kLcweoJVOIxnz/nA8sX1G5tTub
   T0i/nJkUkktL5rLpEgPwuOpt3ed1i4hna0LNBDNsmPonyS9nguNCMyU0VYK8Q1xz
   GDvPwH7WxaVggn+3zQ0DDqE0i+XmYjuryEemgx0JC9Aki3yZbXCf5QaM++pqDdFt
   U/HX4bfB5sofSbNIqhq6TYTqhJEmUuQaQzH2/4m7j8sJgC3EzQwVvU/yffiKBGUY
   CeSgy+eLHEDzqC342SCAY+okSep0jgrZwsRx4r19PuBeVq3I1vcWcNPrEcjamk7U
   m0gMfi8KTIiGex1He+eoO0yupXu3JI91gDoIwZCSjjq4bOlBOrvV35OjlRZl3HRI
   xAYa0etVtrtBUrBLayFWpFBYDcDHlD5CwU3YpgB8UWEMtcci3qjsiBuKWLQ1tjhU
   A+xXrEg4yBHe2NNPbUxqYtxFf4lA50QRUP2vxOnixOiCjd70AfWSXm52tYijD3eO
   uVkKgyL3g/xJsXVA/oNlq+a37PY8sb5Lp+gc9g4NcI86ZaxBWNE+PfTTFTT7TzdJ
   CVajr0dWZMhWmPm4hwwUuR0Jy9Y8nxiFES0erfL36ftqtpZbcdeK62W9EUKGD3jl
   X1gM0TF8z2UHUqQ5UWq0aHKrSDaL4+Ipm3JWBxERIAWEtiznc58B3yyiwm/4Vh+L
   n+9V1F43psU3KLUTZ6XkD2uYS/AenypljtUJFEEFCZtwKLXugKEB0AejSpPUqNFO
   pa5338v5ocqMowr9c3ErqEJZcQLUj9TdYAry1FGe0Spv3LX7HmHr4KcvDXAWSUQD
   lii1zJzQatmuwx75SYMeN3x5D7yhjYL28bJaJcPvFDbgCsHrW8YWu6+o9Xpg9rKA
   JVvjtThGsLEllTA8c+HYCf97mS7ccBoL1JqW6/TgYF0aL+jnSTulcB1snBhGAjB4
   fK8sYQcBAFUHbIMuxjr2tHhxWirfSkI1zqaaVg37chfkCqp/r7uMU++xs3xbiQvS
   mOI/intNv4bZBE05guL/EP1dHyjyc1EQu1t8Bj4cCGlDC/AfmGJM1Zz+GFImW3hT
   DZco+uenvnMhTi1O0vqGYYKwTmlw3VQGhllo6o8CUf2HL9XhmZBaA1sAzPByJTlM
   2FjPMzM1pG6qj2vYMuRHK6/GvqVpHcJESUIrXzwT1RwxhDV8H0j+ygZIM2Kozgkn
   Xwwanf7euqy562uxPIWP+kXKCSuCyAZX5oZG7Qx6yUSCcTV02zMOrCS8WMYLxMLx
   MB1XS7EjqLEkfasgW/IzRR/3kgznp9PU5FaT7VaiSwkIL5PNl2RoXfoCAu/LKBF9
   bYaaGW4FVkn/JocuQKtG7URRPji1uL/kM4sePpgRuDJmvu3AD6YjQ/6XUt4GfPIa
   JpTVJT0fFH8vRpdiZ2zRlib7meLI2If6swEzv885sbp/smsi1SjNIuTgzqeK/Rdc
   XOdLutvQ/MZyyVDKHzw/rG7ceTKniijS+tqcPtI+2IdSxuGCxPS0tE1dJ+DVPBS6
   PfPx0uM+l4T7QEWgDEP3wGDKXyAETj9fCgPPaTi5qjX1bEqCo4xSSoFi3qu8tFXo
   nPBrPnJbjk0Qpd/gRXsudKm5T3Mx1iL43FtCmNrdRhyrAMZiqIXVqvFzoQtxutOB
   X5KTBb4SB/2NCnEwhZwfPaiZVU4CdTQWocffuyzi5Q7VpJGZZA2aj+FPyx+9R8w7
   V7d+7yBgkEsYBfB7c7760QaVvNWdIza9OY44VioMGt1KYmj/xLoR5MnZ/CPLDRLw
   V6wRbsmyuLKn5eq2lkOZPK7zRjhPmk4jMI+hZ2NA2vxgAOnP0iQbTR4ilXms8NKz
   +wgvr4W6zr2h2Aa+CLPESKeo+OQKWaxr3AwBsUHgVUYkFk+gR5GZHRuZWre7KI9f



Gillmor, et al.         Expires 28 November 2021              [Page 139]


Internet-Draft          Header Protection S/MIME                May 2021


   zMORjhYthKy2l/52+MFIirsEBmIR5aB1b3MOUWU1OvaWR5purOVYi6KO+zzmZGZd
   lHja+wOi8/KC0liG6kja2JGy/Qrmg7icn0ScrRTEvXb8ut9Ej2/ybx0WK6oty8VH
   +HnRdKfb75tmbmsM3wFCO64szakuLwJyE6qmBmWej4tf0JAZNXpt0f2BIzE5XzdX
   sEbiUZpc5wk06obXxVmpluMRAJR0mUhhDWiCcdRF1LrxCYAQprmS4AV7/kxOxSTT
   Uram5vArneefy66nIZ/pPajlWY1oZC+9BhViGk+/TJLBbGCCWRWWDHLmlnl/UjJ3
   uURhhEu8qhu8sRqUh2iTlYlspfZLnlldZYhKX6gbfzPwK/l4ydF8JFSUTKE39qRf
   hrzxsVEjpCKJOGGiGUia9B6trZvFAAYr+sxpqcYkqwNMB/pxRVT/0GMN2oTjq3uR
   Z21zPhtNL6nUjUrQRYyiqlPc6OYPntu+ZkrKFJYzfHBkqfmNQtvLY1V14Y3V2vU0
   QjrjhvreW0IFKeadZpYjP4uDLz3r75LJ6zLkjDEQajl/ZAdEXUf3EeA1bgncFYO0
   PUTlhxXf5LrsPLydaZIetBAuklKSCBtfohVt6HIjWWUkwDj7evmi7KvrumyFePU7
   4QNya3C05HgmmE3RYgrmYBDiX7bG5z1NmiL6p2vCRs+inOUMDjEelYLAIKjLWqx2
   lNNS7ZR0ZyOOBq0OcvAxwvv4FFez6APBzLP9ZTj627I1ZQg0pCM74YKmssvFmjQ9
   IoHAyp5Ru7W6hDZLTYKNYycybL0aKe5YafV1NUZxox9k/9iN5Kf6lnaOuEtpTDCh
   8V9kxHadOFLmk3QoPZ/1ufih6ZV3Ael7XRPNL2SZ6a03/rpf6HFOqWxRnhR3V9fY
   LdNe+/Xu5yBYSjoW9CxCR5YACYhGSesSUR8XZwwuN+i1BLUC9WjjNh6Gpar1Y/ll
   mWDKSSdPXZUdF4iD7i9CDaC+eFd7eW370mpXTJNXyCD2jMvYpXRzyf1JC70Atooo
   WAP/eNkAiN2+JDzOYSw/ZGv97Ba8Tz0oNVMIj+aZnw3tlrAmUGWywVOnDoGKPj88
   IVCX007BDnM7oUjmgaCPJpGiCGDGh8+CdU0105cFUiZP8g4Mv049tuE3VVxKQi3o
   h4VwVXU0qa5FLhaRgRiSvpB91ni93oQ6Qc/vB+q0sBThRpjwW2Cra5TAWfJoFia7
   N3l6XqntXZZOsCFDrBs4uzgJiDFj4w0+l43vwIuBS+Z5sCl3pJANNolwdL8jEQu+
   6crgYH64Ib/eJpOEIHu+gXa76XBO/zQ49X25qXDmzDslq786kzLN9QXfBhNykO5g
   nkW0vxIx6y7bI0IzRrx1kP7H80I2d/JR3RwTA2Fokw/9LCptXZZ7D1mv0N11p3qV
   X1doUFDHi/5TkrlmhsnP/1QARy9dLn1FEu3R4GgWNNE5+r/WlODUxh1Qmv/8f43e
   4PhXYiN8KTj4XXNYRVi5Wz/wflZF71V8HbYXWLPD64DuKM9cNGlHpX6SoR5NbbRj
   7H9+OpCah2Rf44N8ap3J1x82FTr6/y2vPOtdU9LRJ3dJZzYUvXe/LRRWN52R35I/
   wBfTgxY+nErhCCfaEcT4SBtQFM75SlxHNHD1IHFqV3a+6q6DEgqAbYz2Sbs56qAc
   8IirCPglJUIxCcUe0fWstwHTdcOIZE/2AhoSOHftKgreC2GkBSTrmWFWzA3Pkjd0
   oovsv2tTHJ/YI87UX9PcUaP1u9lI0Dm78jJmM3GNSCqbWQf+E1LvXvqrF2p/TgGF
   2s4gFm5yanbPUEDDOe69OkZlZjTIy11Qsor6vmwDsHBsBB7DSeRUa+08WRh4TyJX
   FOLE5wpcAj9t2FjAYAEiPVOOMHAnAQFBf18SvKeUr7T0uSVW2RYFjdV3iiE2U7Z5
   WW7UBG86GvttCLRDmL2Yhgp/ex7mEu3L6YgwHg3hAHWhATqeK/yKsN3mA9GA1FvM
   7rI3+SUV1jfJ0/GaauFtXJnZaI58K9SnDG1bCQ6xjzgUowJjjhh2F6hHe/WwjMUd
   w5w6d3cjIUqp3olkQKL/RE5ZmqP0uQIntfQeXDClM5HN1vg4UbnPXXw4d78ipK+N
   2Zu9sYkFX52YcZ2hC5bMenJ1DjU4o4AU8bTdnyTNpBLG8S7Pw0gTySG9rK11SerO
   qaC/xcegf6IkbkXy+YHIdplzsckHl3Dm5Bzh/q82H4YmaikExr4FqJewOyNUydGp
   mYRKNeGcArMblb2XPn8ooEhGvQQaPKRtuvlXdXd6fYbR24YevWkX7Uuatq+RgiQ2
   WmRo6Xx3zduNWxI7Z6Ha7ZFV85jGGikr12ajydccx1GvofrozDzrG/7acdiM0hmw
   OzFFc1N2MBFW9uerEA0jyylw26TCOILN+LBBME8SXzjo2rbBFXJq8Mt94r0PwiEB
   hWuk+jH+4llAEy5Kel1SXDeKfcQOvEpo/2hhrP1XXRfWNv79DF0jDxkWx4jV3B4i
   WmPrWExY5cmEysXFjDzqF+8E3pR5p95nYax+qnvqY4DNzDztQ/Po52ILUsxsw2Gu
   B+lrTp6qVxZoll/lHgxSsR262gMhxJZYOcCkfcQ4kMYzajYZpdqsMlUK1TfuQoNq
   dsHofrYZ0sufTZ/wXZpTmKvkxc2DUaCi43iWmj2aBFYokUA8nlWGA86Nln/GtXR3
   XPSCX0ZBmZ4bYdCMqhJI17JjiU2r9VkdvkaevRMsKE5Gum3NgRkLwAB/EMnvYefS
   9rF3DmqZl7ilyrCIJo+6EZNTo1Ol0y6Pj5mogmix3ZMaVHmOwUCknAFcShsxhV5d
   2h+SSL4EVSRn8OPWRPzYEnlu8XVZ+EW2lHI3nsjuqwiR+4PllpC51CqV1a7PHwHP
   fNXJqyCq+Ru2eFMelIzBWBmzfONXniksGQHn4mX3F7Cby1v5vfJsEut/tkppEDa9
   1Wo0FSMe1IN+2nNtEh3i3MUNykzYJpgM4PGuBNyAW3KInaMmQPifQN1d5Bz07fHN
   sx+uRhi2Kt2dLDZwjLl4U/ZdUILGorGDtisRPyGxZYa1+pT/2RHugdVEFAytR8cI



Gillmor, et al.         Expires 28 November 2021              [Page 140]


Internet-Draft          Header Protection S/MIME                May 2021


   LVsGtEL9H1vg2lzHIlFfM5oOzyP9B9eO5XBG9O70+aP2g/kNWWETJcGzm/YE77SJ
   TKZakC+QgAEvfIhHRUx5obw/ekJDyZlcJRIN3wn1HwJ63USgBHMl5OfRyJNkg1fX
   2P+ad2rjEyN/PW7XD6EjNQmAnbRCo3/Yamyg/6MzIu586+MIFZV3mhjXzgwZWzG9
   Oz7R7hjPcaK0Y3kgOGHR/RYWW+MObEesTdCSiLwcGOaucbMK1lRwG3pvFSysj4DV
   DjIhAKF9ai+qBy+G9g/rTO+J2nszZDBW/RgVz0EkOmyow/F+zPk37zavG9VUKYQ/
   Az3CEO0SXCUWRJV4DsaRRMte6TnKMF9grNY/TD+EkWPKKv0rdt80OA7R+y0f6RTT
   EcAG23jJrReBRCwmopkoqhFv4w1vp+OHbMxj/WhiZQUda5UP/ks0YiGSim0BG715
   ExLRXkV1CtgfPji/ZRKdK2oH4rJVTWZ6ej1TOyLhu7UMWfOZyxMei49RP47oV7Na
   wMz44+oFm1oOCqloOIugc2wrsFS04OiAzpLym3wc2kSF0PfnaPY5JqoeRA/D9j6H
   RKhFufAKlJ4Nd/sZKxM45OgTSWjsDBX49UgdRBoakZKhgTVgNzVncZ4AdF+D7egf
   9h2KZOCqWcysKEc2mqEe3MWnusP/QyulTq8gmL+p9tEz/++8ybH1vXVb1VGiFMiZ
   /J2yZoT2l6wBSM5wn8lK7W+Nk9F/ASqVfOnhXUQs9uy0c9+A4Xw45wgxHQWgK9hP
   2dMW0WXIaHCmqPGvg7jEa6iuJI5aOlf0/4xJeqDGfCHR2Rgv5z5K3P7McigBW/ty
   +HAMHnaCLkJ8D/mBDe3ss+INPxnWPti8Dgo4Xrot1hTrdTxopSw13iG5F3i7fXuL
   8ZKQFnWbzFUnhg2ZD7ODrOpjI0/pEe0C6H/Xs2ZpZj4yyhjrA7bHvNXis4D3pF1r
   XbfBYGttazBT8UpAMo1jrUqP4lQ79nBKaTn+nvLD8hpARG1IYiSUe/VMpRLyJ+1J
   Tk+jwqMrD00wALSsoGM5pgA8CWWIAZGz6T5YXkZxI5ArGJd4bj0YR8g7kUI/TYfn
   sMZcROMB31ts24gfQJLWAqYbLI01rf0DH48FTzhE09ZHDDNO0kolViosU8i8HTI+
   xL8J3luyoECvcHSQKXXNLdV56bYrFm0p+KeclsKH8kE9rQlBfLaoO5TOhwgGZxgO
   g3FFo5gLqwtlasf+hXU8ZJanCjUEh1WBjtZ+AwLqMjJtsDyswvxr+c9/WET+4z8H
   BvdgLI+cdV+sKOi+2EJ3Vg==

A.3.21.  S/MIME encrypted and signed reply over a complex message,
         Injected Headers with hcp_minimal (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10465 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6728 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2278 bytes
      ├─╴text/plain 65 bytes
      └┬╴multipart/mixed 1612 bytes
       ├┬╴multipart/alternative 1206 bytes
       │├─╴text/plain 430 bytes
       │└─╴text/html 511 bytes
       └─╴image/png inline 236 bytes

   Its contents are:





Gillmor, et al.         Expires 28 November 2021              [Page 141]


Internet-Draft          Header Protection S/MIME                May 2021


   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-complex-injected-minimal-legacy-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:16:02 -0500
   In-Reply-To:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>
   References:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>

   MIIeLAYJKoZIhvcNAQcDoIIeHTCCHhkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAC/zB+nn0jWI57wKmTVdRPMb0gUX5+I/CyN7
   ggibIEWkRQ/Xg5h8RS74HQIHBq8apDwJsMtsEyZLnkwh/9/O+7TYYpMomQcmfT1+
   /O9kt0bP+X8CyDwC0ObwzdTw5sfCpBvRC1s5wmsCG4n/dBxyf+xbKqH34C4DlJVz
   mB487vVdUQ3G+M4C/P1epEahjuskm0LOIt1ZAFqPig3fI60NOAoE+169vIQ4WWbV
   AYEX1n3Q+n4L9tB4LsEt/WjfBU5HQ6IsoHJ2WeNLF4bnd/qthy/qtlbeqrhPC6h6
   nCEALq1hiYMqT0Ydv6U86fXu+nG+GZgf+l8Vl98hhcwJErevsuIwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAhpgwI1cnPotx9KvqcZS0mQl1
   3xkhoArwNvQ/Nv7J9vh0+eeo1AjvC35wOwmzlT+8eoFNjdxVcab/KssfM1Mtf2x6
   m2iM9ReNrTCVHXxWhjvqwGIHPTvhFfdlI9cwuMis9+PaU87fjrOCLLrEijZ1x0Ia
   DPhJdrOVe88xtrf7e45JuLRJPchcjavdPW7ip661mbVTWPEXW7eJk2OBENEoEi0S
   hU68if0w8bagImEKJOyvoFI3WxjcBMBulAnOKY17foyTxPKBDZmX2FzQ3de7ZmoH
   HHlNV+qPLMMn1stiExGftWAZ66ld+oCMU8YIaN+Mgn/Yj2CT9R4nzCDgUM39xzCC
   Gv4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEFlhhAGXoQFFBU0VQo5Y/UyAghrQ
   /LkVplLBhjWKm2DFogyc3/xl0LWqqWgOWrpFuST/KCrWlVgMJ7lEoFaMOZ2jrX4K
   2JwnspyqbuKU5Ng/he+vMsgHM2toGSaZmPa+KmyoYlnyTNKdDx9Tnx2Ey54UGl9y
   DGvSVWzmJ3Wi4G4rc4TMeHHfbHLR3a7bcNT1Sb9+X6IPW3qPAplqrwmpRLWwO9Fy
   GXayWTOyw+HVshCBJz/rPziePAJp74mI8+xaZNSfN7O17F6eAXO/vgwkilOrtnm1
   0krF2W+wsClWDaJDZQUTXeGWirhdiHSWhrJ+RRaQFBCC8kXT2J6HyPVwrpMKR4JP
   H+SpePyK+Hf2HcTwMFwiiatmxZ/gDnG59TCtYatlrAYOIEkXNayfbAOTpRogqNE1
   36ruGUw53TuvLx6xlXYlnnDjSaAFZxN6dPEQNmcW/p3HQFjKJnSQJ6L4pIluSe4H
   3eiY8bpCW7AkgldmG0qRyBYbPHXHwk5GbUq2FIVUtiAYZCaeP9kcvjh7KasV4Fup
   eFeAtB7Qy+L6gKMD+sQ173rGihy3RFwe8Wqhki5vYXrcUdlEF11DnTtXem9L8bsK
   YX17pQyWJqH0gvIoMJLrMWcRhpVHsg+zLDo3yoqDdEm6hP5LtBzA3rlvd6DQUfMf
   dACsi80tYH8vnAOJ/BO89yP3VU5E/hFF59AfzD8rkkECjeiDxsyqzKeIxLj8O1kD
   t4pn0Eeg19dAJYZmeY3lZ8i48ELRDE5IJEhfE7QzagG7Qkd0xvg5QJM/43qm0sQZ
   2w6QBnBpm9SdrHCT2N/SQhZsvGl1ah4McdNdyRC9VtuKFIGxU0DMd5qVuRZCp6dq
   ORWhw8b8egfN4D/TUOoiNVNx0//s26h+G2jZgvC7XSAgmKyF3Ivh07OPqtyz124z
   sqt/ee4rRpIi1KWLrZiHwAuZbVIEmSazCmgX39q0BvaORTXjKFpaCkxCIPhMV7L+
   Qq6y3LtVxWHtIyyfoQNTti+OwSiH12eTU0oraWpgCxI/IF4U9dInnN/xP8yyetdT
   x2uG9+hIVfO0zvay0sCNMWPN4pyG7OigfqAeCkwzjFjV7/kwwe6vlEh1mwvDqZ4R



Gillmor, et al.         Expires 28 November 2021              [Page 142]


Internet-Draft          Header Protection S/MIME                May 2021


   NcmjdHSU2tsCd4IhXkmcP77UUbGp6UtheNxbeAUTsQtMDcgLJYitRV2ndVOxSmQc
   UD5KzymuUI8Wg2us2wSB8PZBBDii0gjEBJmReQwHwGMMkcBHm3zxDU/Onr0DwcZv
   lDmqgx9Zpf8yLSaA6WDqIT/SU/dar2gF0N0Tvmx0gFiR93eaS1Dntxkb1CiGG8t1
   5sKwJ8HYNf+4Dey1e72vsVNo1WPxZHBH8BAXzRkXD1r8YiztX5XJhIHO5PIqApse
   q/zLbjkN59G/t++Bc0eg3KoBJvaF9JSw9Pm9ta9gq37AG44PcTXctwK4rtv0yyQg
   D2cUKwIWVNrUei6cqSRmnG7o83EmG6y+0730a8g7OEpksZ9TM2pHGwTI/+CW8Cf1
   o2UXIE7HBbjFMjYEYXGG9629kjE51Ez0ChSfg5xF6ZyDUI35YY7mltwJ3f0SYQgG
   wWpE2a0uIxSaG3bIkbwcwThBlbpuO2w1nlqNndglQVxaaBO2wO66zIuIYqzeCe/3
   zHEE0DOq5XL+eCIRt8G3cT5eYcKCafyPkrQagGlFDIPis76awxukHBpKGpn38RQ+
   quvARDsEjo/iKRl0ZFICCIQbs2Cx0TuO1luhYMjfa3//y8X9p9ZBGRzuxvBu2eXm
   SsWfUSYjMw4bra1Jmcf6dqebJDVQ4NQs43n0k8kPRUb4qxlfkIJpFcbpmb8UabiT
   BZzzjm1gDwhd6nkq8NhOzoDmZKnDw48feY+NnLpltXMjqMugOa7KLGmNPvc4rFq1
   TW5SD3Yp+wH1sdAq46Je4WLRtYvb87fRPz/0fXIl8up+VVMFQIL8BBRhNOEYOcQu
   Eg8xGm3sTf8jxZP+8Nbfibwr9Q/3aFV+fj7AJQ3RDDgm9neVpOqwNQ28OtrFswlB
   GW5V2kjy3U5LrrvKMiMuVQ3Xk2TQgZZ1IsIir7i6NCLa0vzJY8QzgWNMqmIGLHZg
   KUTMrg1yhwbJFaaO6eM99zS2Wrf48KXmRPUk0clq9UyTfXcZsC3zTv7hILo8Jyes
   ASV789kpxXyMvNyBcIcOSL1NLUeb6sdIZUMi1aR42ryELCbM3q9RLzVrvr5sRV23
   fwKRLZNwUaAK20Ex4l714A4tN8hKQnqT/KBEUV0FQzxY8o7zfwXpBCV4AYCybvPl
   EVsHUGB137G/3p+mFfzlfEsJSrqIEIMSIRNIccmRJGNpmI+OwXNda04sWLc2gWYm
   gdJR9WLH+Jb0nhAzrVBJgj2VgYBuMi3LRQ1YT1stq0LASfAoarg5c7Y8rH19qVuZ
   AeiOrJ8xQHPoYcLxWT5magiXtxWXDARA9H1uq6eqhTDHNHYC7HIP5yoN8w195XV/
   OZ95+LVH+7CYCljUjBzOoetB8WdEfa7qAsjL6qhUIhzHo/VlRkbKBSj0h2nmH77Q
   JjhOW+FbSiB6IoNlIUCb8kyQ9xWMEhLgdlcm5ZvEnFoKJZAUmQXq63MdqlwYIR8D
   WCy2f7KLP9Po3UFuOrVbpjqmNWO4o/Pe584gam+uX6gfMVSM2cdAfkV2YWCmgTwq
   RdQZ0x3E2oJZnnjUgLx6KHndgYRU1KMd30z+cgao+4U4bHfZSjKQtnmeQ4+jNtFq
   OCTO+fLfS0j3wlXG7NBXDdibeS5ZPJ+KzumFR7txFAueKMbt4UA+YvlOD12N6kl2
   SrtREk02JRWbn/YTtSSJT2MIGrg9c+HFMr0ik7THx0bZlCQNrsoqm6jZ+NVyaPvd
   EdzXXaMupFomKXiMJTeXXDnQGtlaUn3jBzn9Olugy1P4Xz7gwFiZfN0ph0NqjDIw
   u6j6I/FPvJXK/TLCrf6+iOmXawf5BQBVxzAfS4Msbqo4NH7Trg8Gc6v1p0GB1NOD
   efJABG61HExQ7JVQ9K/b7DECuQPqUcLW6nhFP2sjWF034ICebBN/pt2+tY/eaaau
   9RGPcKMVkkWuTIFHn9Lk7Sqw492Flh9bV1HEN+UBahcW0rKFlrZkUJqtGGiCcsMO
   bICmiqLQiWoSYsPB5pT3VFPu3R49T///Xfe8HZHz1ZpVpfcobDemuM9wZGNOej0i
   08cEX/hLuANdCdiRsK4rWs8gB7u4mvGqM2ZUxC+QGkp4Ao7OucZ4h/V67MHdOTHW
   VUHrp689r3G9NnLrUrux33R1VZtMMSwIeMeP7I7jm8eOiBSLfHOUkptF1NFAtlGM
   +JJvS3aAey2rLNGLw4/SoYUCnRgiguHvlD/fNljIeMx6pGIW3RlK8OtR+CXKwtm4
   2Zfdj/mDLv8A4owJuDPT9aA6dzWOHE0a+8G2Fn6Hn5jdGmmI+d0sBE473AzbFUYa
   W29iA0+AWS/9hnB8M06m/w0G0Cgqr1+OQz+1KJ+6QRDuVJXcXN1FqsIZowQ56/O1
   try8d/dcNetdckBHQuLY1FjY6xC6EJCsJQFeYI/a9g2IIAH2CGJVm9rNxzsCrloo
   XTUQk/rvIs9NENlhOPlJsjB639OcJ3GLcLdcABPfSWsj7dzBjqdZngyktA9k+rbg
   TXVM389FjhIuCOIgHeD94pPpeMmul+yc1CnqxK7DoiRqwgJAoY4CXVjIae8Z/Z4G
   S/R2VtmTRLj21UtRGDfpp8uYehNjYnkBbS1yt5/2mNSnsq/Q8gRFhikWX6t1m8Y5
   v4QKafDWWQBqU3xF9MurToO43+6UMIrvuKO/1cJle+g/q5PQg3/Cnx0oDRJdnmMD
   mvHGMts0C436RZCCtz1xZdYM79O6fmfDM1cmjM0gAqeatX8ez7wdvhrHm6pipDdW
   AzsPfNG0+Tfke7IzSAPmFyxuffmMqBx0BzzqIUdni0wXOivPy/Vlt9rTX0EPr3Ck
   e4VtrzExz1Axc8lN90/bGf0d8P3iNQDbgAkQHURlxfOvJslOs6tK3U09/36shqQk
   0x2j0isAmQXHZLUCxrnfUVWsPJ8iMBxDPlsV2ee3M3YcGu5XXJZYCXl+XJgbUWcI
   M3Gussx0MfwwjxLUT5K4c3j9HB2zYPORfRUvZOpcUME3iEXAo4s3pRqLynbRoYTJ
   LYzSOPb3ifcKQBDzUyATi3MgHSZWJ0F0FCyyZnkGaN3mbuc/bcPhx2/3578iHJ8o



Gillmor, et al.         Expires 28 November 2021              [Page 143]


Internet-Draft          Header Protection S/MIME                May 2021


   hKOxesF+l0rpS9VurYe2rgxOY1KCYxcqF/OeoUfaFvtv/Wqi6vr4DFXoUSj1H5Bs
   uQ6BXb+Zheul5qnx2JhpuYN2iGYDWk28rQN2K/JmFQzNAItKIDZG3/1XEaRb1xkT
   ZK42IXCuE178R1/j2T8usGivOqmTMsIRrvEFQJzBJBuOAwcyBcnhRfqa2jJSBKNn
   99vDNOhWfQBRvDMSZfHrK/Tu1ra674y7vSb0/Rk9ygjUAi+rV4C2hM2F7wZ4adyt
   ejdZM2iBgNgCuLFd5GnOwbALqZgxD2Ym4pes3OfexsmQqmHRKAQ+l3zhJfOKhUYx
   9VORuUUDacAv9Ho9StvkBq6T01xfqyAVHhr63QXGj5I3s66Aa2+tiIcMItEuPrKp
   Rb40WXQUdUMYy3LwoJqGjdzZPL5Ea3R7LM4KFZRqhyqG72WndyLxvANb42QWADFk
   4KPYY6K3CNhPP1Kfpa0FlTsirv2nxkaUWNqm7oqFOhoDBBj+ISP72PDEEGju0mZF
   ndEKOcx7oI1HZdS9FgAyE061liam/bPl8DLWi/57/nbNxKfK5WEMLHLEpFs6IBKy
   HxpXO5cl9vA2Dt9X8UVfFuEcZd8ATe7+KjUD6y8Lx50Q/I88kBPRzZS3nhY/ozvA
   SXZ+Zxqi4W9hYzHLOC3XOX/nXwW/ygzr0BkysxFRZ4L2qo192+1RkjmSirJttZCc
   l7McK7jLAWIPlNoKJzVghZK67VVLY0jHM6apcLl5AVoG97ljCxWUIveqyitPcvAV
   nMpBbEIbS4zGEnR4GByckP2yqV2RkeqVpEFQzud9HUmwon5UqYiFQX/XsuWorY1L
   2FHsc1NtbBPzv5SRBsoy1vTQIZw3ULSURd4rfU/F2gUllz8zzvAY/qkkQiO16eh2
   6EBLOyc2R8gMVDyAmF4W898+bWqAZlrivmR6Uj316tofX+4fbil7e/V6iZtM9+OO
   voOp9bktOUMLPMTQSOSVVOVoBA1LxE/4lUyeivyRPhqlk5Z1RWgoCrXOxdqsG4BX
   ltGUl78UiN/kwmcd6m3ZClbqPEZF5QzB+6RkMMPaEd6UkqzE0FRfTYtHMDs0xOvR
   aDBCjIaQRjPy8lXY2NEjBfNnBPlhuoIae9y+5ThWiGUU9RAXJlisfUeUgQw73nd1
   VPjg0iKbVIuOSaeCHnYjEwHkvc1KY/J62vZvDrHfSk06z8i07+0IGDsPK/bvpsjw
   W6ElsSPlnjVpXTfML36aN+u3dYNjlfW9aX1Mqqc/+WNl/PcukeMbYv7EJLkeqHSK
   dJk5cD70xn6lgEe+wQcmbvAWZ3TJmCxLJoWlyisUWr8m1OeVlT6w4Ar4ddQZ7tfU
   96WIRJmKYJFRpfqcHiwAJP6QgAoRZmM1jFyT9BOPxydJtmfxRXDecv1S7D11oLlw
   16eOZEVfgFB+OuDrHaK5iXSMe7vXiqOnuLMxHgAXgulZD0iPZL+nkUT63hM7uDvM
   h0YKbNE63mRBmjXApCgBl6tB1K8yj9PNBHh9C6i3SznAa+YTJb7BxGCqPSkjTTfz
   fxkvCymv5VxD0xRz73f0CAy3bqqaq2jQYdPrNI42JPoBKgjWeYoBSbj/mGxRX6Ls
   I6jX9uEmY2h7wqn/sY2vPx9Pj2p/cmmmR4r+inEw6J0O6M5gDFh27ssY8vpMN3vY
   Mws5ZwqJSBdF8gGHHcqAzfed0yCaevOVIqdOyyb+dtg68aC55PKV1PGky0KdHa6H
   ERNAq5xVStPLvtr4dotA414f4/WRQg2l+AuxVGDUICxaRh5oSPkXWQMYAwy7oKoa
   4I1UzRKe93tiGH2NNZXKDEyesYk9rxIO2fqz6ON8M04Oed6V1LqkJdSmLz3CqZCf
   TZFXuLgLMZFNkknmXzoaOwwDsmO0fPBmzuoiXCUOzOjGNtC2kVmPC/bX+EZu+GPw
   IbOdskU1U4+kVNP0uhE9lvOEwwEbkqpvxhUL18N72XLkhJj36BrUq+WbMYyraFgF
   hEyEctugebCv19CaCS1nx0A+SCfAF3q2D3oTwjQXAHnbuQhAggTTc0GsWDnre+Oa
   eXHIAPbTBEsPk0ti7t3l4hGapCmfzw1PEMxPHJLoIBriL5+ctj5Om0tdpKYHGm4b
   dJvP65UE6JRY9PTuC+/lTRii0GLp/QDd4IAuThgSbXCfMxmIoPP6cMboGm64BKoc
   Dn//tXU1OYSntM65z9kzuRTca+FA8biAkUG1OBQq/HempIF/l/uroL5mMNgD8HBf
   7T4UGrtArL1OG+GPhNnXiL1lunnMsgAKXb00SlbTCtiG8JrC6uFmCYB2r6Ih7GIQ
   EQWK6vxW3RGLanVtlpQTEdlYC6TSsA7fThk6xOvvacHJc35wyogStNIT1BS1xnvV
   rUnuTSlDvLCnrBAuJMMLOoG8m9POcbR2v3Wd0g/BkAXEZndsxX+jwfT18haQJQqr
   Ii53EgmJEzN+dkhs8rYZple9zhRfnIntwvKB4wvFu3HgKD8a4oFEF/OCNVbCG8Eo
   fNuJ77xRVzNNytWMN/BSdgq9MH0P9puEpDPYyeaFOZQcCqZCRSL/dSgyRWeqgppd
   xyjjTXvucoR2c2pDLeI2MUrT3Qa2QBhHOlgVLDFWD/kespr8jkbYl9cM1nnJXWgM
   TYNSn+AIvLnjPyRDSsJL5BWeh3UkRxvnYMaDL0SqEZe27fFIlLMEXPKkBisggpeM
   gz3Ju/0B0Ot/ZlfqnrwEaS8WGTx/yxAwf/l1jfyvyHzoXt56fAEdq7115OMO2zLu
   W/X/Ry5bv5Wl3I+a8PNC0TyOGS2A+U2C9OEZP1woCAj7DdmXdyetKRWkcABk+R8e
   KRBnIZBYY9ufMcOeKlArf2S4x+CfuXtZdJL0tU8/JvDNYTeJLPPSmOQq+IwO5uS6
   VQ1DD1yK8V5ynKOdqcVrP2TFCYX1TIQXnS3tk6L25l87Pt2PJBgjpr/LrX41qSdM
   KfUIMAHKxA9IxDzfSxnhJ3K3l0kwYR5NNGpIR3KF8iMaVM12hfzPHuhGqGmRWz8z
   ahPKQ87SDi55gUFgEyv7xKdyKKkMGShADfuS8orLlXaxOtmFKrf71HOGbWlCF/VN



Gillmor, et al.         Expires 28 November 2021              [Page 144]


Internet-Draft          Header Protection S/MIME                May 2021


   wPbDc48mSPEciIHRdAS2+tvHJ1HjrEOAqNrdyOrsZz3/PcpMSbU3BhkPG//1yl7B
   XJ4eBEiHp+IoSkH0Li/trO9ea/Eq1s/8yvJLU9I2mELlFCASJBh9W7jc6tdVzxdw
   PVpXm/zDLyqsnDkCP4zvb/l6h7IWNBSlsjbIMzz/VZi4EN1zAINFovRikvdUxzcM
   QWXjLmXT19X28iV8nuLZjueceeydvjpP5Qacj7WB6TEVHbR2dvMvuColYATbZ5IP
   NDUyvEXlgI2L0fiVZpjO3zyB+cykMUHe2SACwaiLnS6m2xl7lP1SMl/Ivmjrz9Uo
   B0laA6uv30t11YX/FtOfCayEnX0MXKn0QxTIWDkVIqykzbl7fnli7sipcxyrYKjL
   vuUoTs01FIZLiiR5f98FSh9VgRcaURa7bM4RlpSVrIkxDxj1uQkjFTW/fm6EmYxZ
   U9uXCQMILgp2exD6qY9UTgTS50ZYTsGuzHUMShpvy089IAWafd7MrClWAAgJ9TEA
   2OTmeW0CUhpsuU7SRk3L5khrRDYUhj0gLHxjEPpBnk9iIeXDOYPTsEix2aOXQAOz
   sMxfuPy0BLk+b0AHmp/JvreYA/3Fe1OjNIDHXSYJBowUwrqnJMC2BQ1ZA6q40hWB
   /a7K5uBNRB4wTUVXXgXTjRM31F+qjYfYGf6Gcw0PVlgpWCNnUwN89omFEON3Iydu
   7m/40WGHkRvY5DO6PEyR38hVnnlcmxMAI/BT3GopBxQSdEpym2uagH6UeaIvFkUM
   pnzwM/XvkQJqy6uVjiVLwADPRuxk49k0FTNKY1XPAC1TVMbg5JIn3lvA8MTZonAT
   hMX+GjVBx7oHgtF3g7MEjdoW4evc+HieF4JmN3Efij5+HWv0Olo8kR4G+leYrSXG
   qk9Smld4N+UX4X9PonDtC2hxUs8ojV2dblyqGWgl0VrBQhIWAnn3e76A1km2fqEX
   HrqPRGdkt+QcP0BFP3dec7/YITy6Zy4PodRCDBwf+IVgK6Rm9y/bgJFuYIdODnOp
   wpzoP4qSK9pS58RuBKZ0iAV4za1UJ9QxaPc1nkc6DnqeOufHz6WR/7IjS94paerY
   XsC7ly0HnwcwL53zhKGjsv48WdWwXFca2b4gAVuC4HWNFaQkYPUtFcC8Ahmj/Mec
   L/TmVjEKU9IfStmwvzylTvHhnbT3udRVKXPKmPUyImaQyNU/1qzvdomRbhSJTDRo
   b66S3GBWcFTLdLt1lfZlQTWgvQyu4thaxtWQTtGMX5YoOLFsmDVahsZjoqikKvbX
   CJ0YhvEqJEL4+sfSXMRHqtZbOjO4o18I+wRKp0xq3yzM2rzFWsoTAwryoBHxzLvR
   q0LdDURt5qXmNDx5+GDiaK85QZ3KyKvhKkd1Bqn/GP87dAc4kk3T8fgTEnh3TOXq
   9ie1lpOQsUgrg6ad7jDku5N54QLEoJbKtw++9HtQhpjNWemYMnR+WK3Rh6ZGjij0
   hulTG4WkDkLQJBf94j+F0e0AwAGPfR150U1w3fehnCMW6qdV3TQ2YqZ6aL0XoonH
   5q37KcgoJk636h+qXkOKikxVCnwCvMcnaF+ZQE6IwmgiV8TUYVVbSCrtL0Dk+5W9
   T+ZGROgZe6Ro2g1rKYVGU/D/MpqYJodUNII9AOloc2eWXuIXdGd8CcJADmDJP6z5
   bMoGLXudivQpm0hGScHvg0s7A5KUuSGYGJb3eGuKh1GARjkxW/pMbSwpMmob5oMR
   UCEA91EKlSWVsYT8utyarh+MHyzSruV2+6qC2n/WVUTQ4moeDRWWDaDiiu/TjVIU
   WkscDMV9SU2BaXDlYG/ING15oGkjo/xFxXIF5/eFFXUo8PQNbI6iI/WVsuQGHBMQ
   5RYRifuLhgL2N55990m3oajpGCQW/NODMbfK2aJqvcNsgs/5+hmuQBMPN/sbr/C5

A.3.22.  S/MIME encrypted and signed reply over a complex message,
         Wrapped Message with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:










Gillmor, et al.         Expires 28 November 2021              [Page 145]


Internet-Draft          Header Protection S/MIME                May 2021


   └─╴application/pkcs7-mime [smime.p7m] 9730 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6192 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 1956 bytes
      └┬╴multipart/mixed 1892 bytes
       ├┬╴multipart/alternative 1126 bytes
       │├─╴text/plain 379 bytes
       │└─╴text/html 463 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <95b9bb39-c028-5ff4-99b1-f179cb5d7585@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:17:02 -0500

   MIIcDAYJKoZIhvcNAQcDoIIb/TCCG/kCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBABemnHHf75QhIl2ZGjel+3wmhpKAG/LVZP+0
   rQgw6ZvFFxGLNvTompRv0NrYzBGh7tJR3lr721cWSQKzBKtnpAind4NjL3EAO/bX
   4hICimMlE3HWS5LqmGefPGd8vhuxP9eAjXGh+RaGp9YJEQOCptHAEeHHYnGV0gOb
   3dQEJY3PAcn1JhIX0gPGIbPmjbqCgRbC49F2zWBJvipWADfQ0CE4H0icrG/GoBo3
   KbeAMTV5CRmyzb2dbHdJq3MqM8cZ6WfoeeJKeYSekwe1p/KjbqXhqtnWL3KB10Cg
   y9Mzr9Pn/HOeXgB2utuszGfi8n83rihuQBpuWTKPCgdnrGoYaXkwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAPRgN6kAFQanQSKXPQSUt2zjy
   aTK9dJDqvQrMrgWz6QjVGxn4hAPnZHoEYhW1RAZ/q9XkAV5UQb3U5fgZ9IkRwTy+
   V2Gu2Z4AWIAsWx0kRkYxcu/h2JlYjOgaJmKDwTFzkg1SrgKgre7OvivKmGfrxl58
   D6IWTY+8lTkTSwPMFIeyv6is+IPsGwdz9O+vYPxxaap0sGOCtYKAqwkqRyYaOHH/
   zM2/OyFQ70e/SleSGmndLkodcDQV70VJeznDoJ+c55sJ73aujN1YN8GWL94ZnMx0
   lKKCeOG3/gQ8jBoDMdGZBIJm9y/1ITfYskE+SFesVMJbcXGT6il9105lrRLhDzCC
   GN4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEELPsK65V7wIe15uJa7OWzeAghiw
   mRkClkXZhb1LxibsQotZWBEOBE72+pz9l3DXSIkD5Dvd0r0Jc21r4p3Z/PxxX6f2
   fMSxjP/an/OcfPq19DGzbLon4NThL64YLmAjAWYeoP22DJZNGirpvUXDyMdqR0u1
   egDe78jmp08JMy0F3p8v++lkQhOu9WZeg5JZ9yJB9x2BJwnve3r03X2ixRQCPQDc
   S9UCcBXV9zIpRjseHhe8yhLimaIqcI8Ug7yqY2gM85ETfzHFX/KFALO/hQuZJo6t
   kmHxfsJ7WvowszS4n1Rt776ooXRW7iwWH9xdi3NIGFilJLsbRAzR9g7Kg1V/I5d6
   Nh2G+fD0akyrytsW/lKg8jw0Mqja/f0UFEvTVGTN6D4Yd/I8c7W3CtQke99QM8gB
   N1A9KOexpivBPZaxb4MG9Y7UHo0l131XIQxvbBlUB2/eK77PVKJq96NXusHZbzEe
   qmGM0/GAEccBQI10JHP/i/ozD1icRENY+v9iNJjBHIfLQuyQlxqM++FeJoCU2c0e



Gillmor, et al.         Expires 28 November 2021              [Page 146]


Internet-Draft          Header Protection S/MIME                May 2021


   ZsgVGlTvjl8C4XCtfh+9MxlWdpldoaTNvpsmX6r43N/TF2GaEyHU9O//bDpCr+Ck
   G0NI88+I1oJj+e5t7HNJt10BCZCZ8NkYmE0cwmieBWzIBHB2bp9h6g/nzgpVU1bP
   37++dp5EOFf92RBfL4/wEXoeKs+iA7BpJbWXF6AytE+FpcH1K42V3+p1CBlkfiJ+
   KaXR+EqmztZUBgUfJgB0HioauckrGHuSL8Pb+36j2f16yHsMCvOemme+gMtm2Vbu
   YnHvx39UkvFMjIm5DHhDe2IMo898rc5wvri64HkOltEwgJWS7zNCU3FINVy0otUe
   yYRaGD8vP+QWxEnVV7T9t9gIoPKdiMUXmzE7GdB0NgSew1PgTYeKp7JD5xR7Di7l
   5G8Sia5KxFHMTiqFQEHIQfRCd5ka0pSREu24A1oqhH5AERlJQlIKYzH5yzur8jUp
   RYprPX0VJ7A8TWfcpETQkJaH9n4iz6uv3AzXqziQiSYj9OqRN649iuIWALNaVsGA
   xEVOgem8cBkx3TYOFyFTcrbCgiQsUHmr+CoemXL2lGZzYpeMCtcfl8J922n66XA6
   tc8hLQ2zv8T63MkXGTLUvVKb3gDDHfs6q0Yy7ZUyk4ULUsVne4bAhDSuC5LdGjuR
   A/8V+tpElFfC+WcmgkNpfriJWAobaQajXyKfmpJCpn8NSX7UDy0+3Gqc4SLN3rU9
   NfiwB9me6rZOe3SJ+8gQUvtJ/r8pEE3lfSWDxkiLIcuHmSLCAtJvOxoHUXy2WhFL
   gHPvj2AncfDF0Uz1WAL++mZ5o4eazqFUf3znZJka4XHa8ge/5NsfF8kGp4Imw2IL
   BNSa5p9GJMvMMMH9by5idjxhzwGSEmWpXgO10DatC0rAjrwNb4MbW8w5L/jHe616
   qnKFAn07LGQBxRLmymUBTfkDGQzgK9ioV/z6A8aQqPyFmWwCGr+AyUwkb9RCpdoL
   B+nhHWFuwdoH4q/J8YP5AxKWudtipj0s45ABs9OWRnWsmeGlR8Ont4NuZJOdpzAB
   fSNl0PXJP/bJFfDmqsRt4kzp71nSK8IW6Zda/NlLlua6BBhBUUkYtW040/b2miT8
   iZU7+k4GN/Apg94Wq09JNtUltma+NZ7+Sp0gRp21OTxW7pbaibpxqRv+YvouNjuu
   f7+oDSRzjNSVinMbngLjNMXonk/dxyFVpnTLCqItkgGEgFSq/90lgpWPi5BU/sXG
   jjkIcXyPn6nmpzCHz8izZyPLO6j3H2fcoyijuiVeTQ8pf0CshykSbZNI5yfpEgwv
   U4ZDdQFih9VfM318ILVh++BIXu4qNq8YSUaMF+TbjKZY85ls8i4x4E9UbQvG6KDS
   gh6G1yBmBetkNO+JQSo3v4JraMTsfqlngVXsSs7MnWgDAPpmQbSqFWouXGF0K/cb
   ZM3uc1nU19EersOpH+0d9dmYNUIXzRbN6op1prxbeY0A/Wfac6XtGjmn3s6kcVKN
   BkrG5eZmX/bv0YNkirtILqRyLg1b6/cCUHMBWPzQHvqrsRYCJia2pU1pBahP4fFd
   ubUwBL+Y163DF79VxGZIyCCLT3/6mlJIK9hzxGPpua9RPpRDPYRWgjI9lKnUHNTh
   SfO0dKNfflVJ+RFHdTuQKzRrpVjmVgU8nIJ5OAqY1GLzkL85oS9aAgVz5Dz/Ub6Y
   RYMyoreYicvlFJmg3+Xz4TQ78TUfDODIxXvajAr2nvrGNDKd/1zs+UK9cD+RyqBw
   pyj8oswX3mfxUxDD51CY6eu2uA2XkKyDqB9+9o2qMpAzn/sKpb8Gufs9+w/h3fYq
   wN438dwrgm3QmrbnnKd5DIiGN73R/sfbU+jPdBPt1+mbEcSuQfOpn248l1XXfkC+
   AqgOQt/g+zVzEarovYShdrzisNOGWiL03B8I3FjMPORuDOL97ocFjEzODi9qB4A0
   JxNkOWVZSKqlgdAPsnMFV6VJsUzY4n5UU70CO07YaYhUcTNDflyTogDLXdZTZ+XA
   seYTmasKA4AjEi1ryHc0xakiCwXnTREDoteMB0PdsYfETV4epJ1Ulp4Dvuyu1jst
   LW/z32sLvxI4Vf+0+zhdoSsVZbLccdRrGpZEswWl6jGigJnfzHmv/49VRbHk+4Pn
   34xgC6w/oCKHHT4nMxZb9ZVBOONWmPu+pJsv+6oR/AEup4RPFRttX4Su8WoKV5h1
   FLex6YsmBt8Z4EWUiJ1MXOJ7mLsPg15+unnWWrka83zLgjYKa47PKmQtXRgY3AO0
   NnwuF4h3tCmR+1bYmQAwdJhph7ZMS7H2yEBFEDDj7ZWZMinYn7uWLYRHx8hQJTWj
   bxg6I/4HYqav5AvpaDw+4boD1vHkIQiWZcDCKbalHSrUkkwPwAfRcaEFFtVaHrTI
   Og1NXqKY82hT6wuaEZ1FM++S8ggsOzphHGHzfYa3od1VNFKDY7tmBdZR1UEiYFJu
   vuqYfrR3HnaUXhJ9f6yNalXHluAOSRpkCd8mU6xNcZ6WFjRvtR/wnIUbCHRMB9qu
   NkRzDtXFxpzOc/OM1huFXkvkchS998RqIiRBzbQn3IJnuqcS42SadtmzVPVFcWYQ
   B/XQAEQOqxbBRnxGuTIQO66lQexPgZSdDWOYBt0iwgzvNo2jhw1sEAAgre12U0lX
   dt1D0NX+ng4MSmm94NQpOUyVubUx2gOdktIeCptoZ/JVZ+52Pu/3pEi96QW58iGY
   yQVrTTxMNHCa7y8EDgwhJCTF3p/+OBQvy2WeAxbuT7eJM8XNAeYl2h16qc9R2BLK
   JB9N5n+tP1BOeVabmdYDFK9dxuR5OdiPe6p+5Oemjqduphq+THutCTMQLiMdbw9p
   80t79H8ghZa6Bfp4MiWAZR9jGT0Zwti3eC9hsXAA2YHvwPjO2WGQTxVxRe4Tt0Ma
   g4FQ8dlj+WhiNS9Trc6hHy5iyaKf6n/ElVbhzykB+6GVMvu59gsgh8nVlERNc0te
   V8Kge5H+nrflBVaXUc9kZDWcoawn0T78dZ9rdZYhE92mtWsmcqHJzKX/w2q0ysP6
   cC5Gr6raTsQRI6YM7jMgQP2RDCqWO6FNZ2oEjkR29Z2ILJ3I8O5wyHzjc4wLIIIh



Gillmor, et al.         Expires 28 November 2021              [Page 147]


Internet-Draft          Header Protection S/MIME                May 2021


   +g8oEfuQBDoJDKEGA9oP/KwO3QdwCiL/splag+lFAnQ7ZY/8V6/ODPHZe11dX3Zm
   52H1sFC2kjZi5jrrmAXEYfgrQz/9StGReHiB6xTnt9qNe5hzkhutkU5LCdMch8nh
   2MrEghbmoCyDnMOGTIIs1MshNYR0N4akI23TtSjbxxc6tQO9KjUWGc4qBYBJMs4W
   iyCYwDVIuO9W/wtEh7uHvFwiiUL4+wfVv/mxwdSCIl4iRxBbPWgcvLobNqE6Ik5w
   kFPsfZ8Slba4EkRlgfjK1c2o3c1khnFVJaHCbc1mKSGOO6y2WKasLYczbfyfqv/G
   vmVmF2SNmun6N2n/R6Zv8eGmFKC7tPx75tMva6+33+uRc2kBva8kd8pvd7pFHZCN
   81P1jf7+Bz9zV1t9sal3NPwtST3CSlRr6fSEYKGF1Uc8K35ex4AOlAxAIGn4PvxN
   8stHYQ/rs/LuxYw3AtFOGBNALeivYyjv7h5c5SMH5xgIUD7OD7WAJkSI9EAsxKSw
   c8FZieyl7HSGzY3Zw9UuYU5CEbkLznkQCwbsG+g4IU7dIGko6tZNDl3TbCG7E1mG
   UzcAfLlF/lC/fdVJCgseGDLiBGkXu/CsN7iS+qvRKOBflryc2fYnwzc60FI7T9H6
   Rn1wpjWzX5FaXu4MPnMl1QmK+rk9R0xkGoYalw8PJ2hWPQYbui4igEjzIj8fjWn3
   L2X5+Xh+utJJjqwnDZWPCgOVJe8ALGXcBm42K+YZpSSbh6urdfpN2U2cZIOUHHbG
   +7FYUD/BbHZKEc4RhZ0PDI62jm7XmK39RgFWkFNEJx7NR2AqMcrzabBn6ThywOmO
   XukMU0t+IODdxCkv+Eur3zD6Ckfp7nVI47jXuV+7lRThbgtf/vBsiVEgY9UsRXIp
   KXR+BqXZKU6eXtVdE9mFntfpJgzY/gUGVUAC0FnkPCGGZ7nJxwBiefjogTdmwumr
   OpMhPLemmKcyw4lhoDmEpfw6PC8V7Jf6mXvk7y/YBI3jhd93d4MWGrYo6sfk40aN
   ipOogZChn1vVF/m9dhJCpWwYAHAWL6hs9aBMPgAyX1Se4yoryvpwCICQqTDE3sIR
   FwSiM0FTJg/b3kNXbqDL2y/F+MD7GAj8wkTAfzdz5cF0zDwGEYI8VSd/Fuo/8iID
   LMERjH7EBIzrDRbDN7y/hNaYW0f2IH0T8U+IsWMrE6L0M9GrVrla8+5AqBfFQNeB
   0W3hiJVKBuWEAj4GMEbe4ui5brMgNMQ8gmsFSSChpsI8DDOuDsXT7PdBpTGluPR6
   RFXW5Wg3NAVjB5R+oTTEDiERj7H4mQQBkQY6aYsjKgiqUoh0KMvggBfQlSMhoXPp
   akeggomPbrjWDTZB7oIxb7+5uIJ/E8QpV1RSpIM+lkcEKwOd52pNGmFdYam9f0uB
   E8fDDmgEqLaxpH5pT9EHCK93SvSGpgknz9NjU7mo4BwF36FW2fQ98MmnqCTppcOP
   HMEh0PPuwbIPwMNXYJgtxIXVVOXHcpXPZ8Ma0AXkm+GbQ/bJ8DNwhCjym3lvnHid
   c8zhr2OqPyyobkxgqqDmXd/6j4ktgbE6Mj5BhGXUlhPJvaM3SMYSK7glVMzJt6/0
   l1P8Jj36d3Xuc7Q1f8DYQbug/t2+EUyaEFFAMHdhRBT7UVARIlpsLgOEIHQhgYAp
   jbB7ifMNNwzy0Av4Ljw8blaTXOAiA9XXbXxUA9cWTehM+q4aNwpC62qpIYfDsiQE
   1PylVVLaXp9dvgVoUx79PSYL+IK0oJVBd/8TC+vxrbE4oMJvivfKpRjvb0Gs+df9
   pGwAyquOK0Mca/VhDTj4iz/wRfVN/XyxlYrIqL2SNDvZOK4XK1yoM4Hpl7VR0fwS
   tsVxDUoufFGcOGWdcxa4G2xFQE9J8PI4zt05aTPVU9blGobxY2h3RK1ckPueqzcN
   YUIaBCLZv1tWXaq15r09dvH/77Ft2cij1UiWoSJqCsUpGqaupjYxm53Ccd6GcbFC
   26NoeKqn65VNLhBo+fEiN66igZhLaARY8pqqs9vFJPFXiz9iWQskIXul7B7dy5oP
   +ZZmb570ZWUWyCX95um4m3h+OpjjzaKL3NGiYSIZG6xmJipZEFBj0Pz7oSVbeG4M
   JmjpQoLAyFuyRjjDw0khwxWfURov9+vWTTzCriLC82Y3bZ+yMsLQzSVRe573LgWP
   IHBWKHQCzAUO6OtKVhk8kzOav4cxUqjt2Z7iBTLmOAnBgNQQ1GBSr1WPddryXjTt
   8px6zLd61sG1ki/4Wms+C02hZVc/p7RpK1C5SrsI18TvIk9Bkhcg1G3lwRSsdRkq
   +mVXfiszPZL1zUJebHljoGK+uU3l9MsLC5rBQ81WvCr+M6ggZE2ep+fZTs8TAgPg
   YpfohgibWutxc1bkDOCL51nO6IbN4DS5Y2/VenQ6EivFGLsnB0B8hJ8lAAQ3WyJJ
   6GbRxlkkOhYYLTBl+DOaVc6/+ncmBQVoKeV4ATm1GDybxnNvPXGTGx+zom7EVIrO
   btfAlEE7Yp+Q+roXlXhZIiS/W0virxKQxFKthhhzGR4jbR4Hy9HKeQGeJnk/7plG
   9RauFd/iHdYQk4paXxMEyKPEj5/JMNhcY08i8Yzn8wUnHMgRzSN+hJ83XBODW4fN
   Kg5TXhAzWy8hX5t0xPU/xzyzwj+TGGbJd+7dkv+9GTJ65MZG1VVHRpiEBEFj9Vxi
   c3xTrice9/QULNIHR+o4beT8j2SnWY2UpyhYL+Rbo+7nRy2n4o9PKjzMYWVS6tNV
   biFel47a+ulvyTi751Vhd9xV+VdjO1IEMHbzN1T+5KyXOvZBfx4eqkdsZ2Hj/5Gt
   3pFODRzhz9H25rePaGZEba6vQe/lKsnba+2WCH2NGXToa4i/CHWIvUMyVM67AwT4
   wVoIePNZcFI24Pnmp/8ACtumdCgTSD8pfFc/mh1Ysq5gU1tRLTODTaYv/9poAVOy
   G2EiikP8TST553FyQesWtlkOcUvZyvGHhECjsixSYJ+8lrFGd/3SuaXP053Iwavz
   KswYHRp5ykstVEbkLCBUh4pBvKUCr+lzY3EYbcV6IenO31PFHwbgWwoV+5Savazt



Gillmor, et al.         Expires 28 November 2021              [Page 148]


Internet-Draft          Header Protection S/MIME                May 2021


   f4oYeWzl9fyzY7ek15NqVpKIo6Hi/SkZ93ZDf6IjcN7fBot9uZFQZ9IJ/jva/r/x
   9O3e787qED29fhcqQbP5mYtvnUTEgYXriffbqPnrY31e4UMO4XuncNoXBnO1uDKd
   EQCyYo7Qu3HvxE1aS1H2jx6wliBzBhIv0QTSlkSjY8KuO1Y4zYfdo89GcpEcAUWW
   5Wz8i2jtKqHpochDl4qnRKIcu/N5ped7HZ2jtoxR0erZkrfokujVj6qx/Mzpj/ta
   XF2wNkSwJSMyeluo8Vagsk3a/aNDwwN2UAb4S+H23mVWFb1LmlK14CSSOiRLBbxr
   72b5u34wsMuaRjs9sy4YTA13PBpRga4vLyQ4dBntDj4mp4w0iLXS22xx1u9y/FGK
   WWKDS0MTmTubwZ9RB766/e4EYc2KeGMq6ytTC1GkBSDTLzMGoJXvMaoeVcaDzclV
   w6NCA712RkT29BI81vNW8M5d01Xp9LyVz/HJbP+Ku9EjdUX1DHiv3nUSvEtRKYaD
   ayDvY9avOqX2x0VVx8i1sSx00ramjBfX+H3raR4zIdHYdEylEQNaVuukLQweTbuc
   48BJi4WGzYmrNDhZ98qxQIJJOU3ENFZ2Nd6dCPGwsoiRZG8B/oLZCwbduEdyUhVf
   574qupgra4B7oKrXn2bBb6GCufPrDkqcyYpq580mMuCfio1yajem0ozLFSm4xjMy
   dYKR/FTb60MfAM1iDPTCDhUtg3NsxjbXlaxFjoipdaFT928fR3sbi80CklUxt/JP
   1hyM/aOI0d9eFpiAJvaz0QPpqCrR8V1c8+edYxhymI4uY9ZFzTA66wgYOr50r/gm
   OQDYGfPdIsst89dimu4VsjOQCCwH8KSLL9xdxp1vLsbFMWBxCNh+Wso/HLEhwrrN
   nd52fJCIqLKknBEH3wNPWsadrsPyJ+gzhEmF5Bcl9zhiiloGnCFZ6H4Vl20dO0du
   K9MXE4g5lJUAWEGCLU0VZRL05PmPDWu7nRk/00Up5f3acJ3OhhuBoNMCF1hYlDd0
   r7xKN+8PYIGuMAlo6FtLtHQQ3OMAMspIE0yvpQy4z8DFHF7Qg1OJe4iC1GS3LHcu
   8twH8qh3nAtD1RrUcTzBtxFhN+MuM7W6KHNN3PX0M6ZaKmK85kbmjQwyW4PKL++O
   bfB+XK5qKwwLFmhVt8hGp8h/ZNjn2rS0JrNHWc+4vGmgVLjoiGtYz21WpQmDy69z
   mmU5qH8GnHbw7bhKwCFIVBd4FHS4DCSNVDqpxD/hI4k9mlRyIquhSacoWk6J3rH0
   ntIkWuAsjw4v8+arLCCXfutBqMYLrKtFlOED/6OidqsFRtCH83DsgivRTvwBw3G5
   ogcNF91U+tf7VN8ij3t11LhGaXIGdXUzb659IiSVCAmqzojCLBPmEPQOgeWnC8WY
   TkJnfZ7E01g3WkOiTheVE7sCVGy2oGQ8HzvzH+AVv4lNi55IxPVWVgLEFwbQhRvM
   MeRPidNChc78jREtwyVJPsxKm46gyN/eYquZG4cMnMbM+IzMid4tESznXMmiJJww
   cZi/nN7mSSD/M64BqvsiZ1L81JdDQQxHvHJrTlWH2R9nozsGkSzr8IpbSienRF/F
   iX7pNZXAq/L3mPo/4iC3XUPEPluweAVJfoa/irEZA1tu8eKFqIqQt0kGsFYO9Yf4
   LCXtun62PTxnZ8b9NfqdzWYR3lsJE494Hq8PwMChPCE+YxtVjJI5Wtx9A59otG2S
   FhjPjS2KIEp6rONnbasJnAfb9JGqAd9l+yofLqbajiU=

A.3.23.  S/MIME encrypted and signed reply over a complex message,
         Injected Headers with hcp_strong

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:












Gillmor, et al.         Expires 28 November 2021              [Page 149]


Internet-Draft          Header Protection S/MIME                May 2021


   └─╴application/pkcs7-mime [smime.p7m] 9775 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6222 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1924 bytes
      ├┬╴multipart/alternative 1130 bytes
      │├─╴text/plain 391 bytes
      │└─╴text/html 472 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <23abef5f-8781-5c95-a46c-61e3a4464d58@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:18:02 -0500

   MIIcLAYJKoZIhvcNAQcDoIIcHTCCHBkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAGgB6GKG3BktdYx9b26f98xIYUpPO5jQYr8y
   mu3jMU7EN5GwAY0Ip8BEEtWVO4kkV3HQXLjPR9kQ+v82Lsj0MX6+ByE29ESGUDhu
   xH5X4grXCpBo7QCwHRP3vMrvz2rnUwT3qmP+15eIT/mpSlCSn0nVe0yY9/awCKEY
   FmhxSOz8c7ZOeJnKwD7Dcen+TGr48KGfjykISEpESzDQRkMxRHgysV3/LtVP4Z85
   5GMCQWcWhCsG3gjYWv8qsinz5dzgsCvNdyOrK+q/PwTtAaoGZigwl7Jp4qzp0Jfk
   KdovaPtczTI3cboPx4J9SOlkuYOoXHTvs8TVhXehUejBEpRXnFwwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEADPLALl6xgtRSO6KJPbXlmwZQ
   rDBh5k3KXiAfi100Q23nJ0d1cwaDu0zASg/Gfsl2zg5PbVesXD2KiIQrHxnGQniD
   6kXIvExpulKzi+JVIWUHDsqAiX0rXWC+pqu4Xasq9vnDFiahZfjv432Nfu7ntbR9
   InqjlWZHCnm6Cx5luBIqBjyI7X2ScuUS5IxwS7x5NPmo5zvOEAiAqFwn1+sQvnLB
   1IfVpAJzRlWOQ90wRxHOJ1TdCKUPBKz4DjNPZ5QkKoyrcZL1NRmZhc1zYaO6/WkE
   fKcHP9whDZMI6xKPVXopLdoG69yridXDfJ9/cqPHZvnOQ6C9FnDFb7UAOqodpzCC
   GP4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEOtLatHfIQxoAtToDlaMkYqAghjQ
   vboyJHrq47OmceZe8qUJUTMbh4n9X3Xm6okY6K1/HEL9ocSqD+YLGlbuJ5LLqkCb
   6okCbGytW+zDCBPmxbvXbNfCPVDeq9S82586o+ZkJWSKk62Nvvr69nIOjsL8i1jM
   A6gmqLvYBlyzPX7ZJpaqPSG/MTBaErO5iawYfcMNw1eMcmOWK7JKypzAMuYInsyL
   BCGP47SR3MOtq3Qhyj5dvUNCNhl5oVdI0iWJdwVHVPyGdtMZZcTrZI65+hrvfcJV
   Kz+Js6If3tQUGXtcoHCpERiT1UwQXJgjuGOlYdMfpGGRdz2ysKclBfoOjnxJ5W73
   7uBt+1Gp70CnII+OnwqBLFpPlb+VyKv2QovMlyDMtc1YGHbZR4EkWgqmfa6j728t
   BhqDt85tMy7wVc83rrDfcz4xnlwBFjG8rzoZvldmBCDxW39oeMLnosnPaXltFP+v
   hunoJtQi+rtocaoMOC83Um4OXmNvhpIMQ39WbYGEeJ3riQFQbvhkNr3iMHUo6yt5
   SK8U0LJAd2eUjPATP9fR94bIp9I1JaVB2Sv2BDcPeggly+GI5bFlR7FEO+AtMw+2



Gillmor, et al.         Expires 28 November 2021              [Page 150]


Internet-Draft          Header Protection S/MIME                May 2021


   nFjFf1oFgW3gYg9z+NEepQtMfIo3IrZGup68T0XuxvObSnUMx5vdjaIkILUxukwU
   AtxxNzwbX6J2Hu0P808wz0i5IwfMONZGE9Df5g9d3OF3RbM7oDzOAvkljMTYC61C
   FqkoFmsaiQIDihugvYjOcQBfFzCU51Uw8e3L0nkeJbCK6Mh7mPRop6MmBHPW6dLO
   twq/HLZCx0ShnjfVshxS2dyxSJuFrsrqhM95RuOWEFn9Jb+ww3eZBw4FRyYsTXda
   V37J1UpU5EFWjFaZe6h/fLZLm578XhVt/YuutPgNoI/nzAl6zf8MmSIAMLsY9aWh
   0+0TBltpZe3Iucqiio5QHpAzeXSkgEnc4M9lorjhc0q0EPTJ4DyWN/P6L7DuDhMX
   zHua2+LB7Jk3MDljYcZLwRcTWACnzhxk23ie27s6lr4AQMNqtJ2McH5I+LDaV/4B
   o7v7z3e1ytN+lu0kD/LcnobD0vPCC/kNdzybZrdK1QmXf1B5g8bKtn9U1r4hylhr
   q/5knv4BOoq0LO6ZrJF4SLR7V7yc5vlwPnde6S97l+0rWCKNYdQo71S9oQ8Ng+LE
   FF2+qgTPFrxieYkjfcg4ufwvobr+d/a34cXCFtkRzzdRZtHezc5SET28L8QMUKQ0
   Dzu9jNc4CVpwZcZJCt2piSNUP2ZtG5Aw6TJoU0j03RgsRjYZRRK/J38EnfWQFDQM
   NVgM/W9t5eglXpW+5lfvbOwGdkF/MSwsxUFMdGkTedteqMlhEZ7gYKKRyeYgTlHu
   wXnWR9F13+ia7i0mlhW37dTjzRgFqFgOkWcZaLGHtTA0//duQNRCbtpqpaXsPBRS
   LB7fLc8FtcG2j32tDLJ196R6U0cl3/4f+ReLxt7SHl+UA62IhnljYjC5BHQClMZ2
   FOD9J3zM/TIwhDgGd7giwr8E6CcgzEfhR89m+atgRGkKO2P4KMZ+jsDZHm57RIP0
   SbeCDIHU/12syY9XWVkqpQ+RxFuqOg1ifw7w8OtS16NXIB+hvc/ods33JdaKPmhL
   0xHMYOG49VaXxBNZKMUV3lhbH9qTOujjvq5Wv/Pn3VX2Ikb9on1iLhGNnWB/7wj4
   y+5kyQYWEWJLEgIHNMOYRkz4ZNO67JJzUJXOa3FEDUHaX/LGb5BGxzSStP5+gdbC
   bZauUhSd56GP/DG9hkJBkCaSoh9ucrwRTy4KA5Hq9HW9hbF3bK0O1GuxGXME0ATn
   MBN7QGvv1rEsIq2It+P7SJ8lOYXd5JKqhOA4l/pXeMkMJd85fIH7/tA1vmmaiRp4
   89fTehgfU/hFs7ZoUMKyRMoYwCxSBNPFKQ/pQ7oKQlFSFMhzSZOzXU0galm0JGWl
   wWx2zVYmMWt6CsDUDlPxRJF1stohJhCqAVaiWf0ryH6wpyisOkqEiSc8haCbZoaE
   n7CklIz3SX/Y3YcdGa1kLdBNiTTeQgaDp2fCjubN/XgAiNN+0cSXyrXS0WyXux1Z
   vk26ZFeM+IUrlTpqZSLqmQQThHPmScIYN8Az/tTHkGPqWhl7GnMXrLtzGN7SPCs/
   AzAULXxJuf7WysusSsZ6V6KBF42ommqNIC/3IBuDRZRSblG1LUOV3LcvCj8q1mSp
   kdZz0O6G/gcWvPwFBY+xNfjAmAVLbOOK7szIjoZOL39aFlaqkLAzvBKpZSs2cRdC
   qhHhqV4by9F1FTNoKi6+X6ahWpgtzrT0Q67StiCX0yKxHxXau/GAoyt55fGG6dHM
   gFM5n54FlJqUKk+SugjX8zjs1VlBA87Qd6hZ5zpi9iQPZT7OxraZFJ7usdgnt4w4
   P8oCyLsT0OP/TJ5uyyOm20oPiNy/MO5svThrp3Sj2hze3QtVyehi+GdC2QtsGgtL
   p8yk5Am+hpvUj4Ui50sO104C1eNvFCu0CtiBjiGAXVa5v6jxCauIv0b5br82rDTC
   QdU4NQrFD+7940k+Zl0vnQrO0nZtXzbglMute1QB0RhFx+e9SFlXqXwuFichOREb
   Hhkf29fn2lCjqPsvamhIADTDHWMMpvB1mp7ra03vRNTDaiPDGAIxs2hbKWUNZ3qY
   rgnNdjqCWoXw1cJEgPIVhZF88/eRRaHg+4bUQ/1pdhUt1nrgUESxek4Km7FJkJkl
   zm24dCn/QvpIP36geABxN3PMcu5qUCrWn/kDwaK28VftOdRuArsIslNMqvpCMKJU
   c51NYTnPC6zFZv7Jcuv4Udnxlt5Txx1i5FhWeH2BemDiTGtKXYhfpN2WQmLKG4R2
   5UUH97g4/ccyPFTdTo8Vt3flD4o6j1bx46rKbIVLrCGAnDkvyYcNcdV8lGSbzMXr
   h9/uax1DQ5U/yJAz7EpCDR3V4kqdGyf0wN4Hu/U7kufOSgEZSAfmMM4Zt9uOtfK9
   gen3dxOg9syJuFf72gEqzQSB7eTPhmNZq5Fz1LTSa1JShZ50GYBuF4g2DCtt3RsZ
   PQzFCx+0H1EtS2LWwIGyqrVliN5sgXqXNZ9jvxV+oxuNJ9tLqJmP6rPsuwnuWNqC
   N6lr2LLq/DNI/KuJQvjB8c9z/znftdv7b4hBVEp9Avu44fhDAuku+tRhTCyrfFYk
   cdJPY4gLrADre17btiR2V2v/MlJ5mlZlZxQlWsCcxn6ZlRRqoBUi2bVq8ZoM3YSu
   FzCnqtx6nGQLhIbzQSlpt14dJVjslhKRTXV8JgmcBNXGsJXO6CyZsl1pOQSonWuU
   u19s0K++2XliTOeRL+0mNjI8n/Urz8gUyNrLGDOOP7/Ad1Hl29J98m/JwO6YgT/8
   WzbLdZhBtKLsa1XRJZsaClJSVSU3KLOHG66+nRxvjWGqjRdo29OqEWTLm5LN42wg
   +18plDsVOGE/k/GYQG/1CUajmY5uQe2GxFa3MHEYQuutoJzf9zd2fwgi2awktZCS
   X/L7nQ465BX/5/a1w49QGLIgdxCs7aZDluH24w/nKQilDFmcu32Zk7E1raivt1T/
   R0UvQY31YXX8FOPKdqrkmYVup+Jm/HcUMTUFfeox/U1Mp/5hpQCQPLJtqsiFz8d3
   UtEhsDAWhyT+qvmRWWaaZqLxB8U+I413kqPvbzi+eT/7hW3uWHJHQENILOE52Gzo



Gillmor, et al.         Expires 28 November 2021              [Page 151]


Internet-Draft          Header Protection S/MIME                May 2021


   vTnIqg0aDcVlW7c7LRDxgNyBbmhfstoE4edSLucbgFNDK+MnLCu5CFhKTcFnncXb
   k4eCuMhXg6C8t+ync2+EFLGwFci333MMLRxDu5hWvFHBKOWHZlwdATg6Rk+Y8GrH
   8w1DDRvFU883fcdTEnzs9EzAjSQQljinQ5bZrG4z/f4E6qYM6Wx5V74dSbt3UY5W
   ytC0sBSSQuwCaT9RWFgQg/NSI11hSw0UpzaLBdx6o7UNZf86eLZ2dQOUpT5dtt9w
   dggL1xWPwEimCFdAVIakcKQgkZzPpd3ZBNFNEnN6hvmc4exXJJSr06HEdl4MwxYd
   7kBB8EXsx07J8YWThRUKydVvgmZI9beQAnLomg1HdkUYZ9AtLNOceTTOF2k2KN5u
   qbuHfVlJs8Re8z0G2IX4piN2LiNugTXhrhNMDRlHkg8TIlYJVD8r9wldWDvCvhCK
   +vAFJXtYG4w0jJDQwLpYWJhP40O4OS7CO1m8X+SpF5KHsUbHXiImHX2j2QfBlMJi
   ZOMZS4q6c0BI9/atOx9Vc+aPqqw3MPSQPmOJcXGsZqcn2nRvmmouVZhejm7FUq9l
   OqbwzgMV2VPiZZcwNt0BSweQmD3uEf0Dxx5yoK8h23DhhYnqIyF4lFvTa5ZMunqj
   8cdbo9W5XhSK3XfLi3LFSLASSZxNoPXYLPsRy1If3NPrMH78uvPvFv7PFE/bUy76
   UnsJDhbCq/vIXlthN9fBsrlgc0/n8j3Zr9cuVnyQ/SIkumPbNdlN5cnoLNXJxqUX
   DRw7CVz3EHt/oGO+ZUw2oT7TBfYRzNorbRPaPG7KPm8s31/FKD3FDXJVCoe5uuqT
   sIlMtDmCizdddEX+GL8nWvR45zNZN9LwfpkATiBm/T2fbbLXJDWHpMY68VRBN+tr
   BXgDwBQPFjezurdjg2zNd3oYqMQSi8TZVcEl4l2fI5nW9h9+C+z8pZJ4LO1+rnGy
   JKigIYJ7XSyU2yruJmGm8E3gq1nfCp0xHiEYI+w/ihtWHtBKDraKKc2W3SQsV54K
   cQ7mwmjYy6fROLRfJvMQus6BmR0p8itSLMwJwRH7PlBKZHHw/zwAWlCSKz4yURk2
   PICcVErMcXGBrvFFhTZ2syLuMFwgQ+wL1mF43D0byWTq9IFPvkfuv8CLwuN2oh4/
   LU1eQmQGGYvKXlyeJOGxaltAj3h5/aBGLgRekQUDnYxqPUQWO4O4OnB8ZCotxOFG
   RXLoH+tCMjDZx+cdqoEk1OtJLvu1iSY93qSccN+kBRjwXMeCWpHJPFCdO+IXpV9a
   d/JwtIqbHRUqrNc2SGOKB4FwhisJOEdc1gfVQGmK267Hr9tLmA4A3AzvMdFV+3b3
   +zLamYS34bxF8MJ5Jc1YTN2pFLbzRbnSrwSwL78AK3kGC1+bfp7UJySeL25HOo+n
   2vikgi67xoEiXadTCL/3zfzlpnSK9gk1nuzDIROAUNXsbuNDnHi7YML9wRhbtuPS
   aNhb5ySowG4b+2y78p3Xag3OWhn+Kr5zdvo+V519f184cL9zHs/sna4QZPLo1JRI
   8h/BkZT22D7sSEw5zAaq3BZexJEbRnc6H+9xCmeS9HYsFHTunuLU6DviMX3SqNuf
   SddFF9lvdqL8MbYmJOwL4U8V8+f8cjjtEPK6jIRvlcM04eVfoUX4qfhmQO0wUKrT
   VOSegJhywPhN2vI98u5oTi/DDIY7oxg99c+BVGo75Z6RbicnrDH+R/CqMr8XUbod
   Ehg65XJUmgKdI6KJhV164dwArPVdjLtQhaM8vEn7GmxNfy0QnAa8AwQEJ2O8VSf8
   0W9d9FH2pNdmYLifp73MOauTe4/U8nGLcydoNQfD1d8aZVsH2ISevmoTTqbeFa4I
   4l1ldSHN8KXFYsd0yGfJ0m3uJmiZ16dzydARi272Xv7crs9MODe6hv4LZEPpUWlI
   DeAOqmsuXU9VASfWw/31kppojLc0aW4UijZR+5Xqac7DLoFW6ufll3cbje9TT6fj
   sUTp8v9aaj/SvVY8nLvyNx9CG82UmaBdZbxQfyU73t/D1a6xa3Q1bsbtDIMyilnw
   ZwzlNHOnDewl8HdaYxpPFHF6TfcV5Y0vVxBYWYjeZ0M8qNOoJmHRnq3MXTsaLXph
   6PlNkiVojCH6Ior1phf+PNP5YDohod7oD+9XP+aVRY4sC+9cLjIfNQ1GDz9gczhn
   dICiefRTWf7LxFg0qr2snwSTWfqXJwLE39hSYHFz9O7rkfeiQjnHWuXmHoLPFW7c
   Yub2CPqdpnndpREzbyUuyxr3opHbZVNyDKFUWkT3sk2T459phaIqJW7aqjML5Jd5
   +l6ABe6W85seCLT+KX7urHrcRVpp7smcK7TuusUN5SBgty2v1dySrsOHOfjr0ruH
   N8sKn0cONU437UF7m7zNNY3KlTOhap9RAfhrPhVgVNDvsTcpRN+i56smOhH/l2VQ
   gZqwa8wz68jgNK/OsfC1nonpeIAA5HUIwwflnZmh7K60QeJaNoizoil6iUmbUNzY
   BrvKrB6Jv5gIS/eYat5RMG83dbjWg/ZsKT5dKqsAyK9FGtwuvR6woG99CUU2SCFr
   IbiqTDdg2myr0t6NDZ7Gm+a/WMrEO40z0cI5wbMOTACb3ahp6+woeM/Q0B79h8q8
   NaEN3+ic3Ewb7aoZK3mKnuZMRIGa72fzl2Wi/2soh/sKlFmcPnBIYgPJI2k3iA3Z
   fzOvwMgnRNc8E/IJkW5Sy6x2hMTUAyxlDaQ9Qtie16n/PBfL6k4bOe4uGyMjEU5J
   BShNoZE52sPdju0JSo8nB+lgGsrcH5VP1gC3b6CMGWl8KjFYL/LoB9fQOQ7YLeGY
   tiu2lgGPFpFF+WBTEsrPfkkx9kSWH4rn4HuwO3ZpiifvA9SovEyRG5pKD5iPVKgL
   cMtgzAoC4eBWRcQGjO1/9ASSw4osCP0UbjzRFa6AnWuI6r8aBKvbAsFjrnS3Oe/F
   LTXsVSLHt/7bBaAbBTuMtEi+DiSI6qqa4ECvwzZlLt1m2OpfiZsQnQm0Rr5Cw2Ob
   PrJODZ1Mdcsil1wqQ8C+/cByHvoy8UTXNoQ3eBiBEcsWVjAAue/OVltk5EilvOlL



Gillmor, et al.         Expires 28 November 2021              [Page 152]


Internet-Draft          Header Protection S/MIME                May 2021


   U83Y4YMvE9sU+sPjyk0Gf9H58myEGYe3ZQClRYh0ZhBOlaxV6JM8NxwZYxL8yxjH
   qwglYfwJT0z5yMwZNZ2BoS0lQi22mpnGb5RpzhMYaB9olbluh0agYXq5qawkqdLo
   Y4I0ABTvcl0i/fgkQpmfeaqROJfKamJXw/gAsHnRyE+PsBOZ2alRqqke9nppP00V
   VEWg04UH9+Wq3/JocxQDwM3WdlGiVq58dGeovLLp96qH0ZncDZMuS/VRfbNKt/yX
   DnpPTmg92qmy25NfM0jJm2TU/Wjl3bEtniJ53e/pGrlslIvPi6jlMslDocv0a+dj
   D1tH2RGhyPSGZm0AzEGCq3rImyfFVRVGNFv73nm/9GZa4O2RaKKeH8+ocyadRZDB
   +vbQSRAVggikC6BnCpnpBRnLasxp87mqFcpSHTkyi7b7RBZvyRDIbzrZD1e3Y0+F
   HORdtVtl3B5SWv3LqRaZUg4XIixdGM+XwbO8vyLoURMmsy8dIr4mo++XC9Freohh
   fUDz5RKfkK1s/Bu/9TdJwLTtyPZ33r0bO4mJFzNxleAC2D3prKkf0k2ByYqzKY3V
   gUuHc6OtKgbgcX2gaHESYxgC0iVlOO7ll+txdAa6+BE6QV46NNaeX0CPyKPwgz4E
   pd21Z10844YAF3GhXSydumDXuCaRVwxB9BLHqHm90dING7UbZhKzF8BcIjVQsksL
   ccAD8mWP9MBG3aCywE4rapjPZm3xH+4dv/Vw1FWkeyneTY/nOrgjTtyjiIO8oVSM
   30vCtBUFF7GZZKdmfQ37KSgcgt6TmX6U9cI7lyl/y22xoJHgsB40vRpGHBiWXxP7
   2s2X1lnjSxT0Vv600rcoWT/YKnBfvlzf91thmS48kQ+msFYVOnDa8JUS2NgZuyN5
   tejdY8YGcFoL3PzgL6ryoDFovW3L6lm2CxUnkmEmzLVQdjSr2iJTBJ2DyW5MOOQ+
   X3yIh6fNm4epRPiA+sEnknx0ENRKtO+Cws9pWWU6oIahcZO1mokXAe4xXJtjH533
   tWHtZRw7mS5olUxmq6YbAAIrkc1Wkubl73T+Qppr5i6bU6zxEo7MGglfr/aB3z81
   KN6tX8ECWG4/IAM9fL7jsn4+CKkSW+JbtK9hFubv0IU7zBg4uyLGjggddvSnxMCA
   fcOQYntZaXLmExvuG0W/SLhiG5j9Grxp1ESsloVdQ4o2xOzsW8bRNq6MNss0lFZz
   R/AxVLrepd5uW4wF/wpIYjhS8+72rkEx8e7P+Z7qWLWKpYtdYemoTmQxIHRt9bpX
   TOU7LYJ/mYljf8EPJgsqKRciADk7vhTugpMkkQdHJCdAUbgt9RvZ3RVWLMJ8XzwG
   p0Eyrc8bqjEqa1TD7BXY2NgEBNvSQHCa+nikW1CXhx7p26ERd3sLbgU4Upsir/Sr
   hUt/oRt75UHlBuiHo3hPoKD8BlVbQ3P4unFMkP4E5viJvPIlvpimfU0QbQd1CTGD
   LCiwzxtY5VbUTJh8Bzmsk68W9XYOoFYM86C8eQiwT+iv6SEThhlJ97ZkbIx95jOn
   h1HSVD4BG/VrP1sZHn4LDAoIBugbM5HpwUTVX8UvTkHbqIau4kzadGVHHfyKLw2H
   YfbatQCNwK/lHTMjGdwd76j+jUZ0QfBYD9e2SwhPF2qGok9gx1glZue65xEC8XM2
   hvpBysW+9HrKwp+/SvJc7974MKCcFs76A+Q93/AnXq0lKcYZeDJtBJfjkbqCuvbP
   dTYlFvjuVh2TudqGzxeP9g==

A.3.24.  S/MIME encrypted and signed reply over a complex message,
         Injected Headers with hcp_strong (+ Legacy Display)

   This is a encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:












Gillmor, et al.         Expires 28 November 2021              [Page 153]


Internet-Draft          Header Protection S/MIME                May 2021


   └─╴application/pkcs7-mime [smime.p7m] 10445 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6712 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2269 bytes
      ├─╴text/plain 64 bytes
      └┬╴multipart/mixed 1608 bytes
       ├┬╴multipart/alternative 1202 bytes
       │├─╴text/plain 427 bytes
       │└─╴text/html 508 bytes
       └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <0e210732-9184-5855-9a95-2a635560d3a6@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:19:02 -0500

   MIIeHAYJKoZIhvcNAQcDoIIeDTCCHgkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAA0KmSPng+cWNJVCbPBeSpZbXks3myShz3E0
   bUW2BwUhb1U0UxNgcFJyvDABOeYHXa6U3BHuJC6DwqwlEsFCpsCQuZqrBbsk6PgV
   VRKAltBb8K2+qArXTlSYg14dOhhZy/qBAJmyf6JBkzrTcNmndsZe04WK11b8BfJY
   OR/YT4FczqIXRt1WyqubDsG0WEJk5GnOqqj1nQkVXxHE6EQKPVPvYvEnW8sy+aju
   /x5WsXtiJkZvuVuN5UKoFv0vMsS8MjmHSmeJquJLDgpxzHZA06E9X1+MjCqxorQa
   BDiXq9fr1BVfcV1zmP0jCnEa3zW6F9lCmjdFHdTUd7qtGFdZhqIwggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAAfHEHAfy9YX7TEVdvY8simkh
   Bei9XOrSiZXM4BL69LYDtuWUSahVtQo3mFwtvfqavK5uxP+sIPoevoj75M0cqJML
   lzDsCqECiKY0uEVbXm9hKIBigOFT7hxnEETs3V+RmEoAz5mdL49NJcYyWU4Z++6K
   9B/WKLDAk1Bdfg8PWR7mi7W8q78Y387vn3CXsrqH+LlLDJjqT2xoNMYKtWtwjYQ7
   em70YgIA/R0695lQbowkAY8Rov42cxWUmVeUicU3MmiNOoiBA8EM+1l05kUvI3H3
   tA81AH7lFXuTX2rHrVclfKSLrHjF9VYx06iy93/DG16JnLHv0NpCTu3+avrGuTCC
   Gu4GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEK60EiMA0EoglYVOjIJ5jUiAghrA
   Neb6sKO176aT5ELOauda/XWYUZvn9qoGG9dp6SAaJiS2O8zmEgyZyPhdoSIs7wRx
   d/pP/iNoITUD6tcWewEY1ZoBF8+Ozcinaf3jthQLlrnVf7XOolWTDK/pRjUoFSyV
   KFPx9u1qcWxCs8vlcL1CNR74nySEM4sre3ZxaZrkxA0lLDQKjiOVfWkGLTWJpqNw
   3NuUZel3dCNXZqrLAuGedX3guNXYP/RtAL23lCU5oFSwsc01fsKt73oK+Pvvj7+F
   iRiCPx+9P+1jQPf2cFnpKZObeF5EVMPGf2HwptXnalLVAPzlKX38Hedy4LENKz0i
   nnNm06i5jkCv57B1PaamC1zrCBnAfrT1M3E6MPiC6yRNyPLMAjuyHQfFnF4wJHCQ
   HbkDGEzY6U2hwIgD2DJxGQOGpV4hLj3AX8PXC7PI98XoOLU4BTES+zaCvxCJYWG2



Gillmor, et al.         Expires 28 November 2021              [Page 154]


Internet-Draft          Header Protection S/MIME                May 2021


   +KlzCtDp47xrUYpWMl1i4LVRqKItfyz+oQmShiRr/Ie/0eU1fG04l42IP2kpsB7A
   /jPsqvZUHBlooQnAvpjZocWdQYSznsVCOpu76grXUsaIsb4NAkdYcrDgNwbY6ZdM
   QmqfKU7JWfzXUQn5R8CMC8LNlqAPv4A0q/PecHvPIxjTood0oGAWTYGYmLDSMma/
   sGlrxv767FD8qnwMDNkOedgsP3U0Z+qjvHHg3iVI/kDH5x4WmnUfzpFZgaTu2GBT
   WZJVR3D4reM+7ppqKHL5f7rIlzabUIHbG9Y+VN5UsfO3VVdeMzioix45v5u5C5eQ
   Y6Ce0doonm7JZMn2rpf6VEANXzHBixgjyY9ZgIQXn5sibRV4vD/qqvkKQsdm99qt
   2kXjKb64W0TpPq5mGsouHLrZwLa8uoeJQ10Y8oxmRWcgp66Qp480G2FOeV6J05Ic
   e/6zvsTVIE1/Vjwr4LkKBmh1rxsP0ExTQxCvHsj07qpV50oj5Wn7eaEWUOAXXKWe
   OnpVzB425SxlBSgKhv5Jyfy5+NeLlDUWnm671iCJzKy7rTV9xy3fG3b6u1QzLyFs
   2/Y63S4StzziJbBEF8W9m9z8TQ0cYX90mSAn9922ZbogHzQNKy7glkGcB2htQPjF
   BOKIOFavJqP8GMUByyte2qo9FOve2gt1hNHiT7cIAGjm6/i5Ax4gM/GxoLxkK3Em
   WisjwDbLvUrlYtUJAGZfwC8dsd6i3EWlNkqb4OAlGrl8qa4FsRLuTxU+t7XyAHdl
   qNYE8OusIf391hL3HVJDmF6AgT4fy0NnST1FRcBf5Y6uO8ZIQblSFAVTTm8E2Geq
   vFDzVCIb6OGrlnmhWv0W20FEGBjTFxt3HZBF40E7plESAUbEEzH3IXOdJeqVtOFl
   uSULf6DTzFDI8ulhLLnkhad+XSkNZtAj585s8VwQELTIlNGbuFLvY6eU4irsQ/sW
   3h20gqVsP0m9taF8h8xQ82Cam+Ok9OMPEt0YkZlGOed4x86lG6jraQw6N07qwmhS
   C5n0jDaSAIFlpr0CmBTpgbS3fkt0+ZBO5VKrywl3KM2tUwKTyDovrkxl2WhjK+Mj
   Xji9A7IXzVnn9H3eMcPAewYSbsuflUEpV5Kq9vZhriFMZUeVPDaw+PtD9hBOKckT
   l6g0Zo+XYqeJSzTCVheYp5LCqQOKS93ptpeElKP7M8M6QXvknxcLXWWqrB8aE2q+
   DJqXUdLPUJP0c+H3OFsyV5dLbuJRvVa7cUvH+IY/iwtGwDG44/ZkAveXFDu9rfKT
   YALvpdmGMTWmW03m7f6uxy3condgOdDLlkTzQ2wZu/cdkm+580kL26KmftTVtwCZ
   dqy3nYiw9R/kin8uTj4TrEecIO4l5pcWQ2yfMPVhUHCfrn9JV7eLcvxSaVwl9y12
   DKCNXw4FGiPo+6w0dTIT2axXZDHkxRzmFebYD1hr1UbOCW7CfJdkWjsPyDLkw5MP
   Y1bvtlWAzackfQu417Jng3WgDofQtQibOYxr1wfPnzTfkyp5iggYcIarm4xYqoDg
   +oheuV6feQWDNqq36dB4DKfVgGtUYTxXjBSwdedgzBW7AuwiZSfH7wa/+iphdksJ
   P97BGRPrRoN0zmtDcQFuI91do92A8PnB7+7DNvheFaxCHkEFsPpMX8zON3P7kSQQ
   HvLcbcJBtHlRHGIaRSWYqZujLFE5Ot1COoncNRdGT0rFi1GFGtA9m9sNtfIAecSU
   d/WySb/wCvrewbdxuMh0/j0MVhdv+ip6ev4bDIm52wTxCb80yww7REwtVdSoCaUi
   KDDD+XD49n2pxsa2TTqT+trxobt1JcqsYuBQFb96ygeRkaq/P47NZZ8i6WL9RlkZ
   Z6tD5xrNLOOsw2S624UEvnZ1B+tjS6/js1N4RWRlJqxQ9FH3LhlmPpRj8IvhCdVm
   XM2vh+987iIx6CCkRaVR8YkkpBHTON5DbW48x5NWlynBMQ9eZoPrxTtCG+uHuGz2
   x7VSdnA5jIqDZEukm6WIvW9eGBfoGwMkhOGvsCnyKOG408mH3QQIea6WFw4SDz2K
   uMnNjCDZ9q+w3j9ZFExd55p9UCX4Eak9rHH/xgHfSRdrsC2bT7cfu7lpJhRrzxdj
   rALLXtPkx9hTlVdoRM/ys6uJU2WsnosnJvyxH95LAQSO2QgBA8AxVoxW0LQWULzr
   gOIbUGjhkTdYI8GkBQiKq+dHpeU/ktG//FhffRirsXdVgdgH0l1q/PJFx5JUOZhN
   eHK/wmtr4NyQtvMujRSIyOPcUzLBAixiyFC3XbZEBjRr5xVOK/Pj/EnS32iKEV3H
   VsNr0C2hJmQpp/LszAXttAHBhZHy6UrXAgvYavUuEEGvFTNgk8m01kiDd9HXDJ2E
   vLXcmeE7O/Hv0Ydafv4lzY9xcWR7juMCEmeBOMuHkItOjccPgex2JdQpKE40x+Fr
   DrXezIhXUpuZyUyx+JLfkIX/pJpIMPFai/rbbmNGSxtNOQd/AijcHr1ETwk1qAYY
   CyoG+GGEr/qWYgXl+bhiVIECK/ZVxutzCj8PyqBuhpvMFuWLRRf6mgwoih9dgl1T
   CFUAM64zn2DU6bnRFEc9Yiap/Dj/cS+rkH+YP7gq3j9VfXxdXaap+cdLVR4tiP25
   cwN3SOy9VJznWNgeL8ZwFr82KXzPvyzxQ0pdr3YhrBm7OBEWbyNJICdicKiNI9my
   CSmg4VxkVX3faQ96e2ywYzO6th6ZlSl6/bR40AEQyxA9Cf1UpfkzzL17E1TF+l8b
   t1fZvJZVAbr12cFJAJ8nmXp0hV4NPU9TgdzhiX+7U+SyD6/t3r9l3x82Zf2k1XKA
   6OWk4WBgVFfvVlQeo5rViAd3yCp6SHZTTA8PbYaYEvNptCYAJm/9Zu16j2IS52sS
   7dzQmgkrfKA9hr48zl24wOo0D96iQXbCNwgOSTwBMWJxNhLnPmapMKFBUsaWiTZx
   zWW4D1TYBFJafcMCkO49O7I8CsN8EA98BY4chjTwYBVG/BrUnGGy8w/lSMW2dtKM
   f88mSkaVK7hzfWTXYL/ZH3gSGMuttb/8FFsqG3ctvR4aFc55L4P9cYZy19tSiwAu



Gillmor, et al.         Expires 28 November 2021              [Page 155]


Internet-Draft          Header Protection S/MIME                May 2021


   +28tBzN5cwaMTtFyBjPAzcM3hPidF2eGNd/td7jcs4UkfjLw5c3Fhrys+EbFMFGB
   SGqg0YV1DClFzVOmuCh0Z/ZBigcuCMA9p7y7UuQwQVi452xhykMQZIbj6QWrmOQ3
   wxESQYQomiLon/oOf5KWGCF3CgdG5J4ic80U9WwWxUj/w4d2zXzbON7HGOOuLoTA
   NjbeOPROIXibe37kknekXgH4NZZyhQytOpWbGt423IzF5HYs00nqgUg3xnvAmmBj
   nkm7GMIFUHATKTnTckmmbB/Aoyucwq1fE5vvzrNABTma8tHIQvl4gT0ku6AETU2T
   AqnB25ejz3T1ZoMUshTubcoIOv4dAbyBNPOCUiwOi9O1wyoTt33gy8Iyet0fkYS/
   C6641TjHg6sxPym4tBgi9J3p6vgp1ULPINlv7YMXljvaCG5fJxG4wouP4evt3zwD
   w5ArhYyafGCsBewemFNM2nsnl86lW0HoumNUsnrs2Llu0/qb0qEkDICELYyZuj4y
   6d3cRXv/5C2Gxl1cf4LRhiR7hRtZKFsmd7y2QgsdBrxqxy5n/SDzmT+gGPUp5/hN
   c17wo0l+rdHBDT2p3L7zxepCpyjCvMYOXwwmki7y0Fpo03gp79BBGzo7eZQkWm9e
   wuxjFsPsZRl4x6ZLu9xSrohGDjB3rdd0g9A1Kqx6tlmzdg98msxQVdYZbt/lDl6f
   xbxWiBvIOgI4/tFSmduKhw7tuyrgge053c+KO7XdfVH/1LC84IGQOEjpFGLU4SLf
   BIUp1EZ6l8EdOTKQOkOT8zwi0yVlPELBsy48UxCT0h3Vd02YPIlkaJFnniCyjJx5
   CcH/sLjaotbKc072lfoPtP4XbMnLO08XD8aUjxpg1qam29fAEZwvOlv01wVVD4J8
   nMFKyEbtYV9MtyuXVAKr4Ixw2ns8dMJXmOkfqFWlfJdsABfdd4wtxBQbPSN2R36F
   yYMvPSBUbsfLJkn1klRQbhR1YUSMUjJUEY47e0b8MFUbdHwjUG33Rln0hucvGrhk
   7drbe/YvjRkSGggUdIm3oqnliJApDBc/T5E7B4zYdKGKI+KV5LB/xfFI91628AF0
   UAmPjZNmUT70/YdS7HltLuUJi9QVuvZ0K0sVhsDsnlXG0ZmZ5lqQJW1d4/441QKo
   XBlZBzp9BxTZdbOxggV/ikBGjscrhG/H+i91g67HzYsb4Ag43WEyNGQtSAhQUraM
   BQ6Wc8PoHDDPdydtKA0saujL8+WUUczhtliH00s7vi8He0Hop3g/vnufZYjY2Lzr
   A7uCjBiFwMjKKYQ0D0uECwEoLfp0wn1Jsbrl86dmu2ekckIbdng+G+FUwE2mrMf2
   zfk83YEV2K9bPdHhwvzmHhP+DKzdj5MpMKIbIcMux5jPTS7gfBt0qbxm98+LxKx+
   6oYK0lNTSnPiVW2uaZruebLBk1FTt8WLq9qjYPvxxfdnsGMSxp8CcmWtZxvWbRtC
   ZlyHuN+2E6ZYzJLh4Vpz7FFw5J04KziWN0edvB7AOc8BJylnp77m0aAWEcPMCifB
   wObiwHIIE+UtuSFCb09HdDLXCrc/eojjgUEZ90kibxPAYF/jraiFhAnOKcpunphn
   Xj6Xgjp5gHYvaF9xMHOON+t9v8E+MBbEiW4mNOQhbH0xAKZ8VbjJdIE5m8yDgOtQ
   O6WZLtMZ3yr00ygVK4MFTZW+IHTiuMk+covoZdssEFAauj6+YUyzs1OwdnrwQuv/
   0o2L3LDyfqLmdpjPxaVWtfWjmRkHFxv1/H8Q4CaMxdOVOhh+qn+pvPsA0itAQ40/
   8Gq4CIss7IEN5fZNl1t0z++2xXXAh0VZVkSJv/PKySfiAog/Iy/jmOAzpH2DlVSC
   rtnRcbGOqzlFpsTcfdXieZxGbla5xgfknpCy2af/AUByF0Q6TDS90dEo0WD3xrDz
   F8qcvGXe6rPkO5dHj6HYe5P4vwZgPLrI/OGcNU9ArnNSWX2Ge1oqWkmz3sFaM+jo
   Em7hj82lgzGSBP9lE9AND7y/3WDyRq3TlnGq/hr7hcKW0sxq5icIRXGFcHS3KHM/
   35gTQ443YWCTkuy1pfZdSAe9Ezki/EWB35SaV/4SaPWZVUFa0GxXYwV2m1mmaBvJ
   rMsnwkQuNoDy/5ccMqPmjUMl248Zs9VCNObO36wLYgLNFCp05cnmcl2LRp8pid6W
   h4ChWXdwYOM542N8pxG6kHT9thPblSXkSIDUpkiNMePJS8S88zl6W+D31QAZyVll
   xTXiQJkQ8yIoTPdeIcx/7h7l3KaiThewRFXd/D4BoU5g2maPl8ecBpkdMWPkWuqd
   R78AhYCzcME1VBCx+PB94born54di/MNHY5i8RsvnMndj14DAkzvcCr4E1jvy6fH
   ajQLpkY3N22z+iiE7O6FChU5pk3qCtTRJqEzJKqHd4b7/UtqE2zrScRxCw582PLY
   kggH7GX5n2h2f6ARwtGj52GtFiy4HjPLmvx04V/W2wskHLP3uO0ePMLQKvgFipNV
   tIXvBdyYnYOJLzDtC00WPcYXhO+lakXTl1MkFqzTVSFf+0UfnrDLnPiEp8mSUr7M
   yg+fIrBeUVfFb2O+UES2MqTGcl+nXBbtNsTBQnf46xUN+3afRd5EAWCpeGtDSWRt
   Fa6SH9kOoF6QGSJIIW5NEdyumD199LDOFkw6Sp4ciXZBFEo/diep6mcJQX6AWJEU
   aqX32sSgxXFUrLkkcXxehnrvDsVvw5f8s0ehZnR0IooVdRC6owzXPHQKlww7UrO1
   foWba1f8kfUmAOo6/ghDcTTzQWPcUqvMC/QBvLn9RSHNN6qqJB6hSrjj8zpmT9K2
   LVs10Eo3BOfZn3/rsDyBY4xZZxSsjZlCd6QVi8rJnnf5AJUi18qSIquSeMvKDp1d
   NMRbeyC/8F0yuh3QllV5Wtk+FV2lUnieHxaLhvy7H6wCfJdLRw3hUj8SLwclvcpO
   z6mHIFpjRSZIWprxyx4A+sSWVSlIKKGMySYv7xClj6PkQwZHBOkESithtm4SnIHe
   fYzUylqgQc5k+11Sp6sF/uK/S96wTIc2IffqQBZ3qaoxY944nJL4PnzqU7dQd2Js



Gillmor, et al.         Expires 28 November 2021              [Page 156]


Internet-Draft          Header Protection S/MIME                May 2021


   gP1KqLZlaYgh6fhaV6dmS0NmdsUc4kRUYodbKS2rhexD9c8mpXYbE/P3/wa0tWHc
   PJw/UNgw2oDpbWEQNIWmXPyD8nCIvSTQ3BzXbY7zfmbPRRCd0UdHWQ47RP66ImSN
   ZzA6exAJfR9zyjOYznT6hqfAscsRtYZNyGjAJkUtj3ckNZkDWzlrBnBwMuvLtrr/
   o+eeK+/zD8PF6DGD3iokIerhLIDZMMEf/OW49DlcD7yu3MV2qTFBudL1Ng/uVBjT
   pM0UEGqLkIBh+TP1FAa/fq1mNeV0NEdUieJIvXd+FMgoO/tRK7iBuIc6FuhpSMmX
   zuaA4ctZ3gyP67Asx9q7xUGwZpmjrzD4FRCZeen8NjlS9dYEdUjJ3v8G/kqBQQfc
   4mdSD7u+AuH2Y4WnjJfifJm8NycnjB86kLo5/sbuiqipsvLKmyM0cEDd8SbcPA7r
   GBDsSHt8vC2l8HZHWamIjAxfAb+ggL/RuFoaLNggI738SMBlekZH+dDnLobylpQH
   d2t3VEVqGNuubLagBuad5Xth6N2AJHafnYps79at7rlPH7fl3gf1Vfjrabjv7tAt
   D6uvYJkyg5wdPULGiFZ0Dtql7YRqWujy7AL3fmedeRgukrbsDugA/1r95pNe83JI
   wTiWFj5IVWreCwXhXqPvFynoXqy38Yca+5T+SoXPFmKq178AmIqC0+118L1Jz0GE
   Wh0NC8aQbSsIsDHP5IzVogNOTTtI5/yprHG90z6nuAsLLBWcr6eYfL9/2MuNlPHs
   pUg8MOQuoZRYzvD1RJJd+tY8z+Df4eOSHEptbNmrGgACJaLh88hteJRDmQMP/ep1
   bun7lkK10P3IsadldT7ryEGfV0ZXDLJ9wHf7lQI+kDxZTynmmUgr8AldFDbzOg2K
   /APDjgoK/pErH1d3CQBPniDIRERs0aLK8XjtNB8MtnTVY08QlHiXvDqjmtg01nMs
   C84nqFSDaPvJ0eUv6dbPPQNwnU9uSdLgIB3ZUrLXR1CGGs2OtR10DnwkvbOQr95I
   JTIJfuYp8IGKQvd+F8tXCFDiGQgCw04WTTJfdc4lrc0FDcam7wjYOftu3XhSRYKf
   R1bb1wQQWBxW6eB56/f25/cz91PGpZsWFgPub/Yc1TxZ5oxlxjdiBW1iqT3NidQd
   w7iGIDx+kwd7UGWdIETluUBZMHsPUXXBtrKurqiuH7hQEjAk29sHpk1JQI4J/ZkN
   l1ZSfk4yHwwqt4RzTH8S+umZYtEONKOWoDflx2Xk7m2G1eghOzGYknu1sOMqwMWC
   7zHrKben8nWLAnSxYuWePm9pS0EeXtwCE9oUPcGwoKTq0ubzYpZry884J8uw+e+9
   D9SxrAd4BLjEcQW8gVJhPNnvfdx1iSRwyIk6f+Qy3WQ3d0nF7wwQoRFNpUi+MpSc
   2RMLciHhcroQ0NG71XG7xE+c4o5TQOGXb8leAaGH7G3fEILGOaVnxfYMcumL2xk7
   kfToo/Ubqfgv1weZMzJUZxv2X+HkDBwWGydj75Tq7lVlN+Y2dwtjf9HmrOrTfWZg
   z+jgF+1ufbrGhmsuoP+Zy7nqifF1G6KgABs+9TXWg4rZWxGb6/SJRYu49C5F8EDD
   P4JNm+1ntLqBaRZqbLXQ2zua+nrG0/Ja/JEjdQfRYxQ0t7x5W2PMJvxLFmtCL+AS
   n2Qs0AXcgQbnYRI5KYVKkzJ8PBIP7TegmMhgi+nY9w1KNMbmAiEiYcIgqJ9NUaL2
   by6eQGK/ELXUcA1pAbEYiGnN/uH9ttINrhiOz0Gd8D6MajMmwNqrbERxHYlxkGKf
   j1i76puXo7lTTCak82jvkbTq+T18OLigbyaTLhTBC7nqeN/3BcvJEOzjaGGRuRGA
   9zMXWyB7H03entzGRmSGNexkR94G8b1UbAQN3GRcXRT3hTvd48ksocIeDNYx3HDl
   44t6pExdRBR0YPp+kVXSrph4vdOKYLdh6y019dPy0vw4m5NrDd4uNtUOkWtGMhn2
   wE71YSl3b5vy7wOQaP9Jgps64bhf3iRAr1gSAkoT0rFW0fDJR7VV5rwSRaB/re7y
   dS8ddUx/0qIE+/iddSWKkPZIIDWiCQrcUxQqOjS5fxDnzoaaqll0umEDR1zy9KdX
   5UyWiNctfexihp8WuPGsO5WoqdaVUUHLBaa3ZzIEgbVmXW/OCReAxjIwZpsOUHWI
   PilkacVmrYOp2Msg1Wqw74MekZZxf/v9oAP1kFkA12psIw5fnYXKiejtsrxOvXdI
   0Uc55ruTMaMI/SqihEwu6CRjjSDCr6xaFMlKhsE/xAKiJZH0u80QaTm5yT42Cd47
   2n6rCBQmKBoJBKELW+YzoN7v0Kcf1gogx8OXcA0UzZLx9/JLfaxlfUKt8dx8kPzZ
   UkEdz448mE/V90sUVHGPV1rSOZGSaxe+OKchRRUpYM12xcvldvbDxynLfRI6OUYQ
   OC2cH0uJ4wCTCqlRKVvlpZBYRGmQZzfgtZNuFPXkGMfgJ/nMtKasqPNdqTglFubI
   jyUq8xdFzYuIeydv7m6Tf2jBawV8zHbQ/2ZkLl8WUPU=

Appendix B.  Additional information

B.1.  Stored Variants of Messages with Bcc

   Messages containing at least one recipient address in the Bcc header
   field may appear in up to three different variants:




Gillmor, et al.         Expires 28 November 2021              [Page 157]


Internet-Draft          Header Protection S/MIME                May 2021


   1.  The Message for the recipient addresses listed in To or Cc header
       fields, which must not include the Bcc header field neither for
       signature calculation nor for encryption.

   2.  The Message(s) sent to the recipient addresses in the Bcc header
       field, which depends on the implementation:

       a) One Message for each recipient in the Bcc header field
       separately, with a Bcc header field containing only the address
       of the recipient it is sent to.

       b) The same Message for each recipient in the Bcc header field
       with a Bcc header field containing an indication such as
       "Undisclosed recipients", but no addresses.

       c) The same Message for each recipient in the Bcc header field
       which does not include a Bcc header field (this Message is
       identical to 1. / cf. above).

   3.  The Message stored in the 'Sent'-Folder of the sender, which
       usually contains the Bcc unchanged from the original Message,
       i.e., with all recipient addresses.

   The most privacy preserving method of the alternatives (2a, 2b, and
   2c) is to standardize 2a, as in the other cases (2b and 2c),
   information about hidden recipients is revealed via keys.  In any
   case, the Message has to be cloned and adjusted depending on the
   recipient.

Appendix C.  Text Moved from Above

   Note: Per an explicit request by the chair of the LAMPS WG to only
   present one option for the specification, the following text has been
   stripped from the main body of the draft.  It is preserved in an
   Appendix for the time being and may be moved back to the main body or
   deleted, depending on the decision of the LAMPS WG.

C.1.  MIME Format

   Currently there are two options in discussion:

   1.  The option according to the current S/MIME specification (cf.
       [RFC8551])

   2.  An alternative option that is based on the former "memory hole"
       approach (cf.  [I-D.autocrypt-lamps-protected-headers])





Gillmor, et al.         Expires 28 November 2021              [Page 158]


Internet-Draft          Header Protection S/MIME                May 2021


C.1.1.  S/MIME Specification

   Note: This is currently described in the main part of this document.

C.1.1.1.  Alternative Option Autocrypt "Protected Headers" (Ex-"Memory
          Hole")

   An alternative option (based on the former autocrypt "Memory Hole"
   approach) to be considered, is described in
   [I-D.autocrypt-lamps-protected-headers].

   Unlike the option described in Appendix C.1.1, this option does not
   use a "message/RFC822" wrapper to unambiguously delimit the Inner
   Message.

   Before choosing this option, the following two issues must be
   assessed to ensure no interoperability issues result from it:

   1.  How current MIME parser implementations treat non-MIME Header
       Fields, which are not part of the outermost MIME entity and not
       part of a Message wrapped into a MIME entity of media type
       "message/rfc822", and how such Messages are rendered to the user.

       [I-D.autocrypt-lamps-protected-headers] provides some examples
       for testing this.

   2.  MIME-conformance, i.e. whether or not this option is (fully)
       MIME-conformant [RFC2045] ff., in particular also Section 5.1. of
       [RFC2046] on "Multipart Media Type).  In the following an excerpt
       of paragraphs that may be relevant in this context:

         The only header fields that have defined meaning for body parts
         are those the names of which begin with "Content-".  All other
         header fields may be ignored in body parts.  Although they
         should generally be retained if at all possible, they may be
         discarded by gateways if necessary.  Such other fields are
         permitted to appear in body parts but must not be depended on.
         "X-" fields may be created for experimental or private
         purposes, with the recognition that the information they
         contain may be lost at some gateways.











Gillmor, et al.         Expires 28 November 2021              [Page 159]


Internet-Draft          Header Protection S/MIME                May 2021


         NOTE:  The distinction between an RFC 822 Message and a body
         part is subtle, but important.  A gateway between Internet and
         X.400 mail, for example, must be able to tell the difference
         between a body part that contains an image and a body part
         that contains an encapsulated Message, the body of which is a
         JPEG image.  In order to represent the latter, the body part
         must have "Content-Type: message/rfc822", and its body (after
         the blank line) must be the encapsulated Message, with its own
         "Content-Type: image/jpeg" header field.  The use of similar
         syntax facilitates the conversion of Messages to body parts,
         and vice versa, but the distinction between the two must be
         understood by implementors.  (For the special case in which
         parts actually are Messages, a "digest" subtype is also
         defined.)

   The MIME structure of an Email Message looks as follows:

     <Outer Message Header Section (unprotected)>

     <Outer Message Body (protected)>

       <Inner Message Header Section>

       <Inner Message Body>

   The following example demonstrates how an Original Message might be
   protected, i.e., the Original Message is contained as Inner Message
   in the Protected Body of an Outer Message.  It illustrates the first
   Body part (of the Outer Message) as a "multipart/signed"
   (application/pkcs7-signature) media type:

   Lines are prepended as follows:

   *  "O: " Outer Message Header Section

   *  "I: " Message Header Section















Gillmor, et al.         Expires 28 November 2021              [Page 160]


Internet-Draft          Header Protection S/MIME                May 2021


     O: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
     O: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@m.example.net>
     O: Subject: Meeting at my place
     O: From: "Alexey Melnikov" <alexey.melnikov@example.net>
     O: MIME-Version: 1.0
     O: Content-Type: multipart/signed; charset=us-ascii; micalg=sha1;
     O:  protocol="application/pkcs7-signature";
     O:  boundary=boundary-AM

        This is a multipart message in MIME format.
        --boundary-AM
     I: Date: Mon, 25 Sep 2017 17:31:42 +0100 (GMT Daylight Time)
     I: From: "Alexey Melnikov" <alexey.melnikov@example.net>
     I: Message-ID: <e4a483cb-1dfb-481d-903b-298c92c21f5e@m.example.net>
     I: MIME-Version: 1.0
     I: MMHS-Primary-Precedence: 3
     I: Subject: Meeting at my place
     I: To: somebody@example.net
     I: X-Mailer: Isode Harrier Web Server
     I: Content-Type: text/plain; charset=us-ascii

        This is an important message that I don't want to be modified.

        --boundary-AM
        Content-Transfer-Encoding: base64
        Content-Type: application/pkcs7-signature

        [[base-64 encoded signature]]

        --boundary-AM--

   The Outer Message Header Section is unprotected, while the remainder
   (Outer Message Body) is protected.  The Outer Message Body consists
   of the Inner Message (Header Section and Body).

   The Inner Message Header Section is the same as (or a subset of) the
   Original Message Header Section.

   The Inner Message Body is the same as the Original Message Body.

   The Original Message itself may contain any MIME structure.

C.1.2.  Sending Side

   To ease explanation, the following describes the case where an
   Original (message/rfc822) Message to be protected is present.  If
   this is not the case, Original Message means the (virtual) Message
   that would be constructed for sending it as unprotected email.



Gillmor, et al.         Expires 28 November 2021              [Page 161]


Internet-Draft          Header Protection S/MIME                May 2021


C.1.2.1.  Inner Message Header Fields

   It is RECOMMENDED that the Inner Message contains all Header Fields
   of the Original Message with the exception of the following Header
   Field, which MUST NOT be included within the Inner Message nor within
   any other protected part of the Message:

   *  Bcc

   [[ TODO: Bcc handling needs to be further specified (see also
   Appendix B.1).  Certain MUAs cannot properly decrypt Messages with
   Bcc recipients. ]]

C.1.2.2.  Wrapper

   The wrapper is a simple MIME Header Section followed by an empty line
   preceding the Inner Message (inside the Outer Message Body).  The
   media type of the wrapper MUST be "message/RFC822" and MUST contain
   the Content-Type header field parameter "forwarded=no" as defined in
   [I-D.melnikov-iana-reg-forwarded].  The wrapper unambiguously
   delimits the Inner Message from the rest of the Message.

C.1.2.3.  Cryptographic Layers / Envelope

   [[ TODO: Basically refer to S/MIME standards ]]

C.1.2.4.  Sending Side Message Processing

   For a protected Message the following steps are applied before a
   Message is handed over to the Submission Entity:

C.1.2.4.1.  Step 1: Decide on Protection Level and Information
            Disclosure

   The implementation which applies protection to a Message must decide:

   *  Which Protection Level (signature and/or encryption) shall be
      applied to the Message?  This depends on user request and/or local
      policy as well as availability of cryptographic keys.

   *  Which Header Fields of the Original Message shall be part of the
      Outer Message Header Section?  This typically depends on local
      policy.  By default, the Essential Header Fields are part of the
      Outer Message Header Section; cf. Appendix C.1.2.5.







Gillmor, et al.         Expires 28 November 2021              [Page 162]


Internet-Draft          Header Protection S/MIME                May 2021


   *  Which of these Header Fields are to be obfuscated?  This depends
      on local policy and/or specific Privacy requirements of the user.
      By default only the Subject Header Field is obfuscated; cf.
      Appendix C.1.2.5.

C.1.2.4.2.  Step 2: Compose the Outer Message Header Section

   Depending on the decision in Appendix C.1.2.4.1, the implementation
   shall compose the Outer Message Header Section.  (Note that this also
   includes the necessary MIME Header Section part for the following
   protection layer.)

   Outer Header Fields that are not obfuscated should contain the same
   values as in the Original Message (except for MIME Header
   Section part, which depends on the Protection Level selected in
   Appendix C.1.2.4.1).

C.1.2.4.3.  Step 3: Apply Protection to the Original Message

   Depending on the Protection Level selected in Appendix C.1.2.4.1, the
   implementation applies signature and/or encryption to the Original
   Message, including the wrapper (as per [RFC8551]), and sets the
   resulting package as the Outer Message Body.

   The resulting (Outer) Message is then typically handed over to the
   Submission Entity.

   [[ TODO: Example ]]

C.1.2.5.  Outer Message Header Fields

C.1.2.5.1.  Encrypted Messages

   To maximize Privacy, it is strongly RECOMMENDED to follow the
   principle of Data Minimization (cf.  Section 2.1).

   However, the Outer Message Header Section SHOULD contain the
   Essential Header Fields and, in addition, MUST contain the Header
   Fields of the MIME Header Section part to describe Cryptographic
   Layer of the protected MIME subtree as per [RFC8551].

   The following Header Fields are defined as the Essential Header
   Fields:

   *  From

   *  To (if present in the Original Message)




Gillmor, et al.         Expires 28 November 2021              [Page 163]


Internet-Draft          Header Protection S/MIME                May 2021


   *  Cc (if present in the Original Message)

   *  Bcc (if present in the Original Message, see also Appendix B.1)

   *  Date

   *  Message-ID

   *  Subject

   Further processing by the Submission Entity normally depends on part
   of these Header Fields, e.g.  From and Date HFs are required by
   [RFC5322].  Furthermore, not including certain Header Fields may
   trigger spam detection to flag the Message, and/or lead to user
   experience (UX) issues.

   For further Data Minimization, the value of the Subject Header Field
   SHOULD be obfuscated as follows:

   * Subject: [...]

   and it is RECOMMENDED to replace the Message-ID by a new randomly
   generated Message-ID.

   In addition, the value of other Essential Header Fields MAY be
   obfuscated.

   Non-Essential Header Fields SHOULD be omitted from the Outer Message
   Header Section where possible.  If Non-essential Header Fields are
   included in the Outer Message Header Section, those MAY be obfuscated
   too.

   Header Fields that are not obfuscated should contain the same values
   as in the Original Message.

   If an implementation obfuscates the From, To, and/or Cc Header
   Fields, it may need to provide access to the clear text content of
   these Header Fields to the Submission Entity for processing purposes.
   This is particularly relevant, if proprietary Submission Entities are
   used.  Obfuscation of Header Fields may adversely impact spam
   filtering.

   (A use case for obfuscation of all Outer Message Header Fields is
   routing email through the use of onion routing or mix networks, e.g.
   [pEp.mixnet].)






Gillmor, et al.         Expires 28 November 2021              [Page 164]


Internet-Draft          Header Protection S/MIME                May 2021


   The MIME Header Section part is the collection of MIME Header Fields
   describing the following MIME structure as defined in [RFC2045].  A
   MIME Header Section part typically includes the following Header
   Fields:

   *  Content-Type

   *  Content-Transfer-Encoding

   *  Content-Disposition

   The following example shows the MIME Header Section part of an S/MIME
   signed Message (using application/pkcs7-mime with SignedData):

      MIME-Version: 1.0
      Content-Type: application/pkcs7-mime; smime-type=signed-data;
         name=smime.p7m
      Content-Transfer-Encoding: base64
      Content-Disposition: attachment; filename=smime.p7m

   Depending on the scenario, further Header Fields MAY be exposed in
   the Outer Message Header Section, which is NOT RECOMMENDED unless
   justified.  Such Header Fields may include e.g.:

   *  References

   *  Reply-To

   *  In-Reply-To

C.1.2.5.2.  Unencrypted Messages

   The Outer Message Header Section of unencrypted Messages SHOULD
   contain at least the Essential Header Fields and, in addition, MUST
   contain the Header Fields of the MIME Header Section part to describe
   Cryptographic Layer of the protected MIME subtree as per [RFC8551].
   It may contain further Header Fields, in particular those also
   present in the Inner Message Header Section.

Appendix D.  Document Considerations

   [[ RFC Editor: This section is to be removed before publication ]]

   This draft is built from markdown source, and its development is
   tracked in a git repository (https://gitlab.com/dkg/lamps-header-
   protection).





Gillmor, et al.         Expires 28 November 2021              [Page 165]


Internet-Draft          Header Protection S/MIME                May 2021


   While minor editorial suggestions and nit-picks can be made as merge
   requests (https://gitlab.com/dkg/lamps-header-protection), please
   direct all substantive discussion to the LAMPS mailing list
   (https://www.ietf.org/mailman/listinfo/spasm) at "spasm@ietf.org".

Appendix E.  Document Changelog

   [[ RFC Editor: This section is to be removed before publication ]]

   *  draft-ietf-lamps-header-protection-05

      -  fix multipart/signed wrapped test vectors

   *  draft-ietf-lamps-header-protection-04

      -  add test vectors

      -  add "problems with Injected Messages" subsection

   *  draft-ietf-lamps-header-protection-03

      -  dkg takes over from Bernie as primary author

      -  Add Usability section

      -  describe two distinct formats "Wrapped Message" and "Injected
         Headers"

      -  Introduce Header Confidentiality Policy model

      -  Overhaul message composition guidance

      -  Simplify document creation workflow, move public face to gitlab

   *  draft-ietf-lamps-header-protection-02

      -  editorial changes / improve language

   *  draft-ietf-lamps-header-protection-01

      -  Add DKG as co-author

      -  Partial Rewrite of Abstract and Introduction [HB/AM/DKG]

      -  Adding definiations for Cryptographic Layer, Cryptographic
         Payload, and Cryptographic Envelope (reference to
         [I-D.dkg-lamps-e2e-mail-guidance]) [DKG]




Gillmor, et al.         Expires 28 November 2021              [Page 166]


Internet-Draft          Header Protection S/MIME                May 2021


      -  Enhanced MITM Definition to include Machine- / Meddler-in-the-
         middle [HB]

      -  Relaxed definition of Original message, which may not be of
         type "message/rfc822" [HB]

      -  Move "memory hole" option to the Appendix (on request by Chair
         to only maintain one option in the specification) [HB]

      -  Updated Scope of Protection Levels according to WG discussion
         during IETF-108 [HB]

      -  Obfuscation recommendation only for Subject and Message-Id and
         distinguish between Encrypted and Unencrypted Messages [HB]

      -  Removed (commented out) Header Field Flow Figure (it appeared
         to be confusing as is was) [HB]

   *  draft-ietf-lamps-header-protection-00

      -  Initial version (text partially taken over from
         [I-D.ietf-lamps-header-protection-requirements]

Appendix F.  Open Issues

   [[ RFC Editor: This section should be empty and is to be removed
   before publication. ]]

   *  Ensure "protected header" (Ex-Memory-Hole) option is (fully)
      compliant with the MIME standard, in particular also [RFC2046],
      Section 5.1.  (Multipart Media Type) Appendix C.1.1.1.

   *  Test Vectors!  We can point to the relevant test vector in the
      main text by reference.  We should also include in the test
      vectors an encrypted message that references another message, so
      we can observe the effect of the HCP on threading.

   *  Should Outer Message Header Section (as received) be preserved for
      the user?  (Section 4.1.4.5)

   *  Decide on whether or not merge requirements from
      [I-D.ietf-lamps-header-protection-requirements] into this
      document.

   *  Decide what parts of [I-D.autocrypt-lamps-protected-headers] to
      merge into this document.

   *  Enhance Introduction Section 1 and Problem Statement (Section 2).



Gillmor, et al.         Expires 28 November 2021              [Page 167]


Internet-Draft          Header Protection S/MIME                May 2021


   *  Decide on whether or not specification for more legacy HP
      requirements should be added to this document (Section 3.1.2).

   *  Verify simple backward compatibility case (Receiving Side MIME-
      Conformant) is working; once solution is stable and update
      paragraphs in Section 4.1, Section 3.1.2.1 and Section 4.2.1
      accordingly.

   *  Verify ability to distinguish between Messages with Header
      Protection as specified in this document and legacy clients and
      update Section 3.1 accordingly.

   *  Improve definitions of Protection Levels and enhance list of
      Protection Levels (Section 3.2, Section 4).

   *  Privacy Considerations Section 7

   *  Security Considerations Section 6

Authors' Addresses

   Daniel Kahn Gillmor
   American Civil Liberties Union
   125 Broad St.
   New York, NY,  10004
   United States of America

   Email: dkg@fifthhorseman.net


   Bernie Hoeneisen
   pEp Foundation
   Oberer Graben 4
   CH- CH-8400 Winterthur
   Switzerland

   Email: bernie.hoeneisen@pep.foundation
   URI:   https://pep.foundation/


   Alexey Melnikov
   Isode Ltd
   14 Castle Mews
   Hampton, Middlesex
   TW12 2NP
   United Kingdom

   Email: alexey.melnikov@isode.com



Gillmor, et al.         Expires 28 November 2021              [Page 168]