LAMPS Working Group                                        D. K. Gillmor
Internet-Draft                            American Civil Liberties Union
Updates: 8551 (if approved)                                 B. Hoeneisen
Intended status: Standards Track                             pEp Project
Expires: 29 December 2024                                    A. Melnikov
                                                               Isode Ltd
                                                            27 June 2024


        Header Protection for Cryptographically Protected E-mail
                 draft-ietf-lamps-header-protection-22

Abstract

   S/MIME version 3.1 introduced a mechanism to provide end-to-end
   cryptographic protection of e-mail message headers.  However, few
   implementations generate messages using this mechanism, and several
   legacy implementations have revealed rendering or security issues
   when handling such a message.

   This document updates the S/MIME specification (RFC8551) to offer a
   different mechanism that provides the same cryptographic protections
   but with fewer downsides when handled by legacy clients.  The Header
   Protection schemes described here are also applicable to messages
   with PGP/MIME cryptographic protections.

   Furthermore, this document offers more explicit usability, privacy,
   and security guidance for clients when generating or handling e-mail
   messages with cryptographic protection of message headers.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://dkg.gitlab.io/lamps-header-protection/.  Status information
   for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/.

   Discussion of this document takes place on the LAMPS Working Group
   mailing list (mailto:spasm@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spasm/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spasm/.

   Source for this draft and an issue tracker can be found at
   https://gitlab.com/dkg/lamps-header-protection.

Gillmor, et al.         Expires 29 December 2024                [Page 1]

Internet-Draft    Cryptographic MIME Header Protection         June 2024

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 29 December 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Two Schemes of Header Protection
     1.2.  Problems with Wrapped Messages
     1.3.  Problems with Injected Headers
     1.4.  Motivation
       1.4.1.  Backward Compatibility
       1.4.2.  Deliverability
     1.5.  Other Protocols to Protect E-Mail Header Fields
     1.6.  Applicability to PGP/MIME
     1.7.  Requirements Language
     1.8.  Terms
     1.9.  Document Scope
       1.9.1.  In Scope
       1.9.2.  Out of Scope
     1.10. Example
   2.  Internet Message Format Extensions
     2.1.  Content-Type parameters
       2.1.1.  Content-Type parameter: hp
       2.1.2.  Content-Type parameter: hp-scheme
       2.1.3.  Content-Type parameter: hp-legacy-display
     2.2.  The HP-Outer Header Field
       2.2.1.  HP-Outer Header Field Definition
   3.  Header Confidentiality Policy
     3.1.  HCP Definition
     3.2.  Initial Registered HCPs
       3.2.1.  Baseline Header Confidentiality Policy
       3.2.2.  Strong Header Confidentiality Policy
       3.2.3.  No Header Confidentiality Policy
     3.3.  Default Header Confidentiality Policy
     3.4.  HCP Evolution
       3.4.1.  Offering More Ambitious Header Confidentiality
       3.4.2.  Expert Guidance for Registering Header Confidentiality
               Policies
   4.  Two Header Protection Schemes
     4.1.  Injected Headers Scheme
     4.2.  Wrapped Message Scheme
   5.  Receiving Guidance
     5.1.  Identifying that a Message has Header Protection
     5.2.  Extracting Protected and Unprotected ("Outer") Header Fields
       5.2.1.  HeaderSetsFromMessage
     5.3.  Updating the Cryptographic Summary
       5.3.1.  HeaderFieldProtection
     5.4.  Header Confidentiality for Referenced Encrypted Messages
           (Replies, Forwarding)
       5.4.1.  ReferenceHCP
     5.5.  Rendering a Message with Injected Headers
       5.5.1.  Example Signed-only Message with Injected Headers
       5.5.2.  Example Signed-and-Encrypted Message with Injected
               Headers
       5.5.3.  Do Not Render Legacy Display Elements
     5.6.  Rendering a Wrapped Message
       5.6.1.  Example Signed-Only Wrapped Message
       5.6.2.  Example Signed-and-Encrypted Wrapped Message
     5.7.  Implicitly rendered Header Fields
     5.8.  Handling Undecryptable Messages
     5.9.  Guidance for Automated Message Handling
       5.9.1.  Interpret Only Protected Header Fields
       5.9.2.  Ignore Legacy Display Elements
     5.10. Affordances for Debugging and Troubleshooting
     5.11. Rendering Other Schemes
   6.  Sending Guidance
     6.1.  Composing a Cryptographically Protected Message Without
           Header Protection
       6.1.1.  ComposeNoHeaderProtection
     6.2.  Composing with "Injected Headers" Header Protection
       6.2.1.  ComposeInjectedHeaders
       6.2.2.  Adding a Legacy Display Element to a text/plain Part
       6.2.3.  Adding a Legacy Display Element to a text/html Part
       6.2.4.  Only Add a Legacy Display Element to Main Body Parts
       6.2.5.  Do Not Add a Legacy Display Element to Other
               Content-Types
     6.3.  Composing with "Wrapped Message" Header Protection
       6.3.1.  ComposeWrappedMessage
   7.  Replying and Forwarding Guidance
     7.1.  Avoid Leaking Encrypted Header Fields in Replies and Forwards
     7.2.  Avoid Misdirected Replies
   8.  Unprotected Header Fields Added in Transit
     8.1.  Mailing list Header Fields: List-* and Archived-At
   9.  E-mail Ecosystem Evolution
     9.1.  Dropping Legacy Display Elements
     9.2.  More Ambitious Default Header Confidentiality Policy
     9.3.  Deprecation of Messages Without Header Protection
   10. Usability Considerations
     10.1.  Mixed Protections Within a Message Are Hard To Understand
     10.2.  Users Should Not Have To Choose a Header Confidentiality
            Policy
     10.3.  Users Should Not Have To Choose a Header Protection Scheme
   11. Security Considerations
     11.1.  Avoid Cryptographic Summary Confusion from hp Parameter
     11.2.  Caution about Composing with Legacy Display Elements
     11.3.  Plaintext Attacks
   12. Privacy Considerations
     12.1.  Leaks When Replying
     12.2.  Encrypted Header Fields Are Not Always Private
       12.2.1.  Encrypted Header Fields Can Leak Unwanted Information to
                the Recipient
       12.2.2.  Encrypted Header Fields Can Be Inferred From External or
                Internal Metadata
       12.2.3.  Encrypted Header Fields May Not Be Fully Masked by HCP
     12.3.  A Naive Recipient May Overestimate the Cryptographic Status
            of a Header Field in an Encrypted Message
     12.4.  Privacy and Deliverability Risks with Bcc and Encrypted
            Messages
   13. IANA Considerations
     13.1.  Register the HP-Outer Header Field
     13.2.  Update Reference for Content-Type Header Field due to hp,
            hp-scheme, and hp-legacy-display Parameters
     13.3.  New Registry: Mail Header Confidentiality Policies
   14. Acknowledgments
   15. References
     15.1.  Normative References
     15.2.  Informative References
   Appendix A.  Table of Pseudocode Listings
   Appendix B.  Possible Problems with Legacy MUAs
     B.1.  Problems Viewing Messages in a List View
     B.2.  Problems when Rendering a Message
     B.3.  Problems when Replying to a Message
   Appendix C.  Test Vectors
     C.1.  Baseline Messages
       C.1.1.  No Cryptographic Protections Over a Simple Message
       C.1.2.  S/MIME Signed-only signedData Over a Simple Message, No
               Header Protection
       C.1.3.  S/MIME Signed-only multipart/signed Over a Simple
               Message, No Header Protection
       C.1.4.  S/MIME Encrypted and Signed Over a Simple Message, No
               Header Protection
       C.1.5.  No Cryptographic Protections Over a Complex Message
       C.1.6.  S/MIME Signed-only signedData Over a Complex Message, No
               Header Protection
       C.1.7.  S/MIME Signed-only multipart/signed Over a Complex
               Message, No Header Protection
       C.1.8.  S/MIME Encrypted and Signed Over a Complex Message, No
               Header Protection
     C.2.  Signed-only Messages
       C.2.1.  S/MIME Signed-only signedData Over a Simple Message,
               Wrapped Message
       C.2.2.  S/MIME Signed-only multipart/signed Over a Simple
               Message, Wrapped Message
       C.2.3.  S/MIME Signed-only signedData Over a Simple Message,
               Injected Headers
       C.2.4.  S/MIME Signed-only multipart/signed Over a Simple
               Message, Injected Headers
       C.2.5.  S/MIME Signed-only signedData Over a Complex Message,
               Wrapped Message
       C.2.6.  S/MIME Signed-only multipart/signed Over a Complex
               Message, Wrapped Message
       C.2.7.  S/MIME Signed-only signedData Over a Complex Message,
               Injected Headers
       C.2.8.  S/MIME Signed-only multipart/signed Over a Complex
               Message, Injected Headers
     C.3.  Encrypted-and-signed Messages
       C.3.1.  S/MIME Encrypted and Signed Over a Simple Message,
               Wrapped Message With hcp_minimal
       C.3.2.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_minimal
       C.3.3.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_minimal (+ Legacy Display)
       C.3.4.  S/MIME Encrypted and Signed Over a Simple Message,
               Wrapped Message With hcp_strong
       C.3.5.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_strong
       C.3.6.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_strong (+ Legacy Display)
       C.3.7.  S/MIME Encrypted and Signed Reply Over a Simple Message,
               Wrapped Message With hcp_minimal
       C.3.8.  S/MIME Encrypted and Signed Reply Over a Simple Message,
               Injected Headers With hcp_minimal
       C.3.9.  S/MIME Encrypted and Signed Reply Over a Simple Message,
               Injected Headers With hcp_minimal (+ Legacy Display)
       C.3.10. S/MIME Encrypted and Signed Reply Over a Simple Message,
               Wrapped Message With hcp_strong
       C.3.11. S/MIME Encrypted and Signed Reply Over a Simple Message,
               Injected Headers With hcp_strong
       C.3.12. S/MIME Encrypted and Signed Reply Over a Simple Message,
               Injected Headers With hcp_strong (+ Legacy Display)
       C.3.13. S/MIME Encrypted and Signed Over a Complex Message,
               Wrapped Message With hcp_minimal
       C.3.14. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_minimal
       C.3.15. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_minimal (+ Legacy Display)
       C.3.16. S/MIME Encrypted and Signed Over a Complex Message,
               Wrapped Message With hcp_strong
       C.3.17. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_strong
       C.3.18. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_strong (+ Legacy Display)
       C.3.19. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Wrapped Message With hcp_minimal
       C.3.20. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Injected Headers With hcp_minimal
       C.3.21. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Injected Headers With hcp_minimal (+ Legacy Display)
       C.3.22. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Wrapped Message With hcp_strong
       C.3.23. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Injected Headers With hcp_strong
       C.3.24. S/MIME Encrypted and Signed Reply Over a Complex Message,
               Injected Headers With hcp_strong (+ Legacy Display)
   Appendix D.  Composition Examples
     D.1.  New message composition
       D.1.1.  Unprotected message
       D.1.2.  Encrypted with hcp_baseline and Legacy Display
     D.2.  Composing a Reply
       D.2.1.  Unprotected message
       D.2.2.  Encrypted with hcp_no_confidentiality and Legacy Display
   Appendix E.  Rendering Examples
     E.1.  Example text/plain Cryptographic Payload with Legacy Display
           Elements
     E.2.  Example text/html Cryptographic Payload with Legacy Display
           Elements
   Appendix F.  Other Header Protection Schemes
     F.1.  Original RFC 8551 Header Protection
     F.2.  Pretty Easy Privacy (pEp)
     F.3.  "draft-autocrypt" Protected Headers
   Appendix G.  Document Changelog
   Index
   Authors' Addresses

1.  Introduction

   Privacy and security issues regarding e-mail Header Protection in
   S/MIME and PGP/MIME have been identified for some time.  Most current
   implementations of cryptographically protected electronic mail
   protect only the body of the message, which leaves significant room
   for attacks against otherwise-protected messages.  For example, lack
   of Header Protection allows an attacker to substitute the message
   subject and/or author.

   This document describes two different schemes for how message headers
   can be cryptographically protected, and provides guidance for
   implementers of MUAs that generate and interpret such messages.  It
   uses the term "Legacy MUA" to refer to an MUA that does not implement
   either scheme.  This document takes particular care to ensure that
   messages interact reasonably well with Legacy MUAs.

1.1.  Two Schemes of Header Protection

   This document addresses two different schemes for cryptographically
   protecting e-mail Header Sections or fields and provides guidance to
   implementers.  One scheme ("Injected Headers") is more interoperable
   with Legacy MUAs and is mandatory to implement and interpret.  The
   other, older scheme ("Wrapped Message") is described here to enable
   interpretation of archived messages.

   The older scheme was first specified in S/MIME 3.1 ([RFC8551]), and
   involves wrapping a message/rfc822 or message/global MIME object with
   a Cryptographic Envelope around the message to protect.
   This document calls this scheme "Wrapped Message", and it updates the
   scheme described in that document, effectively replacing the final
   two paragraphs of Section 3.1 of [RFC8551].  However, experience has
   shown that even the updated "Wrapped Message" form does not interact
   well with some Legacy MUAs (see Section 1.2).

   The more interoperable "Injected Headers" scheme of Header Protection
   is introduced in this document, and is preferred over the "Wrapped
   Message" scheme.  In the "Injected Headers" scheme, the protected
   Header Fields are placed directly on the Cryptographic Payload
   without using an intervening message/* MIME object.  See Section 6.2
   and Section 5.5 for more details.

1.2.  Problems with Wrapped Messages

   Several Legacy MUAs have revealed rendering issues when dealing with
   a message that uses the Wrapped Message Header Protection scheme.

   In some cases, some mail user agents cannot render message/rfc822
   message subparts at all, in violation of baseline MIME requirements
   as described on page 5 of [RFC2049].  This leaves all Wrapped
   Messages unreadable by any recipient using such an MUA.

   In other cases, the user sees an attachment suggesting a forwarded
   e-mail message, which -- in fact -- contains the protected e-mail
   message that should be rendered directly.  In most of these cases,
   the user can click on the attachment to view the protected message.

   However, viewing the protected message as an attachment in isolation
   may strip it of any security indications, leaving the user unable to
   assess the cryptographic properties of the message.  Worse, for
   encrypted messages, interacting with the protected message in
   isolation may leak contents of the cleartext, for example, if the
   reply is not also encrypted.

1.3.  Problems with Injected Headers

   A Legacy MUA dealing with an encrypted message that has some Header
   Fields obscured using the Injected Headers scheme will not render the
   obscured Header Fields to the user at all.  A workaround "Legacy
   Display" mechanism is provided in this document, which most Legacy
   MUAs should render to the user, albeit not in the same location that
   the Header Fields would normally be rendered.

1.4.  Motivation

   Users generally do not understand the distinction between message
   body and message header.  When an e-mail message has cryptographic
   protections that cover the message body, but not the Header Fields,
   several attacks become possible.

   For example, a Legacy Signed Message has a signature that covers the
   body but not the Header Fields.  An attacker can therefore modify the
   Header Fields (including the Subject header) without invalidating the
   signature.  Since most readers consider a message body in the context
   of the message's Subject header, the meaning of the message itself
   could change drastically (under the attacker's control) while still
   retaining the same cryptographic indicators of integrity and
   authenticity.

   In another example, a Legacy Encrypted Message has its body
   effectively hidden from an adversary that snoops on the message.  But
   if the Header Fields are not also encrypted, significant information
   about the message (such as the message Subject) will leak to the
   inspecting adversary.

   However, if the sending and receiving MUAs ensure that cryptographic
   protections cover the message Header Section as well as the message
   body, these attacks are defeated.

1.4.1.  Backward Compatibility

   If the sending MUA is unwilling to generate such a fully protected
   message due to the potential for rendering, usability,
   deliverability, or security issues, these defenses cannot be
   realized.

   The sender cannot know what MUA (or MUAs) the recipient will use to
   handle the message.
   Thus, an outbound message format that is backward compatible with as
   many legacy implementations as possible is a more effective vehicle
   for providing the whole-message cryptographic protections described
   above.

   This document aims for backward compatibility with Legacy MUAs to the
   extent possible.  In some cases, like when a user-visible header like
   the Subject is cryptographically hidden, a Legacy MUA will not be
   able to render or reply to the message exactly the same way as a
   conformant MUA would.  But accommodations are described here that
   ensure a rough semantic equivalence for a Legacy MUA even in these
   cases.

1.4.2.  Deliverability

   A message with perfect cryptographic protections that cannot be
   delivered is less useful than a message with imperfect cryptographic
   protections that can be delivered.  Senders want their messages to
   reach the intended recipients.

   Given the current state of the Internet mail ecosystem, encrypted
   messages in particular cannot shield all of their Header Fields from
   visibility and still be guaranteed delivery to their intended
   recipient.

   This document accounts for this concern by providing a mechanism
   (Section 3) that prioritizes initial deliverability (at the cost of
   some header leakage) while facilitating future message variants that
   shield more header metadata from casual inspection.

1.5.  Other Protocols to Protect E-Mail Header Fields

   A separate pair of protocols also provides some cryptographic
   protection for the e-mail message header integrity: DomainKeys
   Identified Mail (DKIM) [RFC6376], as used in combination with
   Domain-based Message Authentication, Reporting, and Conformance
   (DMARC) [RFC7489].  This pair of protocols provides a domain-based
   reputation mechanism that can be used to mitigate some forms of
   unsolicited e-mail (spam).

   However, the DKIM+DMARC suite provides cryptographic protection at a
   different scope.
   DKIM+DMARC typically provide MTA-to-MTA protection, whereas this
   specification provides MUA-to-MUA protection.  This is because
   DKIM+DMARC are typically applied to messages by (and interpreted by)
   MTAs, whereas the mechanisms in this document are typically applied
   and interpreted by MUAs.

   Furthermore, the DKIM+DMARC suite only provides cryptographic
   integrity and authentication, not encryption.  So cryptographic
   confidentiality is not available from that suite.

   The DKIM+DMARC suite can be used on any message, including messages
   formed as described in this document.  There should be no conflict
   between DKIM+DMARC and the specification here.

   Though not strictly e-mail, similar protections have been in use on
   Usenet for signing and verification of message headers for years.
   See [PGPCONTROL] and [PGPVERIFY-FORMAT] for more details.  Like DKIM,
   these Usenet control protections offer only integrity and
   authentication, not confidentiality.

1.6.  Applicability to PGP/MIME

   This document describes end-to-end cryptographic protections for
   e-mail messages in reference to S/MIME ([RFC8551]).

   Comparable end-to-end cryptographic protections can also be provided
   by PGP/MIME ([RFC3156]).

   The mechanisms in this document should be applicable in the PGP/MIME
   protections as well as S/MIME protections, but analysis and
   implementation in this document focuses on S/MIME.

   To the extent that any divergence from the mechanism described here
   is necessary for PGP/MIME, that divergence is out of scope for this
   document.

1.7.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The key words "SPECIFICATION REQUIRED" and "IETF REVIEW" that appear
   in this document when used to describe namespace allocation are to be
   interpreted as described in [RFC8126].

1.8.  Terms

   The following terms are defined for the scope of this document:

   *  S/MIME: Secure/Multipurpose Internet Mail Extensions (see
      [RFC8551])

   *  PGP/MIME: MIME Security with OpenPGP (see [RFC3156])

   *  Message: An E-Mail Message consisting of Header Fields
      (collectively called "the Header Section of the message")
      followed, optionally, by a Body; see [RFC5322].

      Note: To avoid ambiguity, this document avoids using the terms
      "Header" or "Headers" in isolation, but instead always uses
      "Header Field" to refer to the individual field and "Header
      Section" to refer to the entire collection.

   *  Header Field: A Header Field includes a field name, followed by a
      colon (":"), followed by a field body (value), and terminated by
      CRLF; see Section 2.2 of [RFC5322] for more details.

   *  Header Section: The Header Section is a sequence of lines of
      characters with special syntax as defined in [RFC5322].  The
      Header Section of a Message contains the Header Fields associated
      with the Message itself.  The Header Section of a MIME part (that
      is, a subpart of a message) typically contains Header Fields
      associated with that particular MIME part.

   *  Body: The Body is the part of a Message that follows the Header
      Section and is separated from the Header Section by an empty line
      (i.e., a line with nothing preceding the CRLF); see [RFC5322].  It
      is the (bottom) section of a Message containing the payload of a
      Message.  Typically, the Body consists of a (possibly multipart)
      MIME [RFC2045] construct.

   *  Header Protection (HP): cryptographic protection of e-mail Header
      Sections (or parts of them) by means of signatures and/or
      encryption.

   *  Cryptographic Layer, Cryptographic Payload, Cryptographic
      Envelope, Cryptographic Summary, Structural Header Fields, Main
      Body Part, User-Facing Header Fields, and MUA are all used as
      defined in [I-D.ietf-lamps-e2e-mail-guidance].

   *  Legacy MUA: an MUA that does not understand Header Protection as
      described in this document.  A Legacy Non-Crypto MUA is incapable
      of doing any end-to-end cryptographic operations.  A Legacy Crypto
      MUA is capable of doing cryptographic operations, but does not
      understand or generate messages with Header Protection.

   *  Legacy Signed Message: an e-mail message that was signed by a
      Legacy MUA, and therefore has no cryptographic authenticity or
      integrity protections on its Header Fields.

   *  Legacy Encrypted Message: an e-mail message that was signed and
      encrypted by a Legacy MUA, and therefore has no cryptographic
      authenticity, integrity, or confidentiality protections on any of
      its Header Fields.

   *  Wrapped Message: The Header Protection scheme that uses the
      mechanism described in [RFC8551], where the Cryptographic Payload
      is a message/rfc822 or message/global MIME object, augmented with
      a Content-Type parameter to indicate that this is the explicit
      intent (see Section 4.2).

   *  Injected Headers: The Header Protection scheme that uses the
      mechanism described in this document (see Section 4.1), where the
      protected Header Fields are inserted on the Cryptographic Payload
      directly.

   *  Header Confidentiality Policy (HCP): a functional specification of
      which Header Fields should be removed or obscured when composing
      an encrypted message with Header Protection.  An HCP is considered
      more "conservative" when it removes or obscures fewer Header
      Fields.  When it removes or obscures more Header Fields, it is
      more "ambitious".  See Section 3.

   *  Ordinary User: a user of an MUA who follows a simple and minimal
      experience, focused on sending and receiving e-mails.  A user who
      opts into advanced configuration, expert mode, or the like is not
      an "Ordinary User".

1.9.  Document Scope

   This document describes sensible, simple behavior for a program that
   generates an e-mail message with standard end-to-end cryptographic
   protections, following the guidance in
   [I-D.ietf-lamps-e2e-mail-guidance].  An implementation conformant to
   this document will produce messages that have cryptographic
   protection that covers the message's Header Fields as well as its
   body.

1.9.1.  In Scope

   This document also describes sensible, simple behavior for a program
   that interprets such a message, in a way that can take advantage of
   these protections covering the Header Fields as well as the body.

   The message generation guidance aims to minimize negative
   interactions with any Legacy receiving MUA while providing actionable
   cryptographic properties for modern receiving clients.

   In particular, this document focuses on two standard types of
   cryptographic protection that cover the entire message:

   *  A cleartext message with a single signature, and

   *  An encrypted message that contains a single cryptographic
      signature.

1.9.2.  Out of Scope

   The message composition guidance in this document (in Section 6.2)
   aims to provide minimal disruption for any Legacy MUA that receives
   such a message.  However, a Legacy MUA by definition does not
   implement any of the guidance here.  Therefore, the document does not
   attempt to provide guidance for Legacy MUAs directly.

   Furthermore, this document does not explicitly contemplate other
   variants of cryptographic message protections, including any of
   these:

   *  Encrypted-only message (Without a cryptographic signature.  See
      Section 5.3 of [I-D.ietf-lamps-e2e-mail-guidance].)
* Triple-wrapped message
* Signed message with multiple signatures
* Encrypted message with a cryptographic signature outside the encryption.

All such messages are out of scope of this document.

1.10. Example

This section gives an overview by providing an example of what MIME messages with Header Protection look like. For brevity, only the Injected Headers scheme is shown.

Consider the following MIME message:

    A └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
    B  └─╴application/pkcs7-mime; smime-type="signed-data"
        ⇩ (unwraps to)
    C   └┬╴multipart/alternative; hp="cipher"
    D    ├─╴text/plain; hp-legacy-display="1"
    E    └─╴text/html; hp-legacy-display="1"

Observe that:

* Node A and B are collectively called the Cryptographic Envelope. Node C (including its sub-nodes D and E) is called the Cryptographic Payload ([I-D.ietf-lamps-e2e-mail-guidance]).

* Node A contains the traditional unprotected ("outer") Header Fields. Node C contains the protected ("inner") Header Fields.

* The presence of the hp attribute (see Section 2.1.1) on the Content-Type of node C allows the receiver to know that the sender applied Header Protection. Its value allows the receiver to distinguish whether the sender intended for the message to be confidential (hp="cipher") or not (hp="clear"), since encryption may have been added in transit (see Section 11.1).

The "outer" Header Section on node A looks as follows:

    Date: Wed, 11 Jan 2023 16:08:43 -0500
    From: Bob
    To: Alice
    Subject: [...]
    Message-ID: <20230111T210843Z.1234@lhp.example>
    Content-Type: application/pkcs7-mime; smime-type="enveloped-data"
    MIME-Version: 1.0

The "inner" Header Section on node C looks as follows:

    Date: Wed, 11 Jan 2023 16:08:43 -0500
    From: Bob
    To: Alice
    Subject: Handling the Jones contract
    Keywords: Contract, Urgent
    Message-ID: <20230111T210843Z.1234@lhp.example>
    Content-Type: multipart/alternative; hp="cipher"
    MIME-Version: 1.0
    HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
    HP-Outer: From: Bob
    HP-Outer: To: Alice
    HP-Outer: Subject: [...]
    HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>

Observe that:

* Between node C and node A, some Header Fields are copied as-is (Date, From, To, Message-ID), some are obscured (Subject), and some are removed (Keywords).

* The HP-Outer Header Fields (see Section 2.2) of node C contain a protected copy of the Header Fields in node A. The copy allows the receiver to recompute for which Header Fields the sender provided confidentiality by removing or obscuring them.

* The copying/removing/obscuring and the HP-Outer only apply to Non-Structural Header Fields, not to Structural Header Fields like Content-Type or MIME-Version (see Section 1.1 of [I-D.ietf-lamps-e2e-mail-guidance]).

* If the sender intends no confidentiality and doesn't encrypt the message, it doesn't remove or obscure Header Fields. All Non-Structural Header Fields are copied as-is. No HP-Outer Header Fields are present.

Node D looks as follows:

    Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";

    Subject: Handling the Jones contract
    Keywords: Contract, Urgent

    Please review and approve or decline by Thursday, it's critical!

    Thanks,
    Bob

    --
    Bob Gonzalez
    ACME, Inc.

Observe that:

* The sender adds the removed and obscured User-Facing Header Fields (see Section 1.1.2 of [I-D.ietf-lamps-e2e-mail-guidance]) to the main body (note the empty line after the Content-Type). This is called the Legacy Display Element. It allows a user with a Legacy MUA which doesn't implement this document to understand the message, since the Header Fields will be shown as part of the main body.

* The hp-legacy-display="1" attribute (see Section 2.1.3) indicates that the sender added a Legacy Display Element. This allows receivers that implement this document to recognise the Legacy Display Element and distinguish it from user-added content. The receiver then hides the Legacy Display Element and doesn't display it to the user.

* The hp-legacy-display is added to the node to which it applies, not on any outer nodes (e.g., not to node C).

For more examples, see Appendix D and Appendix E.

2. Internet Message Format Extensions

This section describes relevant, backward-compatible extensions to the Internet Message Format ([RFC5322]). Subsequent sections offer concrete guidance for an MUA to make use of these mechanisms, including policy decisions and recommended pseudocode.

2.1. Content-Type parameters

This document introduces three parameters for the Content-Type Header Field, which have distinct semantics and use cases.

2.1.1. Content-Type parameter: hp

This specification defines a parameter for the Content-Type Header Field named hp (for Header Protection). This parameter is only relevant on the Content-Type Header Field at the root of the Cryptographic Payload. The presence of this parameter at the root of the Cryptographic Payload indicates that the sender intends for this message to have end-to-end cryptographic protections for the Header Fields.

The parameter's defined values describe the sender's cryptographic intent when producing the message:

    +==========+==============+===========+=================+========================================+
    | hp Value | Authenticity | Integrity | Confidentiality | Description                            |
    +==========+==============+===========+=================+========================================+
    | "clear"  | yes          | yes       | no              | This message has been signed by the    |
    |          |              |           |                 | sender with Header Protection          |
    +----------+--------------+-----------+-----------------+----------------------------------------+
    | "cipher" | yes          | yes       | yes             | This message has been signed by the    |
    |          |              |           |                 | sender, with Header Protection, and is |
    |          |              |           |                 | encrypted to the recipients            |
    +----------+--------------+-----------+-----------------+----------------------------------------+

    Table 1: hp parameter for Content-Type Header Field

A sending implementation MUST NOT produce a Cryptographic Payload with parameter hp="cipher" for a non-encrypted message (that is, where none of the Cryptographic Layers in the Cryptographic Envelope of the message provide encryption). Likewise, if a sending implementation is sending an encrypted message with Header Protection, it MUST emit an hp="cipher" parameter, regardless of which Header Fields were made confidential.

Note that hp="cipher" indicates that the message itself has been encrypted by the sender to the recipients, but makes no assertions about which Header Fields have been removed or obscured. This can be derived from the Cryptographic Payload itself (see Section 5.2).

A receiving implementation MUST NOT mistake the presence of an hp="cipher" parameter in the Cryptographic Payload for the actual presence of a Cryptographic Layer that provides encryption.

2.1.2. Content-Type parameter: hp-scheme

This document recommends the Injected Headers scheme, and the presence of the hp= parameter in the Content-Type of the Cryptographic Payload implies the use of that scheme by default. If the message does Header Protection using the Wrapped Message scheme, it MUST also add an hp-scheme="wrapped" parameter to the Content-Type of the Cryptographic Payload.

    +==================================+===============================+
    | hp-scheme Value                  | Header Protection Scheme Used |
    +==================================+===============================+
    | (no hp-scheme parameter present) | Injected Headers              |
    +----------------------------------+-------------------------------+
    | "wrapped"                        | Wrapped Message               |
    +----------------------------------+-------------------------------+

    Table 2: hp-scheme parameter for Content-Type Header Field

See Section 5.1 for how to identify a message that uses the Wrapped Message scheme. See Section 5.6 for how to render a message that uses the Wrapped Message scheme. See Section 6.3 for how to generate a message using the Wrapped Message scheme.

2.1.3. Content-Type parameter: hp-legacy-display

This specification also defines an hp-legacy-display parameter for the Content-Type Header Field. The only defined value for this parameter is 1.

This parameter is only relevant on a leaf MIME node of Content-Type text/html or text/plain within a well-formed message with end-to-end cryptographic protections. Its presence indicates that the MIME node it is attached to contains a decorative "Legacy Display Element". The Legacy Display Element itself is used for backward-compatible visibility of any removed or obscured User-Facing Header Field in a Legacy MUA.

Such a Legacy Display Element need not be rendered to the user of an MUA that implements this specification, because the MUA already knows the correct Header Field information, and can render it to the user in the appropriate part of the MUA's user interface rather than in the body of the message.

See Section 6.2.2 for how to insert a Legacy Display Element into a text/plain Main Body Part. See Section 6.2.3 for how to insert a Legacy Display Element into a text/html Main Body Part. See Section 5.5.3 for how to avoid rendering a Legacy Display Element.

2.2. The HP-Outer Header Field

This document also specifies a new Header Field: HP-Outer.

This Header Field is used only in the Header Section of the Cryptographic Payload of an encrypted message. It is not relevant for signed-only messages. It documents, with the same cryptographic guarantees shared by the rest of the message, the sender's choices about Header Field confidentiality. It does so by embedding a copy within the Cryptographic Envelope of every non-structural Header Field that the sender put outside the Cryptographic Envelope. This Header Field enables the MUA receiving the encrypted message to reliably identify whether the sending MUA intended to make a Header Field confidential (see Section 12.3).

The HP-Outer Header Fields in a message's Cryptographic Payload are useful for ensuring that any confidential Header Field will not be automatically leaked in the clear if the user replies to or forwards the message. They may also be useful for an MUA that indicates the confidentiality status of any given Header Field to the user.

An implementation that composes encrypted e-mail MUST include a copy of all non-structural Header Fields deliberately exposed to the outside of the Cryptographic Envelope using a series of HP-Outer Header Fields within the Cryptographic Payload.

These HP-Outer MIME Header Fields should only ever appear directly within the Header Section of the Cryptographic Payload of a Cryptographic Envelope offering confidentiality. They MUST be ignored for the purposes of evaluating the message's Header Protection if they appear in other places.

Each instance of HP-Outer contains a non-structural Header Field name and the value that this Header Field was set in the outer (unprotected) Header Section. The HP-Outer Header Field can appear multiple times in the Header Section of a Cryptographic Payload.

If a non-structural Header Field name A doesn't appear in an HP-Outer Header Field value, then the sender is effectively asserting it was not set on the outside of the message's Cryptographic Envelope by the original message sender at the time the message was injected into the mail system.

See Section 6.2 and Section 6.3 for how to insert HP-Outer Header Fields into an encrypted message. See Section 5.3 for how to determine the end-to-end confidentiality of a given Header Field from an encrypted message with Header Protection using HP-Outer. See Section 5.4 for how an MUA can safely reply to (or forward) an encrypted message without leaking confidential Header Fields by default.

2.2.1. HP-Outer Header Field Definition

The syntax of this Header Field is defined using the following ABNF [RFC5234], where field-name, WSP, VCHAR, and FWS are defined in [RFC5322]:

    hp-outer = "HP-Outer:" [FWS] field-name ": "
               hp-outer-value CRLF

    hp-outer-value = (*([FWS] VCHAR) *WSP)

Note that hp-outer-value is the same as unstructured from [RFC5322], but without the obsolete obs-unstructured option.

3. Header Confidentiality Policy

An MUA composing an encrypted message according to this specification may make any given Header Field confidential by removing it from the Header Section outside the Cryptographic Envelope, or by obscuring it by rewriting it to a different value in that outer Header Section. The composing MUA faces a choice for any new message: which Header Fields should be made confidential, and how?

This section defines the "Header Confidentiality Policy" (or HCP) as a well-defined abstraction to encourage MUA developers to consider, document, and share reasonable policies across the community. It establishes a registry of known HCPs, defines a small number of simple HCPs in that registry, and makes a recommendation for a reasonable default.

Note that such a policy is only needed when the end-to-end protections include encryption (confidentiality). No comparable policy is needed for other end-to-end cryptographic protections (integrity and authenticity), as they are simply uniformly applied so that all Header Fields known by the sender have these protections.

This asymmetry is a consequence of complexities in existing message delivery systems, some of which may reject, drop, or delay messages where all Header Fields are removed from the top-level MIME object.

Note that no representation of the HCP itself ever appears "on the wire". However, the consumer of the encrypted message can see the decisions that were made by the sender's HCP via the HP-Outer Header Fields (see Section 2.2).

3.1. HCP Definition

In this document, we represent that Header Confidentiality Policy as a function hcp:

* hcp(name, val_in) → val_out: this function takes a non-structural Header Field identified by name with initial value val_in as arguments, and returns a replacement header value val_out.
  If val_out is the special value null, it means that the Header Field in question should be removed from the set of Header Fields visible outside the Cryptographic Envelope.

In the pseudocode descriptions of various choices of HCP in this document, any comparison with the name input is done case-insensitively. This is appropriate for Header Field names, as described in [RFC5322].

Note that hcp is only applied to non-structural Header Fields. When composing a message, Structural Header Fields are dealt with separately, as described in Section 6.2 and Section 6.3.

As an example, an MUA that obscures the Subject Header Field by replacing it with the literal string "[...]", hides all Cc'ed recipients, and does not offer confidentiality to any other Header Fields would be represented as (in pseudocode):

    hcp_example_hide_cc(name, val_in) → val_out:
        if lower(name) is 'subject':
            return '[...]'
        else if lower(name) is 'cc':
            return null
        else:
            return val_in

For alignment with common practice as well as the ABNF in Section 2.2.1 for HP-Outer, val_out MUST be one of the following:

* identical to val_in, or
* the special value null (meaning that the Header Field will be removed from the outside of the message), or
* a sequence of printable and whitespace (that is, space or tab) 7-bit clean ASCII characters (of course, non-ASCII text can be encoded as ASCII using the encoded-word construct from [RFC2047])

The HCP can compute val_out using any technique describable in pseudocode, such as copying a fixed string or invocations of other pseudocode functions. If it alters the value, it MUST NOT include control or NUL characters in val_out. val_out SHOULD match the expected ABNF for the Header Field identified by name.

3.2. Initial Registered HCPs

This document formally defines three Header Confidentiality Policies with known and reasonably well-understood characteristics as a way to compare and contrast different possible behavioral choices for a composing MUA. These definitions are not meant to preclude the creation of other HCPs.

(The example hypothetical HCP described in Section 3.1 above, hcp_example_hide_cc, is deliberately not formally registered, as it has not been evaluated in practice.)

3.2.1. Baseline Header Confidentiality Policy

The most conservative recommended Header Confidentiality Policy only provides confidentiality for Informational Fields, as defined in Section 3.6.5 of [RFC5322]. These fields are "only human-readable content" and thus their content should not be relevant to transport agents. Since most Internet messages today do have a Subject Header Field, and some filtering engines might object to a message without a Subject, this policy is conservative and merely obscures that Header Field by replacing it with a fixed string [...]. By contrast, Comments and Keywords are comparatively rare, so these fields are removed entirely from the Outer Header Section.

    hcp_baseline(name, val_in) → val_out:
        if lower(name) is 'subject':
            return '[...]'
        else if lower(name) is in ['comments', 'keywords']:
            return null
        else:
            return val_in

hcp_baseline is the recommended default HCP for a new implementation, as it provides meaningful confidentiality protections and is unlikely to cause deliverability or usability problems.

3.2.2. Strong Header Confidentiality Policy

Alternately, a more ambitious (and therefore more privacy-preserving) Header Confidentiality Policy only leaks a handful of fields whose absence is known to increase rates of delivery failure:

    hcp_strong(name, val_in) → val_out:
        if lower(name) in ['from', 'to', 'cc', 'date', 'message-id']:
            return val_in
        else if lower(name) is 'subject':
            return '[...]'
        else:
            return null

hcp_strong is known to cause usability problems with message threading for many Legacy MUAs (as it removes References and In-Reply-To header fields), and is not recommended as a default HCP for new implementations.

3.2.3. No Header Confidentiality Policy

Legacy MUAs can be conceptualized as offering a "No Header Confidentiality" Policy, which offers no confidentiality protection to any Header Field:

    hcp_no_confidentiality(name, val_in) → val_out:
        return val_in

A conformant MUA that is not modified by local policy or configuration MUST NOT use hcp_no_confidentiality by default.

3.3. Default Header Confidentiality Policy

An MUA MUST have a default Header Confidentiality Policy that offers confidentiality for the Subject Header Field at least. Local policy and configuration may alter this default, but the MUA SHOULD NOT require the user to select an HCP.

hcp_baseline provides confidentiality for the Subject Header Field by replacing it with the literal string "[...]". It also provides confidentiality for the other less common Informational Header Fields (Comments and Keywords) by removing them entirely from the outer Header Section. This is a sensible default because most users treat the Informational Fields of a message (particularly the Subject) the same way that they treat the body, and they are surprised to find that the Subject of an encrypted message is visible.

3.4. HCP Evolution

This document does not mandate any particular Header Confidentiality Policy, though it offers guidance for MUA implementers in selecting one in Section 3.3. Future documents may recommend or mandate such a policy for an MUA with specific needs. Such a recommendation might be motivated by descriptions of metadata-derived attacks, or stem from research about message deliverability, or describe new signalling mechanisms, but these topics are out of scope for this document.

3.4.1. Offering More Ambitious Header Confidentiality

An MUA MAY offer even more ambitious confidentiality for Header Fields of an encrypted message than described in Section 3.2.2. For example, it might implement an HCP that partially obscures the From Header Field by removing the [RFC5322] display-name, removes the Cc Header Field entirely, or ensures Date is represented in UTC (obscuring the local time zone).

The authors of this document hope that implementers with deployment experience will document their chosen Header Confidentiality Policy and the rationale behind their choice.

3.4.2. Expert Guidance for Registering Header Confidentiality Policies

There is no formal syntax specified for the Header Confidentiality Policy, but any attempt to specify an HCP for inclusion in the registry needs to provide:

* a stable reference document clearly indicating the distinct name for the proposed HCP
* pseudocode that other implementers can clearly and unambiguously interpret
* a clear explanation of why this HCP is different from all other registered HCPs
* any relevant considerations related to deployment of the HCP (for example, known or expected deliverability, rendering, or privacy challenges and possible mitigations)

When the proposed HCP produces any non-null output for a given Header Field name, val_out SHOULD match the expected ABNF for that Header Field.
If the proposed HCP does not match the expected ABNF for that Header Field, the documentation should explicitly identify the relevant circumstances and provide a justification for the deviation.

An entry should not be marked as "Recommended" unless it has been shown to offer confidentiality or privacy improvements over the status quo and have minimal or mitigatable negative impact on messages to which it is applied, considering factors such as message deliverability and security. Only one entry in the table (hcp_baseline) is initially marked as "Recommended". In the future, more than one entry may be marked as "Recommended".

4. Two Header Protection Schemes

As mentioned in Section 1.1, this document describes two ways to provide end-to-end cryptographic protection for an e-mail message that includes all Header Fields known to the sender at message composition time.

When composing a message with end-to-end cryptographic protections, an MUA SHOULD apply Header Protection.

A sending MUA MUST be able to generate the Injected Headers scheme (Section 6.2), and MAY generate the Wrapped Message scheme (Section 6.3). The MUA implementer can choose between the two schemes (see Section 10.3). A compatible MUA SHOULD use Injected Headers when composing a new message with end-to-end cryptographic protections, since a message structured with Injected Headers is more likely to be usable by both legacy and compatible MUAs.

A receiving MUA MUST be able to handle both Header Protection schemes, as described in Section 5.

4.1. Injected Headers Scheme

A message that uses the Injected Headers scheme has protected Header Fields in the Header Section of the Cryptographic Payload.
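How the HCPs of Section 3.2 determine the outer Header Section and the HP-Outer fields placed in an Injected Headers payload, as an added example (not code from this document or any implementation). The addresses in the sample are constructed, and treating MIME-Version and Content-* as the Structural Header Fields is an assumption.

```python
import re

# Constructed sample modelled on the inner Header Section in Section 1.10.
# The e-mail addresses are made up for this example.
INNER_FIELDS = [
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("From", "Bob <bob@example.net>"),
    ("To", "Alice <alice@example.net>"),
    ("Subject", "Handling the Jones contract"),
    ("Keywords", "Contract, Urgent"),
    ("Message-ID", "<20230111T210843Z.1234@lhp.example>"),
    ("Content-Type", 'multipart/alternative; hp="cipher"'),
    ("MIME-Version", "1.0"),
]

# An altered val_out may only hold printable 7-bit ASCII, space and tab (Section 3.1).
_VAL_OUT_OK = re.compile(r"[\x21-\x7e \t]*")


def is_structural(name):
    # Assumption: Structural Header Fields are MIME-Version and Content-*;
    # the text above names only Content-Type and MIME-Version as examples.
    n = name.lower()
    return n == "mime-version" or n.startswith("content-")


def hcp_baseline(name, val_in):
    """Section 3.2.1: obscure Subject, remove Comments and Keywords."""
    n = name.lower()
    if n == "subject":
        return "[...]"
    if n in ("comments", "keywords"):
        return None
    return val_in


def hcp_strong(name, val_in):
    """Section 3.2.2: keep five fields, obscure Subject, remove the rest."""
    n = name.lower()
    if n in ("from", "to", "cc", "date", "message-id"):
        return val_in
    if n == "subject":
        return "[...]"
    return None


def apply_hcp(hcp, name, val_in):
    """Run one HCP and enforce the Section 3.1 limits on its result."""
    val_out = hcp(name, val_in)
    if val_out is None or val_out == val_in:
        return val_out
    if not _VAL_OUT_OK.fullmatch(val_out):
        # A CR, LF, NUL or 8-bit character would corrupt the outer Header Section.
        raise ValueError(f"HCP produced an illegal value for {name!r}")
    return val_out


def compose_outer(hcp, inner_fields):
    """Return (outer, hp_outer, hidden) for an encrypted message.

    outer    -- (name, value) pairs for the unprotected Header Section
    hp_outer -- HP-Outer lines to add to the Cryptographic Payload
    hidden   -- names of fields that were removed or obscured
    """
    outer, hp_outer, hidden = [], [], []
    for name, val_in in inner_fields:
        if is_structural(name):
            continue  # hcp is only applied to non-structural fields
        val_out = apply_hcp(hcp, name, val_in)
        if val_out != val_in:
            hidden.append(name)
        if val_out is None:
            continue  # removed: no outer copy, so no HP-Outer entry
        outer.append((name, val_out))
        hp_outer.append(f"HP-Outer: {name}: {val_out}")
    return outer, hp_outer, hidden


if __name__ == "__main__":
    for line in compose_outer(hcp_baseline, INNER_FIELDS)[1]:
        print(line)
```

With hcp_baseline the HP-Outer lines have the same shape as those on node C in Section 1.10, and the hidden names (Subject, Keywords) are the fields shown in node D's Legacy Display Element.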

For an encrypted message that has at least one User-Facing Header Field (see Section 1.1.2 of [I-D.ietf-lamps-e2e-mail-guidance]) removed or obscured outside of the Cryptographic Payload, those Header Fields MAY be duplicated into decorative copies in the Main Body MIME part of the Cryptographic Payload itself. These decorative copies within the message are known as "Legacy Display Elements". Such a Legacy Display Element enables users of a Legacy receiving MUA -- that doesn't yet understand how to interpret or display the Injected Headers scheme -- to view the removed/obscured Header Fields. See Section 9.1 for more details about how the ecosystem could shift so that a sending MUA could avoid the need to generate any Legacy Display Element.

Composing a message with the Injected Headers scheme is described in Section 6.2. Rendering such a message is described in Section 5.5. Example message composition and reply can be seen in Appendix D. Example message rendering which strips Legacy Display Elements can be seen in Appendix E.

4.2. Wrapped Message Scheme

A message that uses the Wrapped Message scheme has a Cryptographic Payload of a single message/rfc822 (or message/global) MIME object, which itself contains the original message (including the protected Header Section).

The Wrapped Message Header Protection scheme is very similar to that described in Section 3.1 of [RFC8551].
The main augmentations this document provides to that scheme are:

* an explicit discussion of how to obscure or remove Header Fields,
* an additional hp="clear" or hp="cipher" parameter to the Content-Type Header Field of the Cryptographic Payload to indicate the explicit intent,
* an additional hp-scheme="wrapped" parameter to the same Content-Type Header Field to indicate the specific scheme in use,
* a recommendation to mark such a Wrapped Message as "Content-Disposition: inline" to encourage Legacy MUAs to render the inner message directly rather than treating it as an attachment, and
* a mechanism the recipient of an encrypted message can use to explicitly derive what Header Fields were removed or obscured by the sender (the HP-Outer mechanism).

Composing a message with the Wrapped Message scheme is described in Section 6.3. Rendering such a message is described in Section 5.6.

5. Receiving Guidance

An MUA that receives a cryptographically protected e-mail will render it for the user.

The receiving MUA will render the message body, a selected subset of Header Fields, and (as described in Section 3 of [I-D.ietf-lamps-e2e-mail-guidance]) provide a summary of the cryptographic properties of the message.

Most MUAs only render a subset of Header Fields by default. For example, most MUAs render From, To, Cc, Date, and Subject to the user, but few render Message-Id or Received.

An MUA that knows how to handle a message with Header Protection makes the following three changes to its behavior when rendering a message:

* If the MUA detects that an incoming message has protected Header Fields:
  - For a Header Field that is present in the protected Header Section, the MUA MUST render that value, and ignore any unprotected counterparts that may be present.
  - For a Header Field that is present only in the unprotected Header Section, the MUA SHOULD NOT render that value. If it does render the value, the MUA SHOULD indicate that the rendered value is unprotected. For an exception to this, see Section 8 for a discussion of some specific Header Fields that are known to be added in transit, and therefore are not expected to have end-to-end cryptographic protections.

* The MUA SHOULD include information in the message's Cryptographic Summary to indicate the types of protection that applied to each rendered Header Field (if any).

* When replying to a message with confidential Header Fields, the replying MUA avoids leaking into the cleartext of the reply any Header Fields which were confidential in the original. It does this even if its own Header Confidentiality Policy would not have treated those Header Fields as confidential. See Section 7 for more details.

Note that an MUA that handles a message with Header Protection does _not_ need to render any new Header Fields that it did not render before.

5.1. Identifying that a Message has Header Protection

An incoming message can be identified as having Header Protection based on one of two signals:

* The Cryptographic Payload has Content-Type: message/rfc822 or Content-Type: message/global and the parameter hp has a value of clear or cipher, and the hp-scheme has a value of wrapped. See Section 5.6 for rendering guidance.

* The Cryptographic Payload has some other Content-Type and it has parameter hp set to clear or cipher. See Section 5.5 for rendering guidance.

Messages of both types exist in the wild, and a compliant MUA MUST be able to handle them both. They provide the same semantics and the same meaning.
When consuming a message, an MUA MUST ignore the hp parameter to Content-Type when it encounters it anywhere other than the root of the message's Cryptographic Payload.

5.2.  Extracting Protected and Unprotected ("Outer") Header Fields

When a message is encrypted and it uses Header Protection, an MUA may need to extract a list of protected Header Fields (names and values), as well as a list of Header Fields that were added by the original message sender in unprotected form to the outside of the message's Cryptographic Envelope.

The following algorithm takes a reference message refmsg as input, which is encrypted with Header Protection as described in this document (that is, the Cryptographic Envelope includes a Cryptographic Layer that provides encryption, and the hp parameter for the Content-Type Header Field of the Cryptographic Payload is cipher). It produces as output a pair of lists of (h,v) Header Fields.

5.2.1.  HeaderSetsFromMessage

Method Signature:

   HeaderSetsFromMessage(refmsg) → (refouter, refprotected)

Procedure:

   1.  When refmsg uses the Injected Headers scheme (that is, when there is no hp-scheme parameter for the Content-Type Header Field of the Cryptographic Payload):
       i.  Let refheaders be the list of (h,v) protected Header Fields found in the root of the Cryptographic Payload
   2.  When refmsg uses the Wrapped Message scheme (that is, when the hp-scheme parameter for the Content-Type Header Field of the top-level message/rfc822 Cryptographic Payload is wrapped):
       i.  Let refheaders be the list of (h,v) protected Header Fields found in the immediate child of the root of the Cryptographic Payload (recall that the root is a message/rfc822)
   3.  Let refouter be an empty list of Header Field names and values
   4.  Let refprotected be an empty list of Header Field names and values
   5.  For each (h,v) in refheaders:
       i.  If h is HP-Outer:
           a.  Split v into (h1,v1) on the first colon (:) followed by any amount of whitespace.
           b.  Append (h1,v1) to refouter
       ii. Else:
           a.  Append (h,v) to refprotected
   6.  Return refouter, refprotected

Note that this algorithm is independent of the unprotected Header Fields. It derives its output only from the normal Header Fields and the HP-Outer Header Fields, both contained inside the Cryptographic Payload.

5.3.  Updating the Cryptographic Summary

Regardless of whether a cryptographically protected message has protected Header Fields, the Cryptographic Summary of the message should be modified to indicate what protections the Header Fields have. This field-by-field status is complex and isn't necessarily intended to be presented in full to the user. Rather, it represents the state of the message internally within the MUA, and may be used to influence behavior like replying to the message (see Section 7.1).

Each Header Field individually has exactly one of the following protection states:

   *  unprotected (has no Header Protection)
   *  signed-only (bound into the same validated signature as the enclosing message, but also visible in transit)
   *  encrypted-only (only appears within the Cryptographic Payload; the corresponding external Header Field was either removed or obscured)
   *  signed-and-encrypted (same as encrypted-only, but additionally is under a validated signature)

If the message does not have Header Protection (as determined by Section 5.1), then all of the Header Fields are by definition unprotected.

If the message has Header Protection, an MUA SHOULD use the following algorithm to compute the protection state of a protected Header Field (h,v) (i.e., an element of refprotected from Section 5.2):

5.3.1.  HeaderFieldProtection

Method signature:

   HeaderFieldProtection(msg, h, v) → protection_state

Procedure:

   1.  Let ct be the Content-Type of the root of the Cryptographic Payload of msg.
   2.  Compute (refouter, refprotected) from HeaderSetsFromMessage(msg).
   3.  If (h, v) is not in refprotected:
       i.  Abort, v is not a valid value for header h
   4.  Let is_sig_valid be false
   5.  If the message is signed:
       i.  Let is_sig_valid be the result of validating the signature
   6.  If the message is encrypted, and if ct has a parameter hp="cipher", and if (h,v) is not in refouter:
       i.  Return signed-and-encrypted if is_sig_valid otherwise encrypted-only
   7.  Return signed-only if is_sig_valid otherwise unprotected

Note that:

   *  This algorithm is independent of the unprotected Header Fields. It derives the protection state only from (h,v) and the set of HP-Outer Header Fields, both of which are inside the Cryptographic Envelope.
   *  If the signature fails validation, the MUA lowers the affected state to unprotected or encrypted-only without warning the user, as specified by Section 3.1 of [I-D.ietf-lamps-e2e-mail-guidance].
   *  Data from signed-and-encrypted and encrypted-only Header Fields may still not be fully private (see Section 12.2).
   *  Encryption may have been added in transit to an originally signed-only message. Thus only consider Header Fields to be confidential if the sender indicates it with the hp="cipher" parameter.
   *  The protection state of a Header Field may be weaker than that of the message body. For example, a message body can be signed-and-encrypted, but a Header Field that is copied unmodified to the unprotected Header Section is signed-only.

If the message has Header Protection, Header Fields that are not in refprotected (e.g., because they were added in transit), are unprotected.

Rendering the cryptographic status of each Header Field is likely to be complex and messy --- users may not understand it.
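The HeaderSetsFromMessage and HeaderFieldProtection procedures (Sections 5.2.1 and 5.3.1) as an added Python example, not taken from the draft or from any MUA. It works on an already-decrypted Cryptographic Payload; the sample message, the function names, the encrypted and sig_valid inputs (standing in for the MUA's crypto layer), and the treatment of Content-* and MIME-Version as structural fields are assumptions of the example.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: the decrypted Cryptographic Payload of a signed-and-encrypted
# message using Injected Headers. Only Subject was obscured on the outside.
SAMPLE_PAYLOAD = """\
Content-Type: text/plain; charset="us-ascii"; hp="cipher"
MIME-Version: 1.0
Subject: Thursday's meeting
From: alice@example.net
To: bob@example.net
Date: Wed, 26 Jun 2024 10:00:00 +0000
HP-Outer: Subject: [...]
HP-Outer: From: alice@example.net
HP-Outer: To: bob@example.net
HP-Outer: Date: Wed, 26 Jun 2024 10:00:00 +0000

I think we should skip the meeting.
"""


def is_structural(name: str) -> bool:
    # Assumption of this example: structural fields are Content-* and MIME-Version.
    n = name.lower()
    return n.startswith("content-") or n == "mime-version"


def header_sets(payload: Message):
    """HeaderSetsFromMessage (Section 5.2.1) on an already-decrypted payload."""
    root = payload
    if (payload.get_content_type() == "message/rfc822"
            and payload.get_param("hp-scheme") == "wrapped"):
        root = payload.get_payload(0)  # immediate child of the message/rfc822 root
    refouter, refprotected = [], []
    for h, v in root.items():
        if h.lower() == "hp-outer":
            # Split on the first colon only: values such as Date contain colons.
            name, _, value = v.partition(":")
            refouter.append((name.strip(), value.lstrip()))
        elif not is_structural(h):
            refprotected.append((h, v))
    return refouter, refprotected


def norm(pairs):
    # Field names compare case-insensitively; values compare exactly.
    return {(h.lower(), v) for h, v in pairs}


def header_field_protection(payload, h, v, *, encrypted, sig_valid):
    """HeaderFieldProtection (Section 5.3.1).

    encrypted and sig_valid are what the crypto layer reported while unwrapping
    the Cryptographic Envelope (assumed inputs; no cryptography happens here).
    """
    refouter, refprotected = header_sets(payload)
    key = (h.lower(), v)
    if key not in norm(refprotected):
        raise ValueError(f"{v!r} is not a protected value for {h}")
    if encrypted and payload.get_param("hp") == "cipher" and key not in norm(refouter):
        return "signed-and-encrypted" if sig_valid else "encrypted-only"
    return "signed-only" if sig_valid else "unprotected"


def protection_summary(payload, *, encrypted, sig_valid):
    """Protection state of every protected Header Field in the payload."""
    _, refprotected = header_sets(payload)
    return {h: header_field_protection(payload, h, v,
                                       encrypted=encrypted, sig_valid=sig_valid)
            for h, v in refprotected}


if __name__ == "__main__":
    msg = message_from_string(SAMPLE_PAYLOAD)
    for name, state in protection_summary(msg, encrypted=True, sig_valid=True).items():
        print(f"{name}: {state}")
```

Nothing in these functions reads the outer Header Section, so a value rewritten in transit cannot change the computed state.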
It is beyond the scope of this document to suggest any specific graphical affordances or user experience. Future work should include examples of successful rendering of this information.

5.4.  Header Confidentiality for Referenced Encrypted Messages (Replies, Forwarding)

An MUA might create a new message in response to another message. For example, the user of an MUA viewing any given message might take an action like "Reply", "Reply All", "Forward", or some comparable action to start the composition of a new message. The new message created this way effectively references the original message that was viewed at the time.

When the referenced message was itself encrypted with Header Protection, and some of its Header Fields had been obscured or removed, the replying MUA needs to make sure that the new message does not leak previously confidential header material.

This section describes a method to produce a list of Header Fields that should be obscured or removed in the new message even if the sender's choice of Header Confidentiality Policy wouldn't normally remove or obscure the Header Field in question.

It takes two items as input:

   *  A single referenced message refmsg, and
   *  A built-in MUA function respond associated with the user's action. respond takes as input a list of headers from a referenced message and generates a list of initial candidate message Header Field names and values that are used to populate the message composition interface. Something like this function already exists in most MUAs, though it may differ across responsive actions. For example, the respond function that implements "Reply All" is likely to be different from the respond that implements "Reply".

As output, we produce an ephemeral single-use Header Confidentiality Policy, specific to this kind of response to this specific message.

5.4.1.  ReferenceHCP

Method signature:

   ReferenceHCP(refmsg, respond) → ephemeral_hcp

Procedure:

   1.  If refmsg is not encrypted with Header Protection:
       i.  Return hcp_no_confidentiality (there is no header confidentiality in the reference message that needs protection)
   2.  Extract refouter, refprotected from refmsg as described in Section 5.2
   3.  Let genprotected be a list of (h,v) pairs generated by respond(refprotected)
   4.  Let genouter be a list of (h,v) pairs generated by respond(refouter)
   5.  For each (h,v) in genprotected:
       i.  If (h,v) is in genouter:
           a.  Remove (h,v) from both genprotected and genouter (this Header Field does not need additional confidentiality)
   6.  Let confmap be a mapping from a Header Field name and value (h,v) to either a string or the special value null (this mapping is initially empty)
   7.  For each (h,v) remaining in genprotected:
       i.  Set result to the special value null
       ii. For each (h1,v1) in genouter:
           a.  If h1 is h:
               I.  Set result to v1
       iii. Insert (h,v) -> result into confmap
   8.  Return a new HCP from confmap that tests whether (name,val_in) are in confmap; if so, return confmap[(name,val_in)]; otherwise, return val_in

Note that the key idea here is to reuse the MUA's existing respond function. The algorithm simulates how the MUA would pre-populate a reply to two traditional messages whose Header Fields have the values refouter and refprotected respectively (independent of any cryptographic protections). Then it uses the difference to derive a one-time HCP. This HCP takes into account both the referenced message's sender's preferences and the derivations that can happen to Header Field values when responding.

Note that while some of these derivations are straightforward (e.g., In-Reply-To is usually derived from Message-ID), others are non-trivial.
For example, From may be derived from To, Cc, or from the MUA's local address preference (especially when the MUA received the referenced message via Bcc). Similarly, To may be derived from To, From, and/or Cc depending on the MUA implementation and depending on whether the user clicked "Reply", "Reply All", "Forward", or any other action that generates a response to a message. Reusing the MUA's existing respond function incorporates these nuances without requiring any extra configuration choices or additional maintenance burden.

5.5.  Rendering a Message with Injected Headers

When the Cryptographic Payload does not have a Content-Type of message/rfc822 or message/global, and the parameter hp is set to clear or cipher, the values of the protected Header Fields are drawn from the Header Fields of the Cryptographic Payload, and the body that is rendered is the Cryptographic Payload itself.

5.5.1.  Example Signed-only Message with Injected Headers

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   A └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   B  └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   C   ├─╴text/plain
   D   └─╴text/html

The message body should be rendered the same way as this message:

   B └┬╴multipart/alternative
   C  ├─╴text/plain
   D  └─╴text/html

The MUA should render Header Fields taken from part B.

Its Cryptographic Summary should indicate that the message was signed and all rendered Header Fields were included in the signature.

Because this message is signed-only, none of its parts will have a Legacy Display Element.

The MUA should ignore Header Fields from part A for the purposes of rendering.

5.5.2.  Example Signed-and-Encrypted Message with Injected Headers

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   E └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   F  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   G   └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   H    ├─╴text/plain
   I    └─╴text/html

The message body should be rendered the same way as this message:

   G └┬╴multipart/alternative
   H  ├─╴text/plain
   I  └─╴text/html

It should render Header Fields taken from part G.

Its Cryptographic Summary should indicate that the message is signed-and-encrypted.

When rendering the Cryptographic Status of a Header Field and when composing a reply, each Header Field found in G should be considered against all HP-Outer Header Fields found in G. If an HP-Outer Header Field is found that matches both the name and value, the Header Field's Cryptographic Status is just signed-only, even though the message itself is signed-and-encrypted. If no matching HP-Outer Header Field is found, the Header Field's Cryptographic Status is signed-and-encrypted, like the rest of the message.

If any of the User-Facing Header Fields are removed or obscured, the composer of this message may have placed Legacy Display Elements in parts H and I.

The MUA should ignore Header Fields from part E for the purposes of rendering.

5.5.3.  Do Not Render Legacy Display Elements

As described in Section 2.1.3, a message with cryptographic confidentiality protection MAY include Legacy Display Elements for backward-compatibility with Legacy MUAs. These Legacy Display Elements are strictly decorative, unambiguously identifiable, and will be discarded by compliant implementations.
The receiving MUA MUST avoid rendering the identified Legacy Display Elements to the user at all, since it is aware of Header Protection and can render the actual protected Header Fields.

If a text/html or text/plain part within the Cryptographic Envelope is identified as containing Legacy Display Elements, those elements MUST be hidden when rendering and MUST be dropped when generating a draft reply or inline forwarded message. Whenever a Message or MIME subtree is exported, downloaded, or otherwise further processed, if there is no need to retain a valid cryptographic signature, the implementer MAY drop the Legacy Display Elements.

5.5.3.1.  Identifying a Part with Legacy Display Elements

A receiving MUA acting on a message that contains an encrypting Cryptographic Layer identifies a MIME subpart within the Cryptographic Payload as containing Legacy Display Elements based on the Content-Type of the subpart. The subpart's Content-Type:

   *  contains a parameter hp-legacy-display with value set to 1, and
   *  is either text/html (see Section 5.5.3.3) or text/plain (see Section 5.5.3.2).

Note that the term "subpart" above is used in the general sense: if the Cryptographic Payload is a single part, that part itself may contain a Legacy Display Element if it is marked with the hp-legacy-display=1 parameter.

5.5.3.2.  Omitting Legacy Display Elements from text/plain

If a text/plain part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

   *  Discard the leading lines of the body of the part up to and including the first entirely blank line.

Note that implementing this strategy is dependent on the charset used by the MIME part.

See Appendix E.1 for an example.

5.5.3.3.  Omitting Legacy Display Elements from text/html

If a text/html part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

   *  If any element of the HTML is a <div> with class attribute header-protection-legacy-display, that entire element should be omitted.

This cleanup could be done, for example, as a custom rule in the MUA's HTML sanitizer, if one exists. Another implementation strategy for an HTML-capable MUA would be to add an entry to the [CSS] stylesheet for such a part:

   body div.header-protection-legacy-display { display: none; }

5.6.  Rendering a Wrapped Message

When the Cryptographic Payload has Content-Type of message/rfc822 or message/global, and the parameter hp is set to clear or cipher, and the parameter hp-scheme is set to wrapped, the values of the protected Header Fields are drawn from the Header Fields of the Cryptographic Payload, and the body that is rendered is the body of the Cryptographic Payload.

5.6.1.  Example Signed-Only Wrapped Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   J └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   K  └┬╴message/rfc822 [Cryptographic Payload]
   L   └┬╴multipart/alternative [Rendered Body]
   M    ├─╴text/plain
   N    └─╴text/html

The message body should be rendered the same way as this message:

   L └┬╴multipart/alternative
   M  ├─╴text/plain
   N  └─╴text/html

It should render Header Fields taken from part K.

Its Cryptographic Summary should indicate that the message was signed and all rendered Header Fields were included in the signature.

The MUA should ignore Header Fields from part J for the purposes of rendering.

5.6.2.  Example Signed-and-Encrypted Wrapped Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   O └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   P  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   Q   └┬╴message/rfc822 [Cryptographic Payload]
   R    └┬╴multipart/alternative [Rendered Body]
   S     ├─╴text/plain
   T     └─╴text/html

The message body should be rendered the same way as this message:

   R └┬╴multipart/alternative
   S  ├─╴text/plain
   T  └─╴text/html

It should render Header Fields taken from part Q.

Its Cryptographic Summary should indicate that the message is signed-and-encrypted.

When rendering the Cryptographic Status of a Header Field and when composing a reply, each Header Field found in Q should be considered against all HP-Outer Header Fields found in Q. If an HP-Outer Header Field is found that matches both the name and value, the Header Field's Cryptographic Status is just signed-only, even though the message itself is signed-and-encrypted. If no matching HP-Outer Header Field is found, the Header Field's Cryptographic Status is signed-and-encrypted, like the rest of the message.

The MUA should ignore Header Fields from part O for the purposes of rendering.

5.7.  Implicitly rendered Header Fields

While From, To, Cc, Subject, and Date are often explicitly rendered to the user, some Header Fields do affect message display, without being explicitly rendered.

For example, Message-Id, References, and In-Reply-To Header Fields may collectively be used to place a message in a "thread" or series of messages.

In another example, Section 7.2 observes that the value of the Reply-To field can influence the draft reply message. So while the user may never see the Reply-To Header Field directly, it is implicitly "rendered" when the user interacts with the message by replying to it.

An MUA that depends on any implicitly rendered Header Field in a message with Header Protection MUST use the value from the protected Header Field, and SHOULD NOT use any value found outside the cryptographic protection unless it is known to be a Header Field added in transit, as specified in Section 8.

5.8.  Handling Undecryptable Messages

An MUA might receive an apparently encrypted message that it cannot currently decrypt. For example, when an MUA does not have regular access to the secret key material needed for decryption, it cannot know the cryptographically protected Header Fields or even whether the message has any cryptographically protected Header Fields.

Such an undecrypted message will be rendered by the MUA as a message without any Header Protection. This means that the message summary may well change how it is rendered when the user is finally able to supply the secret key.

For example, the rendering of the Subject Header Field in a mailbox summary might change from [...] to the real message subject when the message is decrypted. Or the message's placement in a message thread might change if, say, References or In-Reply-To have been removed or obscured (see Section 5.7).

Additionally, if the MUA does not retain access to the decrypting secret key, and it drops the decrypted form of a message, the message's rendering may revert to the encrypted form. For example, if an MUA follows this behavior, the Subject Header Field in a mailbox summary might change from the real message subject back to [...]. Or the message might be yanked out of its current thread if the MUA loses access to a removed References or In-Reply-To header.

These behaviors are likely to surprise the user.
However, an MUA has several possible ways of reducing or avoiding all of these surprises, including:

   *  Ensuring that the MUA always has access to decryption-capable secret key material.
   *  Rendering undecrypted messages in a special quarantine view until the decryption-capable secret key material is available.

To reduce or avoid the surprises associated with a decrypted message with removed or obscured Header Fields becoming undecryptable, the MUA could also:

   *  Securely cache metadata from a decrypted message's protected Header Fields so that its rendering doesn't change after the first decryption.
   *  Securely store the session key associated with a decrypted message, so that attempts to read the message when the long-term secret key is unavailable can proceed using only the session key itself. See, for example, the discussion about stashing session keys in Section 9.1 of [I-D.ietf-lamps-e2e-mail-guidance].

5.9.  Guidance for Automated Message Handling

Some automated systems have a control channel that is operated by e-mail. For example, an incoming e-mail message could subscribe someone to a mailing list, initiate the purchase of a specific product, approve another message for redistribution, or adjust the state of some shared object.

To the extent that such a system depends on end-to-end cryptographic guarantees about the e-mail control message, Header Protection as described in this document should improve the system's security. This section provides some specific guidance for systems that use e-mail messages as a control channel that want to benefit from these security improvements.

5.9.1.  Interpret Only Protected Header Fields

Consider the situation where an e-mail-based control channel depends on the message's cryptographic signature and the action taken depends on some Header Field of the message.
In this case, the automated system MUST rely on information from the Header Field that is protected by the mechanism described in this document. It MUST NOT rely on any Header Field found outside the Cryptographic Payload.

For example, consider an administrative interface for a mailing list manager that only accepts control messages that are signed by one of its administrators. When an inbound message for the list arrives, it is queued (waiting for administrative approval) and the system generates and listens for two distinct e-mail addresses related to the queued message -- one that approves the message, and one that rejects it. If an administrator sends a signed control message to the approval address, the mailing list verifies that the protected To Header Field of the signed control message contains the approval address before approving the queued message for redistribution. If the protected To Header Field does not contain that address, or there is no protected To Header Field, then the mailing list logs or reports the error and does not act on that control message.

5.9.2.  Ignore Legacy Display Elements

Consider the situation where an e-mail-based control channel expects to receive an end-to-end encrypted message -- for example, where the control messages need confidentiality guarantees -- and where the action taken depends on the contents of some MIME part within the message body.

In this case, the automated system that decrypts the incoming messages and scans the relevant MIME part MUST identify when the MIME part contains a Legacy Display Element (see Section 5.5.3.1), and it MUST parse the relevant MIME part with the Legacy Display Element removed.

For example, consider an administrative interface of a confidential issue tracking software.
An authorized user can confidentially adjust the status of a tracked issue by a specially formatted first line of the message body (for example, severity #183 serious). When the user's MUA encrypts a plain text control message to this issue tracker, depending on the MUA's HCP and its choice of legacy value, it may add a Legacy Display Element. If it does so, then the first line of the message body will contain a decorative copy of the confidential Subject Header Field. The issue tracking software decrypts the incoming control message, identifies that there is a Legacy Display Element in the part (see Section 5.5.3.1), strips the lines comprising the Legacy Display Element (including the first blank line), and only then parses the remaining top line to look for the expected special formatting.

5.10.  Affordances for Debugging and Troubleshooting

Note that advanced users of an MUA may need access to the original message, for example to troubleshoot problems with the rendering MUA itself, or problems with the SMTP transport path taken by the message.

An MUA that applies these rendering guidelines SHOULD ensure that the full original source of the message as it was received remains available to such a user for debugging and troubleshooting.

If a troubleshooting scenario demands information about the cryptographically protected values of Header Fields, and the message is encrypted, the debugging interface SHOULD also provide a "source" view of the Cryptographic Payload itself, alongside the full original source of the message as received.

5.11.  Rendering Other Schemes

Other MUAs may have generated different structures of messages that aim to offer end-to-end cryptographic protections that include Header Protection.
This document is not normative for those schemes, and it is NOT RECOMMENDED to generate these other schemes, as they can either have structural flaws or simply render poorly on Legacy MUAs. A conformant MUA MAY attempt to infer Header Protection when rendering an existing message that appears to use some other scheme not documented here. Pointers to some known other schemes can be found in Appendix F.

6.  Sending Guidance

This section describes the process an MUA should use to apply cryptographic protection to an e-mail message with Header Protection.

When composing a message with end-to-end cryptographic protections, an MUA SHOULD apply Header Protection.

When generating such a message, an MUA MUST add the hp parameter (see Section 2.1.1) only to the Content-Type Header Field at the root of the message's Cryptographic Payload. The value of the parameter MUST indicate whether the Cryptographic Envelope contains a layer that provides encryption.

6.1.  Composing a Cryptographically Protected Message Without Header Protection

For contrast, we first consider the typical message composition process of a Legacy Crypto MUA which does not provide any Header Protection.

This process is described in Section 5.1 of [I-D.ietf-lamps-e2e-mail-guidance]. We replicate it here for reference. The inputs to the algorithm are:

   *  origbody: the traditional unprotected message body as a well-formed MIME tree (possibly just a single MIME leaf part). As a well-formed MIME tree, origbody already has structural Header Fields (Content-*) present.
   *  origheaders: the intended non-structural Header Fields for the message, represented here as a list of (h,v) pairs, where h is a Header Field name and v is the associated value. Note that these are Header Fields that the MUA intends to be visible to the recipient of the message.
      In particular, if the MUA uses the Bcc Header Field during composition, but plans to omit it from the message (see Section 3.6.3 of [RFC5322]), it will not be in origheaders.
   *  crypto: The series of cryptographic protections to apply (for example, "sign with the secret key corresponding to X.509 certificate X, then encrypt to X.509 certificates X and Y"). This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resultant MIME tree as output.

The algorithm returns a MIME object that is ready to be injected into the mail system.

6.1.1.  ComposeNoHeaderProtection

Method Signature:

   ComposeNoHeaderProtection(origbody, origheaders, crypto) → mime_message

Procedure:

   1.  Apply crypto to MIME part origbody, producing MIME tree output
   2.  For each Header Field name and value (h,v) in origheaders:
       i.  Add Header Field h to output with value v
   3.  Return output

6.2.  Composing with "Injected Headers" Header Protection

To compose a message using "Injected Headers" Header Protection, the composing MUA uses the following inputs:

   *  All the inputs described in Section 6.1
   *  hcp: a Header Confidentiality Policy, as defined in Section 3
   *  response: if the new message is a response to another message (e.g., "Reply", "Reply All", "Forward", etc), the MUA function corresponding to the user's action (see Section 5.4), otherwise null
   *  refmsg: if the new message is a response to another message, the message being responded to, otherwise null
   *  legacy: a boolean value, indicating whether any recipient of the message is believed to have a Legacy MUA. If all recipients are known to implement this document, legacy should be set to false.
      (How an MUA determines the value of legacy is out of scope for this document; an initial implementation can simply set it to true)

To enable visibility of User-Facing but now removed/obscured Header Fields for decryption-capable Legacy MUAs, the Header Fields are included as a decorative Legacy Display Element in specially marked parts of the message (see Section 2.1.3). This document recommends two mechanisms for such a decorative adjustment: one for a text/html Main Body Part of the e-mail message, and one for a text/plain Main Body Part. This document does not recommend adding a Legacy Display Element to any other part.

Please see Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for guidance on identifying the parts of a message that are a Main Body Part.

6.2.1.  ComposeInjectedHeaders

Method Signature:

   ComposeInjectedHeaders(origbody, origheaders, crypto, hcp, response, refmsg, legacy) → mime_message

Procedure:

   1.  Let newbody be a copy of origbody
   2.  If crypto contains encryption, and legacy is true:
       i.  Create ldlist, an empty list of (header, value) pairs
       ii. For each Header Field name and value (h,v) in origheaders:
           a.  If h is User-Facing (see Section 1.1.2 of [I-D.ietf-lamps-e2e-mail-guidance]):
               I.  If hcp(h,v) is not v:
                   A.  Add (h,v) to ldlist
       iii. If ldlist is not empty:
           a.  Identify each leaf MIME part of newbody that represents the "main body" of the message.
           b.  For each "Main Body Part" bodypart of type text/plain or text/html:
               I.  Adjust bodypart by inserting a Legacy Display Element header list ldlist into its content, and adding a Content-Type parameter hp-legacy-display with value 1 (see Section 6.2.2 for text/plain and Section 6.2.3 for text/html)
   3.  For each Header Field name and value (h,v) in origheaders:
       i.  Add Header Field h to MIME part newbody with value v
   4.  If crypto does not contain encryption:
       i.  Set the hp parameter on the Content-Type of MIME part newbody to clear
       ii. Let newheaders be a copy of origheaders
   5.  Else (if crypto contains encryption):
       i.  Set the hp parameter on the Content-Type of MIME part newbody to cipher
       ii. If refmsg is not null, response is not null, and refmsg itself is encrypted with header protection:
           a.  Let response_hcp be a single-use HCP derived from response and refmsg (see Section 5.4)
       iii. Else (if this is not a response to an encrypted, header-protected message):
           a.  Set response_hcp to hcp_no_confidentiality
       iv. Create new empty list of Header Field names and values newheaders
       v.  For each Header Field name and value (h,v) in origheaders:
           a.  Let newval be hcp(h,v)
           b.  If newval is v:
               I.  Let newval be response_hcp(h,v)
           c.  If newval is not null:
               I.  Add (h,newval) to newheaders
       vi. For each Header Field name and value (h,v) in newheaders:
           a.  Let string record be the concatenation of h, a literal ": " (ASCII colon (0x3A) followed by ASCII space (0x20)), and v
           b.  Add Header Field "HP-Outer" to MIME part newbody with value record
   6.  Apply crypto to MIME part newbody, producing MIME tree output
   7.  For each Header Field name and value (h,v) in newheaders:
       i.  Add Header Field h to output with value v
   8.  Return output

Note that both new parameters (hcp and legacy) are effectively ignored if crypto does not contain encryption. This is by design, because they are irrelevant for signed-only cryptographic protections.

6.2.2.  Adding a Legacy Display Element to a text/plain Part

For a list of obscured and removed User-Facing Header Fields represented as (header, value) pairs, concatenate them as a set of lines, with one newline at the end of each pair. Add an additional trailing newline after the resultant text, and prepend the entire list to the body of the text/plain part.
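An added Python sketch, not taken from the draft or from any MUA, of the encrypting path of ComposeInjectedHeaders (Section 6.2.1) for a single text/plain payload, together with ReferenceHCP (Section 5.4.1) and the text/plain Legacy Display Element handling of Sections 6.2.2 and 5.5.3.2. The function names, the reply stand-in for the MUA's respond function, example_hcp, the USER_FACING subset and the tuple-list representation of headers are assumptions of the example; applying crypto is left to the caller.

```python
# Headers are lists of (name, value) tuples; all names below are hypothetical.
USER_FACING = {"from", "to", "cc", "subject", "date"}  # assumed subset


def hcp_no_confidentiality(name, value):
    return value


def example_hcp(name, value):
    """Constructed policy for this example: obscure Subject, remove Cc."""
    if name.lower() == "subject":
        return "[...]"
    return None if name.lower() == "cc" else value


def reply(headers):
    """Constructed stand-in for the MUA's "Reply" respond function."""
    out = []
    for h, v in headers:
        if h.lower() == "subject":
            out.append(("Subject", v if v.lower().startswith("re: ") else "Re: " + v))
        elif h.lower() == "from":
            out.append(("To", v))
        elif h.lower() == "message-id":
            out.append(("In-Reply-To", v))
    return out


def reference_hcp(refouter, refprotected, respond):
    """ReferenceHCP (Section 5.4.1), given the two lists from Section 5.2."""
    genprotected, genouter = respond(refprotected), respond(refouter)
    common = [p for p in genprotected if p in genouter]
    genprotected = [p for p in genprotected if p not in common]
    genouter = [p for p in genouter if p not in common]
    confmap = {}
    for h, v in genprotected:
        result = None  # null: remove the field unless the outer reply has one
        for h1, v1 in genouter:
            if h1.lower() == h.lower():
                result = v1
        confmap[(h.lower(), v)] = result

    def ephemeral_hcp(name, val_in):
        key = (name.lower(), val_in)
        return confmap[key] if key in confmap else val_in
    return ephemeral_hcp


def compose_injected(body, origheaders, hcp, response_hcp, legacy=True):
    """Steps 1-5 of ComposeInjectedHeaders (Section 6.2.1) when crypto encrypts
    and the Cryptographic Payload is one text/plain part. Returns the payload's
    Header Fields, its body, and the outer Header Fields; applying crypto
    (step 6) and attaching the outer fields (step 7) are the caller's job."""
    ctype = 'text/plain; charset="UTF-8"; hp="cipher"'
    ldlist = [(h, v) for h, v in origheaders
              if legacy and h.lower() in USER_FACING and hcp(h, v) != v]
    if ldlist:  # Section 6.2.2: header lines, one blank line, then the body
        body = "".join(f"{h}: {v}\n" for h, v in ldlist) + "\n" + body
        ctype += '; hp-legacy-display="1"'
    newheaders = []
    for h, v in origheaders:
        newval = hcp(h, v)
        if newval == v:  # sender's HCP leaves it alone; consult the reply HCP
            newval = response_hcp(h, v)
        if newval is not None:
            newheaders.append((h, newval))
    payload = [("Content-Type", ctype)] + list(origheaders)
    payload += [("HP-Outer", f"{h}: {v}") for h, v in newheaders]
    return payload, body, newheaders


def strip_legacy_display(body):
    """Receiver side (Section 5.5.3.2), for a part marked hp-legacy-display=1:
    discard the leading lines up to and including the first blank line."""
    lines = body.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip("\r\n") == "":
            return "".join(lines[i + 1:])
    return body
```

With hcp_no_confidentiality as the sender's policy, a reply whose Subject is still "Re: Thursday's meeting" goes out as "Re: [...]" because the referenced message obscured its Subject; once the user edits the Subject, the single-use HCP no longer matches and the sender's own policy decides.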

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/plain Main Body Part that originally looked like this:

   Content-Type: text/plain; charset=UTF-8

   I think we should skip the meeting.

Would become:

   Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1

   Subject: Thursday's meeting
   Cc: alice@example.net

   I think we should skip the meeting.

Note that the Legacy Display Element (the lines beginning with Subject: and Cc:) are part of the body of the MIME part in question.

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why no additional Header Fields have been injected into the MIME part in this example.

6.2.3.  Adding a Legacy Display Element to a text/html Part

Adding a Legacy Display Element to a text/html part is similar to how it is added to a text/plain part (see Section 6.2.2). Instead of adding the obscured or removed User-Facing Header Fields to a block of text delimited by a blank line, the composing MUA injects them in an HTML <div> element annotated with a class attribute of header-protection-legacy-display.

The content and formatting of this decorative <div> have no strict requirements, but they MUST represent all the obscured and removed User-Facing Header Fields in a readable fashion. A simple approach is to assemble the text in the same way as Section 6.2.2, wrap it in a verbatim <pre> element, and put that element in the annotated <div>.

The annotated <div> should be placed as close to the start of the <body> as possible, where it will be visible when viewed with a standard HTML renderer.

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/html Main Body Part that originally looked like this:

Content-Type: text/html; charset=UTF-8

I think we should skip the meeting.

Would become: Content-Type: text/html; charset=UTF-8; hp-legacy-display=1
Subject: Thursday's meeting
   Cc: alice@example.net

I think we should skip the meeting.

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why no additional Header Fields have been injected into the MIME part in this example.

6.2.3.1. Step-by-step Example for Inserting Legacy Display Element to text/html

A composing MUA MAY insert the Legacy Display Element anywhere reasonable within the message as long as it prioritizes visibility for the reader using a Legacy decryption-capable MUA. This decision may take into account special message-specific HTML formatting expectations if the MUA is aware of them. However, some MUAs may not have any special insight into the user's preferred HTML formatting, and still want to insert a Legacy Display Element. This section offers a non-normative, simple, and minimal step-by-step approach for a composing MUA that has no other information or preferences to fall back on.

The process below assumes that the MUA already has the full HTML object that it intends to send, including all of the text supplied by the user.

1.  Assemble the text exactly as specified for text/plain (see Section 6.2.2).
2.  Wrap that text in a verbatim <pre> element.
3.  Wrap that <pre> element in a <div> element annotated with the class header-protection-legacy-display.
4.  Find the <body> element of the full HTML object.
5.  Insert the <div> element as the first child of the <body> element.

6.2.4. Only Add a Legacy Display Element to Main Body Parts

Some messages may contain a text/plain or text/html subpart that is _not_ a Main Body Part. For example, an e-mail message might contain an attached text file or a downloaded webpage. Attached documents need to be preserved as intended in the transmission, without modification.

The composing MUA MUST NOT add a Legacy Display Element to any part of the message that is not a Main Body Part. In particular, if a part is annotated with Content-Disposition: attachment, or if it does not descend via the first child of any of its multipart/mixed or multipart/related ancestors, it is not a Main Body Part, and MUST NOT be modified.

See Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for more guidance about common ways to distinguish Main Body Parts from other MIME parts in a message.

6.2.5. Do Not Add a Legacy Display Element to Other Content-Types

The purpose of injecting a Legacy Display Element into each Main Body MIME part is to enable rendering of otherwise obscured Header Fields in Legacy MUAs that are capable of message decryption, but don't know how to follow the rest of the guidance in this document.

The authors are unaware of any Legacy MUA that would render any MIME part type other than text/plain and text/html as the Main Body. A generating MUA SHOULD NOT add a Legacy Display Element to any MIME part with any other Content-Type.

6.3. Composing with "Wrapped Message" Header Protection

To compose a message using "Wrapped Message" Header Protection, the composing MUA uses the following inputs:

*  All the inputs described in Section 6.1
*  hcp: a Header Confidentiality Policy, as defined in Section 3
*  response: if the new message is a response to another message (e.g., "Reply", "Reply All", "Forward", etc), the MUA function corresponding to the user's action (see Section 5.4), otherwise null
*  refmsg: if the new message is a response to another message, the message being responded to, otherwise null

6.3.1. ComposeWrappedMessage

Method Signature:

    ComposeWrappedMessage(origbody, origheaders, crypto, hcp, response, refmsg) → mime_message

Procedure:

1.  Let newbody be a copy of origbody

2.  For each Header Field name and value (h,v) in origheaders:
    i.  Add Header Field h to MIME part newbody with value v

3.  If crypto does not contain encryption:
    i.  Let newheaders be a copy of origheaders

4.  Else (if crypto contains encryption):
    i.   If refmsg is not null, response is not null, and refmsg itself is encrypted with header protection:
         a.  Let response_hcp be a single-use HCP derived from response and refmsg (see Section 5.4)
    ii.  Else (if this is not a response to an encrypted, header-protected message):
         a.  Set response_hcp to hcp_no_confidentiality
    iii. Create new empty list of Header Field names and values newheaders
    iv.  For each Header Field name and value (h,v) in origheaders:
         a.  Let newval be hcp(h,v)
         b.  If newval is v:
             I.  Let newval be response_hcp(h,v)
         c.  If newval is not null:
             I.  Add (h,newval) to newheaders
    v.   For each Header Field name and value (h,v) in newheaders:
         a.  Let string record be the concatenation of h, a literal ": " (ASCII colon (0x3A) followed by ASCII space (0x20)), and v
         b.  Add Header Field "HP-Outer" to MIME part newbody with value record

5.  If any of the Header Fields in MIME part newbody, including Header Fields in the nested internal MIME structure, contain any 8-bit UTF-8 characters (see Section 3.7 of [RFC6532]):
    i.  Let payload be a new MIME part with one Header Field: Content-Type: message/global

6.  Else:
    i.  Let payload be a new MIME part with one Header Field: Content-Type: message/rfc822

7.  If crypto contains encryption:
    i.  Add a parameter hp="cipher" to the Content-Type Header Field of payload

8.  Else (if crypto does not contain encryption):
    i.  Add a parameter hp="clear" to the Content-Type Header Field of payload

9.  Add a parameter hp-scheme="wrapped" to the Content-Type Header Field of payload

10. Set the body of payload to newbody.

11. Add a Content-Disposition Header Field to MIME part payload with value inline

12. Apply crypto to MIME part payload, producing MIME tree output

13. For each Header Field name and value (h,v) in newheaders:
    i.  Add Header Field h to output with value v

14. Return output

Note that the Header Confidentiality Policy hcp parameter is effectively ignored if crypto does not contain encryption. This is by design, because a signed-only message cannot provide confidentiality.

7. Replying and Forwarding Guidance

When composing a reply to a message with Header Protection, the MUA is acting both as a receiving MUA and as a sending MUA. For encrypted messages, special guidance applies, because information can leak in at least two ways: leaking previously confidential Header Fields, and leaking the entire message by replying to the wrong party.

Many MUAs also offer "Forward Message" functionality which has the potential to leak previously confidential Header Fields.

7.1. Avoid Leaking Encrypted Header Fields in Replies and Forwards

As noted in Section 5.4 of [I-D.ietf-lamps-e2e-mail-guidance], an MUA in this position MUST NOT leak previously encrypted content in the clear in a follow-up message. The same is true for protected Header Fields.

Values from any Header Field that was identified as either encrypted-only or signed-and-encrypted based on the steps outlined above MUST NOT be placed in cleartext output when generating a message.

In particular, if Subject was encrypted, and it is copied into the draft encrypted reply, the replying MUA MUST obscure the unprotected (cleartext) Subject Header Field as described above.

When crafting the Header Fields for a reply or forwarded message, the composing MUA SHOULD make use of the HP-Outer Header Fields from within the Cryptographic Envelope of the reference message to ensure that Header Fields derived from the reference message do not leak in the reply.

See Section 5.4 for an explicit algorithm to handle this cleanly.

Consider a Header Field in a reply message that is generated by derivation from a Header Field in the reference message. For example, the To Header Field is typically derived from the reference message's Reply-To or From Header Fields. When generating the outer copy of the Header Field, the composing MUA first applies its own Header Confidentiality Policy. If the Header Field's value is changed by the HCP, then it is applied to the outside header. If the Header Field's value is unchanged, the composing MUA re-generates the Header Field using the Header Fields that had been on the outside of the original message at sending time. These can be inferred from the HP-Outer Header Fields located within the Cryptographic Payload of the referenced message. If that value is itself different than the protected value, then it is applied to the outside header.
If the value is the same as the protected value, then it is simply copied to the outside header directly. Whether it was changed or not, it is noted in the protected Header Section using HP-Outer, as described in Section 2.2.1.

See Appendix D.2 for a simple worked example of this process.

7.2. Avoid Misdirected Replies

When replying to a message, the Composing MUA typically decides who to send the reply to based on:

*  the Reply-To, Mail-Followup-To, or From Header Fields
*  optionally, the other To or Cc Header Fields (if the user chose to "reply all")

When a message has Header Protection, the replying MUA MUST populate the destination fields of the draft message using the protected Header Fields, and ignore any unprotected Header Fields.

This mitigates against an attack where Mallory gets a copy of an encrypted message from Alice to Bob, and then replays the message to Bob with an additional Cc to Mallory's own e-mail address in the message's outer (unprotected) Header Section.

If Bob knows Mallory's certificate already, and he replies to such a message without following the guidance in this section, it's likely that his MUA will encrypt the cleartext of the message directly to Mallory.

8. Unprotected Header Fields Added in Transit

Some Header Fields are legitimately added in transit and could not have been known to the sender at message composition time.

The most common of these Header Fields are Received and DKIM-Signature, neither of which are typically rendered, either explicitly or implicitly.

If a receiving MUA has specific knowledge about a given Header Field, including that:

*  the Header Field would not have been known to the original sender, and
*  the Header Field might be rendered explicitly or implicitly,

then the MUA MAY decide to operate on the value of that Header Field from the unprotected Header Section, even though the message has Header Protection.

The MUA MAY prefer to verify that the Header Fields in question have additional transit-derived cryptographic protections before rendering or acting on them. For example, the MUA could verify whether these Header Fields are covered by an appropriate and valid ARC-Authentication-Results (see [RFC8617]) or DKIM-Signature (see [RFC6376]) Header Field.

Specific examples of user-meaningful Header Fields commonly added by transport agents appear below.

8.1. Mailing list Header Fields: List-* and Archived-At

If the message arrives through a mailing list, the list manager itself may inject Header Fields (most have a List- prefix) in the message:

*  List-Archive
*  List-Subscribe
*  List-Unsubscribe
*  List-Id
*  List-Help
*  List-Post
*  Archived-At

For some MUAs, these Header Fields are implicitly rendered, by providing buttons for actions like "Subscribe", "View Archived Version", "Reply List", "List Info", etc.

An MUA that receives a message with Header Protection that contains these Header Fields in the unprotected section, and that has reason to believe the message is coming through a mailing list MAY decide to render them to the user (explicitly or implicitly) even though they are not protected.

9. E-mail Ecosystem Evolution

This document is intended to offer tooling needed to improve the state of the e-mail ecosystem in a way that can be deployed without significant disruption.
Some elements of this specification are present for transitional purposes, but would not exist if the system were designed from scratch.

This section describes these transitional mechanisms, as well as some suggestions for how they might eventually be phased out.

9.1. Dropping Legacy Display Elements

Any decorative Legacy Display Element added to an encrypted message that uses the Injected Header scheme is present strictly for enabling Header Field visibility (most importantly, the Subject Header Field) when the message is viewed with a decryption-capable Legacy MUA.

Eventually, the hope is that most decryption-capable MUAs will conform to this specification, and there will be no need for injection of Legacy Display Elements in the message body. A survey of widely used decryption-capable MUAs might be able to establish when most of them do support this specification.

At that point, a composing MUA could set the legacy parameter described in Section 6.2 to false by default or could even hard-code it to false, yielding a much simpler message construction set.

Until that point, an end user might want to signal that their receiving MUAs are conformant to this document so that a peer composing a message to them can set legacy to false. A signal indicating capability of handling messages with Header Protection might be placed in the user's cryptographic certificate, or in outbound messages.

This document does not attempt to define the syntax or semantics of such a signal.

9.2. More Ambitious Default Header Confidentiality Policy

This document defines a few different forms of Header Confidentiality Policy. An MUA implementing an HCP for the first time SHOULD deploy hcp_baseline as recommended in Section 3.3. This HCP offers the most commonly expected protection (obscuring the Subject Header Field) without risking deliverability or rendering issues.

The HCPs proposed in this document are relatively conservative and still leak a significant amount of metadata for encrypted messages. This is largely done to ensure deliverability (see Section 1.4.2) and usability, as messages without some critical Header Fields are more likely to not reach their intended recipient.

In the future, some mail transport systems may accept and deliver messages with even less publicly visible metadata. Many MTA operators today would ask for additional guarantees about such a message to limit the risks associated with abusive or spammy mail.

This specification offers the HCP formalism itself as a way for MUA developers and MTA operators to describe their expectations around message deliverability. MUA developers can propose a more ambitious default HCP, and ask MTA operators (or simply test) whether their MTAs would be likely to deliver or reject encrypted mail with that HCP applied. Proponents of a more ambitious HCP should explicitly document the HCP and name it clearly and unambiguously to facilitate this kind of interoperability discussion.

Reaching widespread consensus around a more ambitious global default HCP is a challenging problem of coordinating many different actors. A piecemeal approach might be more feasible, where some signalling mechanism allows a message recipient, MTA operator, or third-party clearinghouse to announce what kinds of HCPs are likely to be deliverable for a given recipient. In such a situation, the default HCP for an MUA might involve consulting the signalled acceptable HCPs for all recipients, and combining them (along with a default for when no signal is present) in some way.

If such a signal were to reach widespread use, it could also be used to guide reasonable statistical default HCP choices for recipients with no signal.

This document does not attempt to define the syntax or semantics of such a signal.

9.3. Deprecation of Messages Without Header Protection

At some point, when the majority of MUA clients can generate cryptographically protected messages with Header Protection, it should be possible to deprecate any cryptographically protected message that does not have Header Protection.

For example, as noted in Section 10.1, it's possible for an MUA to render a signed-only message that has no Header Protection the same as an unprotected message. And a signed-and-encrypted message without Header Protection could likewise be marked as not fully protected.

These stricter rules could be adopted immediately for all messages. Or an MUA developer could roll them out immediately for any new message, but still treat an old message (based on the Date Header Field and cryptographic signature timestamp) more leniently.

A decision like this by any popular receiving MUA could drive adoption of this standard for sending MUAs.

10. Usability Considerations

This section describes concerns for MUAs that are interested in easy adoption of Header Protection by normal users.

While they are not protocol-level artifacts, these concerns motivate the protocol features described in this document.

See also the Usability commentary in Section 2 of [I-D.ietf-lamps-e2e-mail-guidance].

10.1. Mixed Protections Within a Message Are Hard To Understand

When rendering a message to the user, the ideal circumstance is to present a single cryptographic status for any given message. However, when message Header Fields are present, some message Header Fields do not have the same cryptographic protections as the main message.

Representing such a mixed set of protection statuses is very difficult to do in a way that an Ordinary User can understand. There are at least three scenarios that are likely to be common, and poorly understood:

*  A signed message with no Header Protection.
*  A signed-and-encrypted message with no Header Protection.
*  A signed-and-encrypted message with Header Protection as described in this document, where some User-Facing Header Fields have confidentiality but some do not.

An MUA should have a reasonable strategy for clearly communicating each of these scenarios to the user. For example, an MUA operating in an environment where it expects most cryptographically protected messages to have Header Protection could use the following rendering strategy:

*  When rendering a message with signed-only cryptographic status but no Header Protection, an MUA may decline to indicate a positive security status overall, and only indicate the cryptographic status to a user in a message properties or diagnostic view. That is, the message may appear identical to an unsigned message except if a user verifies the properties through a menu option.
*  When rendering a message with signed-and-encrypted or encrypted-only cryptographic status but no Header Protection, overlay a warning flag on the typical cryptographic status indicator. That is, if a typical signed-and-encrypted message displays a lock icon, display a lock icon with a warning sign (e.g., an exclamation point in a triangle) overlaid. See, for example, the graphics in [chrome-indicators].
*  When rendering a message with signed-and-encrypted or encrypted-only cryptographic status, with Header Protection, but where the Subject Header Field has not been removed or obscured, place a warning sign on the Subject line.

Other simple rendering strategies could also be reasonable.

10.2. Users Should Not Have To Choose a Header Confidentiality Policy

This document defines the abstraction of a Header Confidentiality Policy object for the sake of communication between implementers and deployments.
Most e-mail users are unlikely to understand the tradeoffs between different policies. In particular, the potential negative side effects (e.g., poor deliverability) may not be easily attributable by a normal user to a particular HCP.

Therefore, MUA implementers should be conservative in their choice of default HCP, and should not require the Ordinary User to make an incomprehensible choice that could cause unfixable, undiagnosable problems. The safest option is for the MUA developer to select a known, stable HCP (this document recommends hcp_baseline in Section 3.3) on the user's behalf. An MUA should not expose the Ordinary User to a configuration option where they are expected to manually select (let alone define) an HCP.

10.3. Users Should Not Have To Choose a Header Protection Scheme

This document describes two Header Protection schemes: Injected Headers (Section 4.1) and Wrapped Messages (Section 4.2). These distinct schemes are described for the sake of implementers who may have to deal with messages found in the wild, but their intended semantics are identical. They represent different tradeoffs in terms of rendering and user experience on the recipient's side, which an Ordinary User writing a message is not prepared to select.

When composing a message with cryptographic protections, the Ordinary User should not be confronted with any choices about which Header Protection scheme to use. Rather, the MUA developer should use a single scheme for all outbound cryptographically protected messages. This document recommends the Injected Headers scheme (see Section 2).

11. Security Considerations

Header Protection improves the security of cryptographically protected e-mail messages.
Following the guidance in this document improves security for users by more directly aligning the underlying messages with user expectations about confidentiality, authenticity, and integrity.

Nevertheless, helping the user distinguish between cryptographic protections of various messages remains a security challenge for MUAs. This is exacerbated by the fact that many existing messages with cryptographic protections do not employ Header Protection. MUAs encountering these messages (e.g., in an archive) will need to handle older forms (without Header Protection) for quite some time, possibly forever.

The security considerations from Section 6 of [RFC8551] continue to apply for any MUA that offers S/MIME cryptographic protections, as well as Section 3 of [RFC5083] (Authenticated-Enveloped-Data in CMS) and Section 14 of [RFC5652] (CMS more broadly). Likewise, the security considerations from Section 8 of [RFC3156] continue to apply for any MUA that offers PGP/MIME cryptographic protections, as well as Section 13 of [I-D.ietf-openpgp-crypto-refresh-13] (OpenPGP itself). In addition, these underlying security considerations are now also applicable to the contents of the message header, not just the message body.

11.1. Avoid Cryptographic Summary Confusion from hp Parameter

When parsing a message, the recipient MUA infers the message's Cryptographic Status from the Cryptographic Layers, as described in Section 4.6 of [I-D.ietf-lamps-e2e-mail-guidance].

The Cryptographic Layers that make up the Cryptographic Envelope describe an ordered list of cryptographic properties as present in the message after it has been delivered. By contrast, the hp parameter to the Content-Type Header Field contains a simpler indication: whether the sender originally tried to encrypt the message or not.
In particular, for a message with Header Protection, the Cryptographic Payload should have a hp parameter of cipher if the message is encrypted (in addition to signed), and clear if no encryption is present (that is, the message is signed-only).

As noted in Section 2.1.1, the receiving implementation should not inflate its estimation of the confidentiality of the message or its Header Fields based on the sender's intent, if it can see that the message was not actually encrypted. A signed-only message that happens to have an hp parameter of cipher is still signed-only.

Conversely, since the encrypting Cryptographic Layer is typically outside the signature layer (see Section 5.2 of [I-D.ietf-lamps-e2e-mail-guidance]), an originally signed-only message could have been wrapped in an encryption layer by an intervening party before receipt, to appear encrypted.

If a message appears to be wrapped in an encryption layer, and the hp parameter is present but is not set to cipher, then it is likely that the encryption layer was not added by the original sender. For such a message, the lack of any HP-Outer Header Field in the Header Section of the Cryptographic Payload MUST NOT be used to infer that all Header Fields were removed from the message by the original sender. In such a case, the receiving MUA SHOULD treat every Header Field as though it was not confidential.

11.2. Caution about Composing with Legacy Display Elements

When composing a message, it's possible for a Legacy Display Element to contain risky data that could trigger errors in a rendering client.

For example, if the value for a Header Field to be included in a Legacy Display Element within a given body part contains folding whitespace, it should be "unfolded" before generating the Legacy Display Element: all contiguous folding whitespace should be replaced with a single space character. Likewise, if the header value was
originally encoded with [RFC2047], it should be decoded first to a standard string and re-encoded using the charset appropriate to the target part.

When including a Legacy Display Element in a text/plain part (see Section 6.2.2), if the decoded Subject Header Field contains a pair of newlines (e.g., if it is broken across multiple lines by encoded newlines), any newline MUST be stripped from the Legacy Display Element. If the pair of newlines is not stripped, a receiving MUA that follows the guidance in Section 5.5.3.2 might leave the later part of the Legacy Display Element in the rendered message.

When including a Legacy Display Element in a text/html part (see Section 6.2.3), any material in the header values should be explicitly HTML escaped to avoid being rendered as part of the HTML. At a minimum, the characters <, >, and & should be escaped to &lt;, &gt;, and &amp;, respectively (see for example [HTML-ESCAPES]). If unescaped characters from removed or obscured header values end up in the Legacy Display Element, a receiving MUA that follows the guidance in Section 5.5.3.3 might fail to identify the boundaries of the Legacy Display Element, cutting out more than it should, or leaving remnants visible. And a Legacy MUA parsing such a message might misrender the entire HTML stream, depending on the content of the removed or obscured header values.

The Legacy Display Element is a decorative addition solely to enable visibility of obscured or removed Header Fields in decryption-capable Legacy MUAs. When it is produced, it should be generated minimally and strictly, as described above, to avoid damaging the rest of the message.

11.3. Plaintext Attacks

An encrypted e-mail message using S/MIME or PGP/MIME tends to have some amount of predictable plaintext.
For example, the standard MIME headers of the Cryptographic Payload of a message are often a predictable sequence of bytes, even without Header Protection, when they only include the Structural Header Fields MIME-Version and Content-Type. This is a potential risk for known-plaintext attacks. Including protected Header Fields as described in this document increases the amount of known plaintext. Since some of those headers in a reply will be derived from the message being replied to, this also creates a potential risk for chosen-plaintext attacks, in addition to known-plaintext attacks.

Modern message encryption mechanisms are expected to be secure against both known-plaintext attacks and chosen-plaintext attacks. An MUA composing an encrypted message should ensure that it is using such a mechanism, regardless of whether it does Header Protection.

12. Privacy Considerations

12.1. Leaks When Replying

The encrypted Header Fields of a message may accidentally leak when replying to the message. See the guidance in Section 7.

12.2. Encrypted Header Fields Are Not Always Private

For encrypted messages, depending on the sender's HCP, some Header Fields may appear both within the Cryptographic Envelope and on the outside of the message (e.g., Date might exist identically in both places). Section 5.3 identifies such a Header Field as signed-only. These Header Fields are clearly _not_ private at all, despite a copy being inside the Cryptographic Envelope.

A Header Field whose name and value are not matched verbatim by any HP-Outer Header Field from the same part will have encrypted-only or signed-and-encrypted status. But even Header Fields with these stronger levels of cryptographic confidentiality protection might not be as private as the user would like.

See the examples below.

This concern is true for any encrypted data, including the body of the message, not just the Header Fields: if the sender isn't careful, the message contents or session keys can leak in many ways that are beyond the scope of this document. The message recipient has no way in principle to tell whether the apparent confidentiality of any given piece of encrypted content has been broken via channels that they cannot perceive. Additionally, an active intermediary aware of the recipient's public key can always encrypt a cleartext message in transit to give the recipient a false sense of security.

12.2.1. Encrypted Header Fields Can Leak Unwanted Information to the Recipient

For encrypted messages, even with an ambitious HCP that successfully obscures most Header Fields from all transport agents, Header Fields will be ultimately visible to all intended recipients. This can be especially problematic for Header Fields that are not user-facing, which the sender may not expect to be injected by their MUA. Consider the three following examples:

*  The MUA may inject a User-Agent Header Field that describes itself to every recipient, even though the sender may not want the recipient to know the exact version of their OS, hardware platform, or MUA.
*  The MUA may have an idiosyncratic way of generating a Message-ID header, which could embed the choice of MUA, a time zone, a hostname, or other subtle information to a knowledgeable recipient.
*  The MUA may erroneously include a Bcc Header Field in the origheaders of a copy of a message sent to the named recipient, defeating the purpose of using Bcc instead of Cc (see Section 12.4 for more details about risks related to Bcc).

Clearly, no end-to-end cryptographic protection of any Header Field as described in this document will hide such a sensitive field from the intended recipient.
Instead, the composing MUA MUST populate the origheaders list for any outbound message with only information the recipient should have access to. This is true for messages without any cryptographic protection as well, of course, and it is even worse there: such a leak is exposed to the transport agents as well as the recipient. An encrypted message with Header Protection and a more ambitious Header Confidentiality Policy avoids these leaks exposing information to the transport agents but cannot defend against such a leak to the recipient.

12.2.2.  Encrypted Header Fields Can Be Inferred From External or Internal Metadata

For example, if the To and Cc Header Fields are removed from the unprotected Header Section, the values in those fields might still be inferred with high probability by an adversary who looks at the message either in transit or at rest. If the message is found in, or being delivered to a mailbox for bob@example.org, it's likely that Bob was in either To or Cc. Furthermore, encrypted message ciphertext may hint at the recipients: for S/MIME messages, the RecipientInfo, and for PGP/MIME messages the key ID in the Public Key Encrypted Session Key (PKESK) packets will all hint at a specific set of recipients. Additionally, an MTA that handles the message may add a Received Header Field (or some other custom Header Field) that leaks some information about the nature of the delivery.

12.2.3.  Encrypted Header Fields May Not Be Fully Masked by HCP

In another example, if the HCP modifies the Date header to mask out high-resolution time stamps (e.g., rounding to the most recent hour) and to convert the local time zone to UTC, some information about the date of delivery will still be attached to the e-mail. At the very least, the low resolution, global version of the date will be present on the message.
Additionally, Header Fields like Received that are added during message delivery might include higher-resolution timestamps. And if the message lands in a mailbox that is ordered by time of receipt, even its placement in the mailbox and the non-obscured Date Header Fields of the surrounding messages could leak this information.

Some Header Fields like From may be impossible to fully obscure, as many modern message delivery systems depend on at least domain information in the From Header Field for determining whether a message is coming from a domain with "good reputation" (that is, from a domain that is not known for leaking spam). So even if an ambitious HCP opts to remove the human-readable part from any From Header Field, and to standardize/genericize the local part of the From address, the domain will still leak.

12.3.  A Naive Recipient May Overestimate the Cryptographic Status of a Header Field in an Encrypted Message

When an encrypted (or signed-and-encrypted) message is in transit, an active intermediary can strip or tamper with any Header Field that appears outside the Cryptographic Envelope. A receiving MUA that naively infers cryptographic status from differences between the external Header Fields and those found in the Cryptographic Envelope could be tricked into overestimating the protections afforded to some Header Fields.

For example, if the original sender's HCP passes through the Cc Header Field unchanged, a cleanly delivered message would indicate that the Cc Header Field has a cryptographic status of signed. But if an intermediary attacker simply removes the Header Field from the unprotected Header Section before forwarding the message, then the naive recipient might believe that the field has a cryptographic status of signed-and-encrypted. This document offers protection against such an attack by way of the HP-Outer Header Fields that can be found on the Cryptographic Payload.
If a Header Field appears to have been obscured by inspection of the outer message, but an HP-Outer Header Field matches it exactly, the receiving MUA can indicate to the user that the Header Field in question may not have been confidential.

In such a case, a cautious MUA may render the Header Field in question as signed (because the sender did not hide it), but still treat it as signed-and-encrypted during reply, to avoid accidental leakage of the cleartext value in the reply message, as described in Section 7.1.

12.4.  Privacy and Deliverability Risks with Bcc and Encrypted Messages

As noted in Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance], handling Bcc when generating an encrypted e-mail message can be particularly tricky. With Header Protection, there is an additional wrinkle.

When an encrypted e-mail message with Header Protection has a Bcc'ed recipient, and the composing MUA explicitly includes the Bcc'ed recipient's address in their copy of the message (see the "second method" in Section 3.6.3 of [RFC5322]), that Bcc Header Field will always be visible to the Bcc'ed recipient.

In this scenario, though, the composing MUA has one additional choice: whether to hide the Bcc Header Field from intervening message transport agents, by returning null when the HCP is invoked for Bcc.

If the composing MUA's rationale for including an explicit Bcc in the copy of the message sent to the Bcc recipient is to ensure deliverability via a message transport agent that inspects message Header Fields, then stripping the Bcc field during encryption may cause the intervening transport agent to drop the message entirely. This is why Bcc is not explicitly stripped in hcp_baseline.
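The HP-Outer check described in Section 12.3, worked through as an added example (not code from this document or its authors). It assumes HP-Outer values of the form "Name: value" (Section 2.2.1), compares names case-insensitively and values after whitespace normalisation, and uses constructed sample messages; all function names are hypothetical.

```python
"""Added example: HP-Outer-aware status of protected Header Fields."""
from email import message_from_string

SIGNED = "signed"
SIGNED_AND_ENCRYPTED = "signed-and-encrypted"

# Constructed sample: Header Section of the decrypted Cryptographic Payload of
# a signed-and-encrypted message whose sender's HCP obscured only Subject.
PAYLOAD = """\
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; hp="cipher"
Subject: Budget draft
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Cc: Carol <carol@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500
HP-Outer: Subject: [...]
HP-Outer: From: Alice <alice@smime.example>
HP-Outer: To: Bob <bob@smime.example>
HP-Outer: Cc: Carol <carol@smime.example>
HP-Outer: Date: Sat, 20 Feb 2021 10:09:02 -0500

Body text.
"""

# Constructed sample: unprotected (outer) Header Section as the sender emitted it.
OUTER_AS_SENT = """\
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Cc: Carol <carol@smime.example>
Date: Sat, 20 Feb 2021 10:09:02 -0500

(ciphertext omitted)
"""

# The same message as delivered after an intermediary removed the outer Cc.
OUTER_TAMPERED = OUTER_AS_SENT.replace("Cc: Carol <carol@smime.example>\n", "")


def _norm(value):
    """Collapse folding and runs of whitespace so equal values compare equal."""
    return " ".join(value.split())


def header_fields(raw):
    """Return (lowercased name, normalised value) for every Header Field."""
    return [(n.lower(), _norm(v)) for n, v in message_from_string(raw).items()]


def split_payload_headers(raw_payload):
    """Separate protected Header Fields from the sender's HP-Outer claims."""
    protected, hp_outer = [], set()
    for name, value in header_fields(raw_payload):
        if name == "hp-outer":
            outer_name, _, outer_value = value.partition(":")
            hp_outer.add((outer_name.strip().lower(), _norm(outer_value)))
        elif name != "mime-version" and not name.startswith("content-"):
            protected.append((name, value))  # skip Structural Header Fields
    return protected, hp_outer


def assess(raw_outer, raw_payload):
    """Per protected field: the naive status, the status to render, and the
    status to assume when replying. Keyed by field name, so this sketch
    expects each name to occur once in the protected Header Section."""
    observed = set(header_fields(raw_outer))  # attacker-controllable view
    protected, hp_outer = split_payload_headers(raw_payload)
    report = {}
    for field in protected:
        naive = SIGNED if field in observed else SIGNED_AND_ENCRYPTED
        render = SIGNED if field in hp_outer else SIGNED_AND_ENCRYPTED
        # Cautious reply handling: expose the value in a reply only when both
        # the sender's claim and the delivered outer header agree it was clear.
        reply = SIGNED if naive == render == SIGNED else SIGNED_AND_ENCRYPTED
        report[field[0]] = {
            "naive": naive,
            "render_as": render,
            "reply_as": reply,
            "overestimated": naive == SIGNED_AND_ENCRYPTED and render == SIGNED,
        }
    return report


def overestimated_fields(raw_outer, raw_payload):
    """Names of fields a naive MUA would wrongly show as confidential."""
    report = assess(raw_outer, raw_payload)
    return sorted(name for name, r in report.items() if r["overestimated"])


if __name__ == "__main__":
    for label, outer in (("as sent", OUTER_AS_SENT), ("tampered", OUTER_TAMPERED)):
        print(label, overestimated_fields(outer, PAYLOAD))
```

For the tampered copy only Cc is reported: the outer view suggests it was hidden, while the matching HP-Outer field inside the Cryptographic Payload shows the sender left it in the clear.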
If, on the other hand, deliverability to a Bcc'ed recipient is not a concern, the most privacy-preserving option is to simply omit the Bcc Header Field from the protected Header Section in the first place. An MUA that is capable of receiving and processing such a message can infer that since their user's address was not mentioned in any To or Cc Header Field, they were likely a Bcc recipient.

Please also see Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance] for more discussion about Bcc and encrypted messages.

13.  IANA Considerations

This document registers an e-mail Header Field, describes parameters for the Content-Type Header Field, and establishes a registry for Header Confidentiality Policies to facilitate HCP evolution.

13.1.  Register the HP-Outer Header Field

This document requests IANA to register the following Header Field in the "Permanent Message Header Field Names" registry within "Message Headers" in accordance with [RFC3864].

   +============+==========+==========+==========+===============+
   | Header     | Template | Protocol | Status   | Reference     |
   | Field Name |          |          |          |               |
   +============+==========+==========+==========+===============+
   | HP-Outer   |          | mail     | standard | Section 2.2.1 |
   |            |          |          |          | of RFCXXXX    |
   +------------+----------+----------+----------+---------------+

   Table 3: Additions to 'Permanent Message Header Field Names' registry

The Author/Change Controller of these two entries (Section 4.5 of [RFC3864]) should be the IETF itself.

13.2.  Update Reference for Content-Type Header Field due to hp, hp-scheme, and hp-legacy-display Parameters

This document also defines the Content-Type parameters known as hp (in Section 2.1.1), hp-scheme (in Section 2.1.2), and hp-legacy-display (in Section 2.1.3).
Consequently, the Content-Type row in the "Permanent Message Header Field Names" registry should add a reference to this RFC to its "References" column.

That is, the current row:

   +===================+==========+==========+========+===========+
   | Header Field Name | Template | Protocol | Status | Reference |
   +===================+==========+==========+========+===========+
   | Content-Type      |          | MIME     |        | [RFC4021] |
   +-------------------+----------+----------+--------+-----------+

   Table 4: Existing row in 'Permanent Message Header Field Names' registry

Should be updated to have the following values:

   +===================+==========+==========+========+===========+
   | Header Field Name | Template | Protocol | Status | Reference |
   +===================+==========+==========+========+===========+
   | Content-Type      |          | MIME     |        | [RFC4021] |
   |                   |          |          |        | [RFCXXXX] |
   +-------------------+----------+----------+--------+-----------+

   Table 5: Replacement row in 'Permanent Message Header Field Names' registry

13.3.  New Registry: Mail Header Confidentiality Policies

This document also requests IANA to create a new registry in the "Mail Parameters" protocol group (https://www.iana.org/assignments/mail-parameters/) titled Mail Header Confidentiality Policies with the following content:

   +========================+=================+=========+=============+
   | Header Confidentiality | Description     |Reference| Recommended |
   | Policy Name            |                 |         |             |
   +========================+=================+=========+=============+
   | hcp_no_confidentiality | No header       |Section  | N           |
   |                        | confidentiality |3.2.3 of |             |
   |                        |                 |RFCXXX   |             |
   |                        |                 |(this    |             |
   |                        |                 |document)|             |
   +------------------------+-----------------+---------+-------------+
   | hcp_baseline           | Subject Header  |Section  | Y           |
   |                        | Field is        |3.2.1 of |             |
   |                        | obscured        |RFCXXX   |             |
   |                        |                 |(this    |             |
   |                        |                 |document)|             |
   +------------------------+-----------------+---------+-------------+
   | hcp_strong             | Remove or       |Section  | N           |
   |                        | obscure         |3.2.2 of |             |
   |                        | everything but  |RFCXXX   |             |
   |                        | From, Date, To, |(this    |             |
   |                        | Cc and Message- |document)|             |
   |                        | ID              |         |             |
   +------------------------+-----------------+---------+-------------+

   Table 6: Mail Header Confidentiality Policies registry

hcp_example_hide_cc is mooted as an example in Section 3 but is not formally registered by this document.

Please add the following textual note to this registry:

   The Header Confidentiality Policy Name never appears on the wire. This registry merely tracks stable references to implementable descriptions of distinct policies. Any addition to this registry should be governed by guidance in Section 3.4.2 of RFC XXX (this document).

Adding an entry to this registry with an N in the "Recommended" column follows the registration policy of SPECIFICATION REQUIRED. Adding an entry to this registry with a Y in the "Recommended" column or changing the "Recommended" column in an existing entry (from N to Y or vice versa) requires IETF REVIEW. During IETF REVIEW, the designated expert must also be consulted. Guidance for the designated expert can be found in Section 3.4.2.

14.  Acknowledgments

Thore Göbel identified significant gaps in earlier versions of this document, and proposed concrete and substantial improvements. Thanks to his contributions, the document is clearer, and the protocols described herein are more useful.

Additionally, the authors would like to thank the following people who have provided helpful comments and suggestions for this document: Berna Alp, Bernhard E. Reiter, Carl Wallace, Claudio Luck, David Wilson, Hernani Marques, juga, Krista Bennett, Kelly Bristol, Lars Rohwedder, Michael StJohns, Nicolas Lidzborski, Peter Yee, Phillip Tao, Robert Williams, Rohan Mahy, Roman Danyliw, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk, and Wei Chuang.

15.  References

15.1.  Normative References

[I-D.ietf-lamps-e2e-mail-guidance]  Gillmor, D. K., Hoeneisen, B., and A. Melnikov, "Guidance on End-to-End E-mail Security", Work in Progress, Internet-Draft, draft-ietf-lamps-e2e-mail-guidance-16, 16 March 2024.

[I-D.ietf-openpgp-crypto-refresh-13]  Wouters, P., Huigens, D., Winter, J., and N. Yutaka, "OpenPGP", Work in Progress, Internet-Draft, draft-ietf-openpgp-crypto-refresh-13, 4 January 2024.

[RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996.

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, DOI 10.17487/RFC3864, September 2004.

[RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, DOI 10.17487/RFC5083, November 2007.

[RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008.

[RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.

[RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009.

[RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017.

[RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8551]  Schaad, J., Ramsdell, B., and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019.

15.2.  Informative References

[chrome-indicators]  Schechter, E., "Evolving Chrome's security indicators", May 2018.

[CSS]  World Wide Web Consortium, "Cascading Style Sheets Level 2 Revision 2 (CSS 2.2) Specification", 12 April 2016.

[HTML-ESCAPES]  W3C, "Using character escapes in markup and CSS", n.d.

[I-D.autocrypt-lamps-protected-headers]  Einarsson, B. R., "juga", and D. K. Gillmor, "Protected Headers for Cryptographic E-mail", Work in Progress, Internet-Draft, draft-autocrypt-lamps-protected-headers-02, 20 December 2019.

[I-D.pep-email]  Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp): Email Formats and Protocols", Work in Progress, Internet-Draft, draft-pep-email-02, 16 December 2022.
[I-D.pep-general]  Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy privacy (pEp): Privacy by Default", Work in Progress, Internet-Draft, draft-pep-general-02, 16 December 2022.

[PGPCONTROL]  UUNET Technologies, Inc., "Authentication of Usenet Group Changes", 27 October 2016.

[PGPVERIFY-FORMAT]  Lawrence, D. C., "Signing Control Messages, Verifying Control Messages", n.d.

[RFC2047]  Moore, K., "MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text", RFC 2047, DOI 10.17487/RFC2047, November 1996.

[RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996.

[RFC3156]  Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME Security with OpenPGP", RFC 3156, DOI 10.17487/RFC3156, August 2001.

[RFC3851]  Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, DOI 10.17487/RFC3851, July 2004.

[RFC4021]  Klyne, G. and J. Palme, "Registration of Mail and MIME Header Fields", RFC 4021, DOI 10.17487/RFC4021, March 2005.

[RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, DOI 10.17487/RFC5751, January 2010.

[RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011.

[RFC6532]  Yang, A., Steele, S., and N. Freed, "Internationalized Email Headers", RFC 6532, DOI 10.17487/RFC6532, February 2012.

[RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015.
[RFC8617]  Andersen, K., Long, B., Ed., Blank, S., Ed., and M. Kucherawy, Ed., "The Authenticated Received Chain (ARC) Protocol", RFC 8617, DOI 10.17487/RFC8617, July 2019.

[RFC9216]  Gillmor, D. K., Ed., "S/MIME Example Keys and Certificates", RFC 9216, DOI 10.17487/RFC9216, April 2022.

Appendix A.  Table of Pseudocode Listings

This document contains guidance with pseudocode descriptions. Each algorithm is listed here for easy reference.

   +===========================+======================================+
   | Method Name               | Description                          |
   +===========================+======================================+
   | HeaderSetsFromMessage     | Derive "outer" and "protected" sets  |
   |                           | of Header Fields from a given        |
   |                           | message                              |
   +---------------------------+--------------------------------------+
   | HeaderFieldProtection     | Calculate cryptographic protections  |
   |                           | for a Header Field in a given        |
   |                           | message                              |
   +---------------------------+--------------------------------------+
   | ReferenceHCP              | Produce an ephemeral HCP to use when |
   |                           | responding to a given message        |
   +---------------------------+--------------------------------------+
   | ComposeNoHeaderProtection | Legacy message composition with end- |
   |                           | to-end cryptographic protections     |
   |                           | (but no header protection)           |
   +---------------------------+--------------------------------------+
   | ComposeInjectedHeaders    | Compose a message with end-to-end    |
   |                           | cryptographic protections including  |
   |                           | header protection, using the         |
   |                           | Injected Headers scheme              |
   +---------------------------+--------------------------------------+
   | ComposeWrappedMessage     | Compose a message with end-to-end    |
   |                           | cryptographic protections including  |
   |                           | header protection, using the Wrapped |
   |                           | Message scheme                       |
   +---------------------------+--------------------------------------+

   Table 7: Table of Pseudocode Listings

Appendix B.  Possible Problems with Legacy MUAs

When an e-mail message with end-to-end cryptographic protection is received by a mail user agent, the user might experience many different possible problematic interactions. A message with Header Protection may introduce new forms of user experience failure.

In this section, the authors enumerate different kinds of failures we have observed when reviewing, rendering, and replying to messages with different forms of Header Protection in different Legacy MUAs. Different Legacy MUAs demonstrate different subsets of these problems.

A conformant MUA would not exhibit any of these problems. An implementer updating their Legacy MUA to be compliant with this specification should consider these concerns and try to avoid them.

Recall that "protected" refers to the "inner" values, e.g., the real Subject, and "unprotected" refers to the "outer" values, e.g., the dummy Subject.

B.1.  Problems Viewing Messages in a List View

*  Unprotected Subject, Date, From, To are visible (instead of being replaced by protected values)

*  Threading is not visible

B.2.  Problems when Rendering a Message

*  Unprotected Subject is visible

*  Protected Subject (on its own) is visible in the body

*  Protected Subject, Date, From, and To visible in the body

*  User interaction needed to view whole message

*  User interaction needed to view message body

*  User interaction needed to view protected subject

*  Impossible to view protected Subject

*  Nuisance alarms during user interaction

*  Impossible to view message body

*  Appears as a forwarded message

*  Appears as an attachment

*  Security indicators not visible

*  Security indicators do not identify protection status of Header Fields

*  User has multiple different methods to reply (e.g., reply to outer, reply to inner)

*  User sees English "Subject:" in body despite message itself being in non-English

*  Security indicators do not identify protection status of Header Fields

*  Header Fields in body render with local Header Field names (e.g., showing "Betreff" instead of "Subject") and dates (TZ, locale)

B.3.  Problems when Replying to a Message

Note that the use case here is:

*  User views message, to the point where they can read it

*  User then replies to message, and they are shown a message composition window, which has some UI elements

*  If the MUA has multiple different methods to reply to a message, each way may need to be evaluated separately

This section also uses the shorthand UI:x to mean "the UI element that the user can edit that they think of as x."
*  Unprotected Subject is in UI:subject (instead of the protected Subject)

*  Protected Subject is quoted in UI:body (from Legacy Display Element)

*  Protected Subject leaks when the reply is serialised into MIME

*  Protected Subject is not anywhere in UI

*  Message body is _not_ visible/quoted in UI:body

*  User cannot reply while viewing protected message

*  Reply is not encrypted by default (but is for legacy signed-and-encrypted messages without Header Protection)

*  Unprotected From or Reply-To is in UI:To (instead of the protected From or Reply-To)

*  User's locale (lang, TZ) leaks in quoted body

*  Header Fields not protected (and in particular, Subject is not obscured) by default

Appendix C.  Test Vectors

This section contains sample messages using the different schemes described in this document. Each sample contains a MIME object, a textual and diagrammatic view of its structure, and examples of how an MUA might render it.

The cryptographic protections used in this document use the S/MIME standard, and keying material and certificates come from [RFC9216].

These messages should be accessible to any IMAP client at imap://bob@header-protection.cmrg.net/ (any password should authenticate to this read-only IMAP mailbox).

You can also download copies of these test vectors separately at https://header-protection.cmrg.net.

If any of the messages downloaded differ from those offered here, this document is the canonical source.

C.1.  Baseline Messages

These messages offer no header protection at all, and can be used as a baseline. They are provided in this document as a counterexample. An MUA implementer can use these messages to verify that the reported cryptographic summary of the message indicates no header protection.

C.1.1.  No Cryptographic Protections Over a Simple Message

This message uses no cryptographic protection at all. Its body is a text/plain message.
It has the following structure:

   └─╴text/plain 152 bytes

Its contents are:

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: no-crypto
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:00:02 -0500
   User-Agent: Sample MUA Version 1.0

   This is the no-crypto message.

   This message uses no cryptographic protection at all. Its body is a text/plain message.

   --
   Alice
   alice@smime.example

C.1.2.  S/MIME Signed-only signedData Over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses no header protection.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 3856 bytes
    ⇩ (unwraps to)
    └─╴text/plain 206 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
   Subject: smime-one-part
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:01:02 -0500
   User-Agent: Sample MUA Version 1.0
C.1.2.1.  S/MIME Signed-only signedData Over a Simple Message, No Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit

   This is the smime-one-part message.

   This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses no header protection.

   --
   Alice
   alice@smime.example

C.1.3.  S/MIME Signed-only multipart/signed Over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses no header protection.

It has the following structure:

   └┬╴multipart/signed 4187 bytes
    ├─╴text/plain 224 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="253"; micalg="sha-256"
   Subject: smime-multipart
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:02:02 -0500
   User-Agent: Sample MUA Version 1.0

   --253
   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart message.

   This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses no header protection.
   --
   Alice
   alice@smime.example

   --253
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"
--253--

C.1.4.  S/MIME Encrypted and Signed Over a Simple Message, No Header Protection

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain
message. It uses no header protection.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 6720 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 3966 bytes
  ⇩ (unwraps to)
  └─╴text/plain 242 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-enc-signed
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:03:02 -0500
User-Agent: Sample MUA Version 1.0
C.1.4.1.  S/MIME Encrypted and Signed Over a Simple Message, No Header Protection, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
C.1.4.2.  S/MIME Encrypted and Signed Over a Simple Message, No Header Protection, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a text/plain
message. It uses no header protection.

--
Alice
alice@smime.example

C.1.5.  No Cryptographic Protections Over a Complex Message

This message uses no cryptographic protection at all. Its body is a
multipart/alternative message with an inline image/png attachment.

It has the following structure:

└┬╴multipart/mixed 1402 bytes
 ├┬╴multipart/alternative 794 bytes
 │├─╴text/plain 206 bytes
 │└─╴text/html 304 bytes
 └─╴image/png inline 232 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="e68"
Subject: no-crypto-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:00:02 -0500
User-Agent: Sample MUA Version 1.0

--e68
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="f70"

--f70
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the no-crypto-complex message.

This message uses no cryptographic protection at all. Its body is a
multipart/alternative message with an inline image/png attachment.

--
Alice
alice@smime.example

--f70
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the no-crypto-complex message.

This message uses no cryptographic protection at all. Its body is a multipart/alternative message with an inline image/png attachment.

--
Alice
alice@smime.example

--f70--

--e68
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--e68--

C.1.6.  S/MIME Signed-only signedData Over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a multipart/alternative message with an inline image/png
attachment. It uses no header protection.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 5253 bytes
 ⇩ (unwraps to)
 └┬╴multipart/mixed 1288 bytes
  ├┬╴multipart/alternative 882 bytes
  │├─╴text/plain 260 bytes
  │└─╴text/html 355 bytes
  └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:01:02 -0500
User-Agent: Sample MUA Version 1.0
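As an added illustration (not part of the draft), the Python sketch below renders a message's MIME structure in the tree notation used for these vectors, without the byte counts, and lists the header fields that exist only on the outer message, which is what "no header protection" looks like once the payload is unwrapped. The sample messages are constructed from the C.1.4 and C.1.5 vectors with placeholder addresses and bodies, and the function names are illustrative.

```python
from email import message_from_string

# Constructed sample modelled on the C.1.5 vector; the addresses and the part
# bodies are placeholders, not the draft's bytes.
NO_CRYPTO_COMPLEX = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="e68"
Subject: no-crypto-complex
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:00:02 -0500

--e68
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="f70"

--f70
Content-Type: text/plain; charset="us-ascii"

plain text alternative
--f70
Content-Type: text/html; charset="us-ascii"

<p>html alternative</p>
--f70--

--e68
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

AAAA
--e68--
"""

# Constructed from C.1.4 (outer message, CMS body left out) and C.1.4.2
# (the payload after decrypting and unwrapping).
ENC_SIGNED_OUTER = """\
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-enc-signed
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:03:02 -0500
User-Agent: Sample MUA Version 1.0

"""
ENC_SIGNED_PAYLOAD = """\
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed message.
"""

# Fields that describe the MIME part itself rather than the message.
STRUCTURAL_PREFIXES = ("content-", "mime-version")


def _tree(part, prefix="", last=True):
    """Recursively build tree lines for one MIME part and its children."""
    label = part.get_content_type()
    if part.get_content_disposition():
        label += " " + part.get_content_disposition()
    if part.get_filename():
        label += " [" + part.get_filename() + "]"
    kids = part.get_payload() if part.is_multipart() else []
    branch = ("└" if last else "├") + ("┬" if kids else "─") + "╴"
    lines = [prefix + branch + label]
    child_prefix = prefix + (" " if last else "│")
    for i, kid in enumerate(kids):
        lines += _tree(kid, child_prefix, i == len(kids) - 1)
    return lines


def structure(raw):
    """Return the MIME structure of a raw message as a list of tree lines."""
    return _tree(message_from_string(raw))


def _non_structural(msg):
    return [n for n in msg.keys() if not n.lower().startswith(STRUCTURAL_PREFIXES)]


def outside_only(outer_raw, payload_raw):
    """Header fields on the outer message that the unwrapped payload's root
    part does not carry, i.e. fields with no cryptographic protection."""
    outer = message_from_string(outer_raw)
    inner = {n.lower() for n in _non_structural(message_from_string(payload_raw))}
    return [n for n in _non_structural(outer) if n.lower() not in inner]


if __name__ == "__main__":
    print("\n".join(structure(NO_CRYPTO_COMPLEX)))
    print("unprotected:", outside_only(ENC_SIGNED_OUTER, ENC_SIGNED_PAYLOAD))
```

Every non-structural field of the C.1.4 message is reported, because its decrypted payload carries only Content-* and MIME-Version fields; a transport agent could rewrite Subject or From without invalidating the signature.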
C.1.6.1.  S/MIME Signed-only signedData Over a Complex Message, No Header Protection, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="533"

--533
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="931"

--931
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex message.

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a multipart/alternative message with an inline image/png
attachment. It uses no header protection.

--
Alice
alice@smime.example

--931
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex message.

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--931--

--533
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--533--

C.1.7.  S/MIME Signed-only multipart/signed Over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature
(multipart/signed). The payload is a multipart/alternative message
with an inline image/png attachment. It uses no header protection.

It has the following structure:

└┬╴multipart/signed 5230 bytes
 ├┬╴multipart/mixed 1344 bytes
 │├┬╴multipart/alternative 938 bytes
 ││├─╴text/plain 278 bytes
 ││└─╴text/html 376 bytes
 │└─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="4e5"; micalg="sha-256"
Subject: smime-multipart-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:02:02 -0500
User-Agent: Sample MUA Version 1.0

--4e5
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0be"

--0be
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="cb6"

--cb6
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex message.

This is a signed-only S/MIME message via PKCS#7 detached signature
(multipart/signed). The payload is a multipart/alternative message
with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--cb6
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--cb6--

--0be
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--0be--

--4e5
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"
--4e5--

C.1.8.  S/MIME Encrypted and Signed Over a Complex Message, No Header Protection

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a
multipart/alternative message with an inline image/png attachment.
It uses no header protection.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8710 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5434 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 1358 bytes
   ├┬╴multipart/alternative 952 bytes
   │├─╴text/plain 296 bytes
   │└─╴text/html 391 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-enc-signed-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:03:02 -0500
User-Agent: Sample MUA Version 1.0
C.1.8.1. S/MIME Encrypted and Signed Over a Complex Message, No Header Protection, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"

C.1.8.2. S/MIME Encrypted and Signed Over a Complex Message, No Header Protection, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="acd"

--acd
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b08"

--b08
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a
multipart/alternative message with an inline image/png
attachment. It uses no header protection.

--
Alice
alice@smime.example
--b08
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--b08--

--acd
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--acd--

C.2. Signed-only Messages

These messages are signed-only, using different schemes of header
protection and different S/MIME structure. They use no Header
Confidentiality Policy because the hcp is only relevant when a
message is encrypted.

C.2.1. S/MIME Signed-only signedData Over a Simple Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses the Wrapped Message header
protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 4319 bytes
 ⇩ (unwraps to)
 └┬╴message/rfc822 inline 642 bytes
  └─╴text/plain 228 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
Subject: smime-one-part-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:04:02 -0500
User-Agent: Sample MUA Version 1.0

C.2.1.1. S/MIME Signed-only signedData Over a Simple Message, Wrapped Message, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Subject: smime-one-part-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:04:02 -0500
User-Agent: Sample MUA Version 1.0

This is the smime-one-part-wrapped message.

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses the Wrapped Message
header protection scheme.

--
Alice
alice@smime.example

C.2.2. S/MIME Signed-only multipart/signed Over a Simple Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 detached signature
(multipart/signed). The payload is a text/plain message. It uses the
Wrapped Message header protection scheme.

It has the following structure:

└┬╴multipart/signed 4558 bytes
 ├┬╴message/rfc822 inline 672 bytes
 │└─╴text/plain 256 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="353";
 micalg="sha-256"
Subject: smime-multipart-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:05:02 -0500
User-Agent: Sample MUA Version 1.0

--353
MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Subject: smime-multipart-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:05:02 -0500
User-Agent: Sample MUA Version 1.0

This is the smime-multipart-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed). The payload is a text/plain
message. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example

--353
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--353--

C.2.3. S/MIME Signed-only signedData Over a Simple Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses the Injected Headers header
protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 4217 bytes
 ⇩ (unwraps to)
 └─╴text/plain 241 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
Subject: smime-one-part-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0

C.2.3.1. S/MIME Signed-only signedData Over a Simple Message, Injected Headers, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-one-part-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear"

This is the smime-one-part-injected message.

This is a signed-only S/MIME message via PKCS#7 signedData. The
payload is a text/plain message. It uses the Injected Headers
header protection scheme.

--
Alice
alice@smime.example

C.2.4. S/MIME Signed-only multipart/signed Over a Simple Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 detached signature
(multipart/signed). The payload is a text/plain message. It uses the
Injected Headers header protection scheme.

It has the following structure:

└┬╴multipart/signed 4467 bytes
 ├─╴text/plain 258 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="3c5";
 micalg="sha-256"
Subject: smime-multipart-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0

--3c5
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-multipart-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear"

This is the smime-multipart-injected message.

This is a signed-only S/MIME message via PKCS#7 detached
signature (multipart/signed). The payload is a text/plain
message. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example

--3c5
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"


--3c5--

C.2.5. S/MIME Signed-only signedData Over a Complex Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.
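The vectors in this appendix mark the Cryptographic Payload in two ways: Injected Headers places the protected fields on the payload's root part next to hp="clear", while Wrapped Message nests them in a message/rfc822 part carrying hp="clear" and hp-scheme="wrapped". The Python code below is an added example, not code from the draft: it classifies an already-unwrapped payload and lists where the unprotected outer header section disagrees with the protected fields. The function names, the STRUCTURAL set and the sample messages (including Bob's address and the Message-ID value) are constructed for illustration.

```python
from email import message_from_bytes, policy

# Header fields that describe the MIME part itself rather than the message.
# (Assumption of this example: every other field counts as a protected field.)
STRUCTURAL = {"mime-version", "content-type",
              "content-transfer-encoding", "content-disposition"}


def protected_headers(payload: bytes):
    """Return (scheme, hp, fields) for an unwrapped Cryptographic Payload.

    scheme is "wrapped", "injected", or None when the root part carries no
    hp parameter (a message without header protection).
    """
    root = message_from_bytes(payload, policy=policy.default)
    hp = root.get_param("hp")
    if hp is None:
        return None, None, []
    wrapped = (root.get_content_type() == "message/rfc822"
               and root.get_param("hp-scheme") == "wrapped"
               and root.is_multipart())
    # Wrapped Message: the protected fields belong to the nested message.
    # Injected Headers: they sit on the payload's root part itself.
    source = root.get_payload(0) if wrapped else root
    fields = [(name, str(value)) for name, value in source.items()
              if name.lower() not in STRUCTURAL]
    return ("wrapped" if wrapped else "injected"), hp, fields


def outer_mismatches(outer: bytes, payload: bytes):
    """List (field, outer_value, protected_value) for every protected field
    that is missing from, or different in, the unprotected outer headers."""
    _scheme, _hp, fields = protected_headers(payload)
    outer_msg = message_from_bytes(outer, policy=policy.default)
    diffs = []
    for name, value in fields:
        seen = outer_msg.get(name)
        seen = None if seen is None else str(seen)
        if seen != value:
            diffs.append((name, seen, value))
    return diffs


# Constructed samples modelled on the unwrapped payloads in this appendix.
_COMMON = (b"Message-ID: <constructed@example>\r\n"
           b"From: Alice <alice@smime.example>\r\n"
           b"To: Bob <bob@smime.example>\r\n"
           b"Date: Sat, 20 Feb 2021 12:04:02 -0500\r\n")
_BODY = b"\r\nThis is a constructed body.\r\n"

WRAPPED = (b"MIME-Version: 1.0\r\n"
           b'Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"\r\n'
           b"Content-Disposition: inline\r\n"
           b"\r\n"
           b"MIME-Version: 1.0\r\n"
           b'Content-Type: text/plain; charset="us-ascii"\r\n'
           b"Subject: constructed-wrapped\r\n" + _COMMON + _BODY)

INJECTED = (b"MIME-Version: 1.0\r\n"
            b"Subject: constructed-injected\r\n" + _COMMON +
            b'Content-Type: text/plain; charset="utf-8"; hp="clear"\r\n'
            + _BODY)

# A payload from a sender that applies no header protection.
LEGACY = (b"MIME-Version: 1.0\r\n"
          b'Content-Type: text/plain; charset="utf-8"\r\n' + _BODY)

# Outer header section whose Subject is "[...]", as on the C.3.1 vector.
OUTER_OBSCURED = b"Subject: [...]\r\n" + _COMMON + b"\r\n"

if __name__ == "__main__":
    for label, sample in (("wrapped", WRAPPED), ("injected", INJECTED),
                          ("legacy", LEGACY)):
        scheme, hp, fields = protected_headers(sample)
        print(label, scheme, hp, [name for name, _ in fields])
    print(outer_mismatches(OUTER_OBSCURED, WRAPPED))
```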
It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 5737 bytes
 ⇩ (unwraps to)
 └┬╴message/rfc822 inline 1689 bytes
  └┬╴multipart/mixed 1580 bytes
   ├┬╴multipart/alternative 946 bytes
   │├─╴text/plain 282 bytes
   │└─╴text/html 380 bytes
   └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
Subject: smime-one-part-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:04:02 -0500
User-Agent: Sample MUA Version 1.0

C.2.5.1. S/MIME Signed-only signedData Over a Complex Message, Wrapped Message, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="167"
Subject: smime-one-part-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:04:02 -0500
User-Agent: Sample MUA Version 1.0

--167
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0e3"

--0e3
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

-- 
Alice
alice@smime.example
--0e3
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example

--0e3--

--167
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--167--

C.2.6. S/MIME Signed-only multipart/signed Over a Complex Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

It has the following structure:

└┬╴multipart/signed 5649 bytes
 ├┬╴message/rfc822 inline 1747 bytes
 │└┬╴multipart/mixed 1638 bytes
 │ ├┬╴multipart/alternative 1002 bytes
 │ │├─╴text/plain 310 bytes
 │ │└─╴text/html 408 bytes
 │ └─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="fba";
 micalg="sha-256"
Subject: smime-multipart-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:05:02 -0500
User-Agent: Sample MUA Version 1.0

--fba
MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="66d"
Subject: smime-multipart-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:05:02 -0500
User-Agent: Sample MUA Version 1.0

--66d
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="409"

--409
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

-- 
Alice
alice@smime.example
--409
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example

--409--

--66d
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--66d--

--fba
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--fba--

C.2.7. S/MIME Signed-only signedData Over a Complex Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 5684 bytes
 ⇩ (unwraps to)
 └┬╴multipart/mixed 1598 bytes
  ├┬╴multipart/alternative 950 bytes
  │├─╴text/plain 295 bytes
  │└─╴text/html 390 bytes
  └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
Subject: smime-one-part-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0

C.2.7.1. S/MIME Signed-only signedData Over a Complex Message, Injected Headers, Unwrapped

The S/MIME signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-one-part-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="8f3"; hp="clear"

--8f3
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="a21"

--a21
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

-- 
Alice
alice@smime.example
--a21
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-one-part-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example

--a21--

--8f3
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--8f3--

C.2.8. S/MIME Signed-only multipart/signed Over a Complex Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

It has the following structure:

└┬╴multipart/signed 5560 bytes
 ├┬╴multipart/mixed 1656 bytes
 │├┬╴multipart/alternative 1006 bytes
 ││├─╴text/plain 312 bytes
 ││└─╴text/html 410 bytes
 │└─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="6a9";
 micalg="sha-256"
Subject: smime-multipart-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0

--6a9
MIME-Version: 1.0
Subject: smime-multipart-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="c46"; hp="clear"

--c46
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="d7b"

--d7b
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

-- 
Alice
alice@smime.example
--d7b
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example

--d7b--

--c46
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--c46--

--6a9
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"
Expires 29 December 2024 [Page 124] Internet-Draft Cryptographic MIME Header Protection June 2024 ZZogwSIOhpo7QVrKzOVdKH01vvT8bEvP6kzgrRzlQ+uz0t34nlwKVJYdrjiMjl9B oD6VGKVAsiNCXB6M+RRXU9bqsWh7AdgLQMlJoYbCEJ1n5R9ZSCDYmsNXJ7M0Blpi NYDoAxO5eumYr8Vdt0II0OIrutLV9+IBckNseaQ6uBw0pPo3ekMurIa9cIKAaMCF QvhaQkgPC1LSuswhyVGkznl7E9JohHyLaYR7iF4ooua1Vb8N8TKwULV20UMY5MCU iBXbkheWffpZt53CcJ100eZ1lPZEw97+OnlY32IFWleuJ9gF --6a9-- C.3. Encrypted-and-signed Messages These messages are encrypted and signed. They use PKCS#7 signedData inside envelopedData, with different header protection schemes and different Header Confidentiality Policies. C.3.1. S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_minimal This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy. It has the following structure: └─╴application/pkcs7-mime [smime.p7m] 7995 bytes ↧ (decrypts to) └─╴application/pkcs7-mime [smime.p7m] 4910 bytes ⇩ (unwraps to) └┬╴message/rfc822 inline 1022 bytes └─╴text/plain 322 bytes Its contents are: Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data" Subject: [...] Message-ID: From: Alice To: Bob Date: Sat, 20 Feb 2021 10:08:02 -0500 User-Agent: Sample MUA Version 1.0 MIIXDAYJKoZIhvcNAQcDoIIW/TCCFvkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00 Boq0MA0GCSqGSIb3DQEBAQUABIIBADCaiPSuzfmfPxJHHTulO7oLJvQyJDAM7HYr pgL/gHHGZOjD2WlZUYrQ3jbT6NanMp5dT26oQSDgQzJ9mqx7H1LiKfI315Kqfv+R Gillmor, et al. 
C.3.1.1.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped
          Message With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
C.3.1.2.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped
          Message With hcp_minimal, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-wrapped-minimal
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:08:02 -0500
   User-Agent: Sample MUA Version 1.0
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:08:02 -0500
   HP-Outer: User-Agent: Sample MUA Version 1.0

   This is the
   smime-enc-signed-wrapped-minimal
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme
   with the hcp_minimal Header Confidentiality Policy.

   --
   Alice
   alice@smime.example

C.3.2.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7865 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4818 bytes
     ⇩ (unwraps to)
     └─╴text/plain 336 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:09:02 -0500
   User-Agent: Sample MUA Version 1.0
C.3.2.1.  S/MIME Encrypted and Signed Over a Simple Message, Injected
          Headers With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
Expires 29 December 2024 [Page 135] Internet-Draft Cryptographic MIME Header Protection June 2024 TVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAgFw0xOTExMjAwNjU0MTha GA8yMDUyMDkyNzA2NTQxOFowOzENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFN UFMgV0cxFzAVBgNVBAMTDkFsaWNlIExvdmVsYWNlMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAtPSJ6Fg4Fj5Nmn9PkrYo0jTkfCv4TfA/pdO/KLpZbJOA Er0sI7AjaO7B1GuMUFJeSTulamNfCwDcDkY63PQWl+DILs7GxVwXurhYdZlaV5hc UqVAckPvedDBc/3rz4D/esFfs+E7QMFtmd+K04s+A8TCNO12DRVBDpbP4JFD9hsc 8prDtpGmFk7rd0q8gqnhxBW2RZAeLqzJOMayCQtws1q7ktkNBR2wZX5ICjecF1YJ FhX4jrnHwp/iELGqqaNXd3/Y0pG7QFecN7836IPPdfTMSiPR+peCrhJZwLSewbWX LJe3VMvbvQjoBMpEYlaJBUIKkO1zQ1Pq90njlsJLOwIDAQABo4GvMIGsMAwGA1Ud EwEB/wQCMAAwFwYDVR0gBBAwDjAMBgpghkgBZQMCATABMB4GA1UdEQQXMBWBE2Fs aWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAwwCgYIKwYBBQUHAwQwDgYDVR0PAQH/ BAQDAgbAMB0GA1UdDgQWBBS79syyLR0GEhyXrilqkBDTIGZmczAfBgNVHSMEGDAW gBSRMI58BxcMp/EJKGU2GmccaHb0WTANBgkqhkiG9w0BAQ0FAAOCAQEAc4miNqfO qaBpI3f+CpJDhxtuZ2P9HjQEQ+v6BdP7GKJ19naIs3BjJOd64roAKHAp+c284Vvy VXWJ99FMX8q2ZUQMxH+xh6oAfzcozmnd6XaVWHg4eHIjSo27PmhKE1oAJKKhDbdb EcZXL2+x1V+duGymWtaD01DZZukKYr7agyHahiXRn/C9cy31wbqNsy9x0fjPQg6+ DqatiQpMz9EIae6aCHHBhOiPU7IPkazgPYgkLD59fk4PGHnYxs1FhdO6zZk9E8zw lc1ALgZa/iSbczisqckN3qGehD2s16jMhwFXLJtBiN+uCDgNG/D0qyTbY4fgKieU Hx/tHuzUszZxJjGCAgAwggH8AgEBMGwwVTENMAsGA1UEChMESUVURjERMA8GA1UE CxMITEFNUFMgV0cxMTAvBgNVBAMTKFNhbXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNh dGlvbiBBdXRob3JpdHkCEzdBBXntdX9CqaJcOvT4as6aqdcwCwYJYIZIAWUDBAIB oGkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjEw MjIwMTUwOTAyWjAvBgkqhkiG9w0BCQQxIgQgnhRFm9nOgaC9227M083Y7ATM3ExN XTPt9Z4vMFVNUhQwDQYJKoZIhvcNAQEBBQAEggEAYgu+zND7NaTugRGh7Mb/pCJL HY8EEzwO2BZRq0Y4tfmpBC7qOfXLs/zDKW7+fs5AIoX0BesntIBEjh8jLVbeB8+T IRZSEXv8aavTeagzmP4KQOj2GmnBwGPheEqoXFsSue8kxPLvqaPF6yM7Xnijb82I qrVdLwOk96UTrF5A4VHaHHfoZSMZeaWxC0GMUt7bV5B7kwcq00MQVGoQjKoRvhew Bh9DySHgx06VH2JFoW5y9WdRmK3tTCJ8DqLFiQt6irjIivAzBnQPINbvrLZugyhg 8vn/iVSkOs+VKTY9RNW75F7UF8Ld8TWwfovgfx3A5BdV5FyZyh32ZOXfi6WM3Q== C.3.2.2. 
S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal, Decrypted and Unwrapped The inner signed-data layer unwraps to: Gillmor, et al. Expires 29 December 2024 [Page 136] Internet-Draft Cryptographic MIME Header Protection June 2024 MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: smime-enc-signed-injected-minimal Message-ID: From: Alice To: Bob Date: Sat, 20 Feb 2021 10:09:02 -0500 User-Agent: Sample MUA Version 1.0 HP-Outer: Subject: [...] HP-Outer: Message-ID: HP-Outer: From: Alice HP-Outer: To: Bob HP-Outer: Date: Sat, 20 Feb 2021 10:09:02 -0500 HP-Outer: User-Agent: Sample MUA Version 1.0 Content-Type: text/plain; charset="utf-8"; hp="cipher" This is the smime-enc-signed-injected-minimal message. This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy. -- Alice alice@smime.example C.3.3. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display) This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part. It has the following structure: └─╴application/pkcs7-mime [smime.p7m] 8125 bytes ↧ (decrypts to) └─╴application/pkcs7-mime [smime.p7m] 5004 bytes ⇩ (unwraps to) └─╴text/plain 426 bytes Its contents are: Gillmor, et al. Expires 29 December 2024 [Page 137] Internet-Draft Cryptographic MIME Header Protection June 2024 Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data" Subject: [...] 
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:10:02 -0500
   User-Agent: Sample MUA Version 1.0

C.3.3.1.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"

C.3.3.2.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-injected-minimal-legacy
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:10:02 -0500
   User-Agent: Sample MUA Version 1.0
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:10:02 -0500
   HP-Outer: User-Agent: Sample MUA Version 1.0
   Content-Type: text/plain; charset="utf-8";
    hp-legacy-display="1"; hp="cipher"

   Subject: smime-enc-signed-injected-minimal-legacy

   This is the
   smime-enc-signed-injected-minimal-legacy
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Injected Headers header protection scheme
   with the hcp_minimal Header Confidentiality Policy with a
   "Legacy Display" part.

   --
   Alice
   alice@smime.example

C.3.4.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7910 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4840 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 972 bytes
      └─╴text/plain 320 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:11:02 -0500

C.3.4.1.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"

C.3.4.2.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-wrapped-strong
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:11:02 -0500
   User-Agent: Sample MUA Version 1.0
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:11:02 -0500

   This is the
   smime-enc-signed-wrapped-strong
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme
   with the hcp_strong Header Confidentiality Policy.

   --
   Alice
   alice@smime.example

C.3.5.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7780 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4744 bytes
     ⇩ (unwraps to)
     └─╴text/plain 334 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:12:02 -0500
C.3.5.1. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
C.3.5.2. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-injected-strong
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:12:02 -0500
   User-Agent: Sample MUA Version 1.0
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:12:02 -0500
   Content-Type: text/plain; charset="utf-8"; hp="cipher"

   This is the
   smime-enc-signed-injected-strong
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme
   with the hcp_strong Header Confidentiality Policy.

   -- 
   Alice
   alice@smime.example

C.3.6. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8020 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4934 bytes
     ⇩ (unwraps to)
     └─╴text/plain 423 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:13:02 -0500
C.3.6.1. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
C.3.6.2. S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-injected-strong-legacy
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:13:02 -0500
   User-Agent: Sample MUA Version 1.0
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:13:02 -0500
   Content-Type: text/plain; charset="utf-8";
    hp-legacy-display="1"; hp="cipher"

   Subject: smime-enc-signed-injected-strong-legacy

   This is the
   smime-enc-signed-injected-strong-legacy
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme
   with the hcp_strong Header Confidentiality Policy with a "Legacy
   Display" part.

   -- 
   Alice
   alice@smime.example

C.3.7. S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8495 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5276 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 1292 bytes
      └─╴text/plain 328 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:14:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
C.3.7.1.  S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
C.3.7.2.  S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_minimal, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-wrapped-minimal-reply
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:14:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:14:02 -0500
   HP-Outer: User-Agent: Sample MUA Version 1.0
   HP-Outer: In-Reply-To:
   HP-Outer: References:

   This is the
   smime-enc-signed-wrapped-minimal-reply
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme
   with the hcp_minimal Header Confidentiality Policy.

   --
   Alice
   alice@smime.example

C.3.8.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8385 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5198 bytes
     ⇩ (unwraps to)
     └─╴text/plain 342 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:15:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
C.3.8.1.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
C.3.8.2.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-injected-minimal-reply
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:15:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:15:02 -0500
   HP-Outer: User-Agent: Sample MUA Version 1.0
   HP-Outer: In-Reply-To:
   HP-Outer: References:
   Content-Type: text/plain; charset="utf-8"; hp="cipher"

   This is the
   smime-enc-signed-injected-minimal-reply
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message. It uses the Injected Headers header protection scheme
   with the hcp_minimal Header Confidentiality Policy.

   --
   Alice
   alice@smime.example

C.3.9.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8710 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5438 bytes
     ⇩ (unwraps to)
     └─╴text/plain 438 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:16:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:

C.3.9.1. S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"

C.3.9.2. S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-injected-minimal-legacy-reply
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:16:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:16:02 -0500
   HP-Outer: User-Agent: Sample MUA Version 1.0
   HP-Outer: In-Reply-To:
   HP-Outer: References:
   Content-Type: text/plain; charset="utf-8";
    hp-legacy-display="1"; hp="cipher"

   Subject: smime-enc-signed-injected-minimal-legacy-reply

   This is the smime-enc-signed-injected-minimal-legacy-reply message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Injected Headers header protection scheme
   with the hcp_minimal Header Confidentiality Policy with a
   "Legacy Display" part.

   --
   Alice
   alice@smime.example

C.3.10. S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme
   with the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8150 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5026 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 1107 bytes
      └─╴text/plain 326 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:17:02 -0500

C.3.10.1. S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_strong, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"

C.3.10.2. S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_strong, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-enc-signed-wrapped-strong-reply
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:17:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 10:17:02 -0500

   This is the smime-enc-signed-wrapped-strong-reply message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme
   with the hcp_strong Header Confidentiality Policy.

   --
   Alice
   alice@smime.example

C.3.11. S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData. The payload is a text/plain
   message. It uses the Injected Headers header protection scheme
   with the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8020 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4934 bytes
     ⇩ (unwraps to)
     └─╴text/plain 340 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:18:02 -0500
C.3.11.1.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"

C.3.11.2.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-enc-signed-injected-strong-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:18:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 10:18:02 -0500
Content-Type: text/plain; charset="utf-8"; hp="cipher"

This is the smime-enc-signed-injected-strong-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example

C.3.12.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8320 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5154 bytes
  ⇩ (unwraps to)
  └─╴text/plain 435 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:19:02 -0500
C.3.12.1.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"
C.3.12.2.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-enc-signed-injected-strong-legacy-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:19:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 10:19:02 -0500
Content-Type: text/plain; charset="utf-8";
 hp-legacy-display="1"; hp="cipher"

Subject: smime-enc-signed-injected-strong-legacy-reply

This is the smime-enc-signed-injected-strong-legacy-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

C.3.13.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10140 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6490 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 2173 bytes
   └┬╴multipart/mixed 2063 bytes
    ├┬╴multipart/alternative 1134 bytes
    │├─╴text/plain 376 bytes
    │└─╴text/html 474 bytes
    └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:08:02 -0500
User-Agent: Sample MUA Version 1.0
Expires 29 December 2024 [Page 202] Internet-Draft Cryptographic MIME Header Protection June 2024 np31v851o2oI8wkEwvLcWukcH4Wi435wpDncUbyk414ZQwSVp1UTDDuBytAe/+4D 4cGEo6yeiDUO5QQ8L5QwmlzG9iovaRur3+M+S1FVC5nCBeA6U2bEA4qZazcvL94+ P6b8f+JTeS11bbSirjpIS/zgy0BtmU5+jXStq+tTCcJ5OBg9zYAiOlFK4ItF6pMJ NMEnOF7cbxtv2lZShKfMPx3GjC68eAIpxX5PBbDvwktE+uI3iTiXtYOqx8hh7GBK DU6GBtrT4cIm5Z2r1RBCFNtHsu3SP1b4qMQbou0Ak/GhkLAkWfdwJMu0Tm8Gn/r5 yL9tjLXjdhojuFRdXC2g8Mb+KEaV+5alEMckbPapYsC74N9dPzHvM5cMyw5NZzHd RnPJxqqaStos2n4f8UhfJr32vv+EzN7ApH7rEPFNxiZzLg18rjTcnUNZMfZAaoFd U6oKswdLrL/ZPezOyhKnoV3tXEBU3x9XUItBlK3YRoPnfUt6/ZBQlRkfGb08d4bQ uEdXE70SFm+bPMq3+Q/81vAkXu6/NNoKhnyjKxiOI1jQh7GI7XndV8c7sXhJznth xVO7GITai2JT0GP0ZaC9nxrKOcnBwId3U6WSu9FnbynYMLkVgCDoXH7Uq9KuLJHJ y1PplWp9i6+uoKrYAGW723WuUwquBNdFRnwRBD+Or4FGQouAKiaT2fUBGdOJbtG6 Kfk3dQxdDed//faN05ZolUpegJt0bBX7lvXsYq4M3hYaCOgp8gqLXEGgE/oUOrdm bi1Ou6+ls9zY1ZG7cNBdKikoCsAccX9Fvhi7qwwvYpD9U5dB1KpZyzWvN0b+JRnd SNrOa3yB/rCateWlEBbizTkGzZRbsASxoLC4Gtq7tVa1WyHYZIAQsm/r9tkrngan GfG/k0bA4XP0AO44wTK1UJCUu7j8Cka0FwTkI44ocV9RNe8cA2G3fNIHbM0+ATJ/ lY/vfAKPa71JtaRB4l4jYqe8B6S+1YCCJhmoirJ4g/VF+p34iqRrhzYgVF4ToWy3 aBCP0lHuP2fAHiS/qGSPqTsAFE60rPQA6JFtDY+q7vlHhwN5NryAsNDo2Fm7bARs yaFcQnlxj1jYT+ktqNAVwMS7OVCCENSAGXj33pfDOhnOWg8/dqwjRmJ56DA58HIK jkji7OHHoXHSDS47juwD3TrBHP1YEOMizzAErSPAaNnH/Kj1rvsu/quhJkT6WmRv dNZ6zo47wXIMRLf5vGqk/v/JRRxk3sQVrqWHDwAhFLHJAUpNQJTBh8HrRoUDKYTP bjVpDTi5N2TvhdQ9LjF0SkUG7LkdkDNz7/01SPW2iyjt00ir6sgCq30OtYG5ZtB5 PQafZjfU/WHkSaxCby69UsrI/Gm4/DEuCSh/9SANYlC+NFbj4XlS6szGaq5rq9DO WR3cMaaAeW6j0F5Fd/R2r6kIWXn5t5KjhLq5eWLWBge3VUnZyRhYQd/gR+R7nuRh 7AGzewsuXAPqExYOQQGrbbW0DQdkFZT3+Age1bGvdh2pxPciVnbE9v8BBzvSTLQ4 Rg2Wdddq5M3I2JgzZk9UZs3G/VvKTIHSUz4yO6FN5S3O6OCErMoMJPqMkpsRcqHe egY22tWUic+mbiAYV3/29tYppFLGdAshbKXCFNWWSxUPWNoHoB8tYjcDN+XjdU8T lnCDDuw5QIS89ZgV/Ld+QXBjy6jWWLoTM4KfFTjJfzySN4uQ5nAUWupskohY9Rxq Qwj7mQanG5GSogZP6+Q3aiLifnlPpsUm9mIQMbUER/OgbNk4yzEY0IJcDM/EUidl SpZ9qfWlbhpmONQpJnzfBDniWEQpYvgrJtQH/PcYPMHfZ9wumyHpBN7u7dJlausE 
C.3.13.1.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped
           Message With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

[base64-encoded body omitted]

C.3.13.2.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped
           Message With hcp_minimal, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="445"
Subject: smime-enc-signed-complex-wrapped-minimal
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:08:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:08:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0

--445
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="8fe"

--8fe
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-wrapped-minimal
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Wrapped Message header protection scheme
with the hcp_minimal Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--8fe
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-wrapped-minimal message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

--
Alice
alice@smime.example

--8fe--

--445
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--445--

C.3.14.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10075 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6452 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2083 bytes
      ├┬╴multipart/alternative 1138 bytes
      │├─╴text/plain 390 bytes
      │└─╴text/html 485 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0

[base64-encoded body omitted]

C.3.14.1.  S/MIME Encrypted and Signed Over a Complex Message, Injected
           Headers With hcp_minimal, Decrypted

   The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

[base64-encoded body omitted]

C.3.14.2.  S/MIME Encrypted and Signed Over a Complex Message, Injected
           Headers With hcp_minimal, Decrypted and Unwrapped

   The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-minimal
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:09:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="474"; hp="cipher"

--474
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="a8e"

--a8e
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-injected-minimal
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Injected Headers header protection
scheme with the hcp_minimal Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--a8e
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-injected-minimal message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy.

--
Alice
alice@smime.example

--a8e--

--474
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--474--

C.3.15. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10705 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6910 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2406 bytes
   ├┬╴multipart/alternative 1439 bytes
   │├─╴text/plain 488 bytes
   │└─╴text/html 648 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0

C.3.15.1. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="signed-data"

C.3.15.2. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-minimal-legacy
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:10:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="105"; hp="cipher"

--105
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="2cc"

--2cc
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii";
 hp-legacy-display="1"

Subject: smime-enc-signed-complex-injected-minimal-legacy

This is the smime-enc-signed-complex-injected-minimal-legacy message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example
--2cc
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii";
 hp-legacy-display="1"

   Subject: smime-enc-signed-complex-injected-minimal-legacy
   

This is the smime-enc-signed-complex-injected-minimal-legacy message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

--2cc--

--105
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==
--105--

C.3.16. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10035 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6420 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 2121 bytes
   └┬╴multipart/mixed 2011 bytes
    ├┬╴multipart/alternative 1130 bytes
    │├─╴text/plain 374 bytes
    │└─╴text/html 472 bytes
    └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:11:02 -0500
C.3.16.1. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.16.2. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b9d"
Subject: smime-enc-signed-complex-wrapped-strong
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:11:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:11:02 -0500

--b9d
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b91"

--b91
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-wrapped-strong message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example
--b91
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-wrapped-strong message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example

--b91--

--b9d
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--b9d--

C.3.17. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 9990 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6378 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2031 bytes
   ├┬╴multipart/alternative 1134 bytes
   │├─╴text/plain 388 bytes
   │└─╴text/html 483 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:12:02 -0500

C.3.17.1. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.17.2. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-strong
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:12:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:12:02 -0500
Content-Type: multipart/mixed; boundary="772"; hp="cipher"

--772
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b55"

--b55
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-injected-strong message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example
--b55
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-injected-strong message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example

--b55--

--772
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--772--

C.3.18. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10595 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6836 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2352 bytes
   ├┬╴multipart/alternative 1433 bytes
   │├─╴text/plain 485 bytes
   │└─╴text/html 645 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:13:02 -0500

C.3.18.1. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.18.2. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-strong-legacy
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:13:02 -0500
User-Agent: Sample MUA Version 1.0
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:13:02 -0500
Content-Type: multipart/mixed; boundary="838"; hp="cipher"

--838
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="49f"

--49f
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-enc-signed-complex-injected-strong-legacy

This is the smime-enc-signed-complex-injected-strong-legacy message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

--49f
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"
   Subject: smime-enc-signed-complex-injected-strong-legacy
   

This is the smime-enc-signed-complex-injected-strong-legacy message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

--49f-- --838 Content-Type: image/png Content-Transfer-Encoding: base64 Content-Disposition: inline iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg== --838-- C.3.19. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_minimal This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/ alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy. It has the following structure: └─╴application/pkcs7-mime [smime.p7m] 10705 bytes ↧ (decrypts to) └─╴application/pkcs7-mime [smime.p7m] 6910 bytes ⇩ (unwraps to) └┬╴message/rfc822 inline 2482 bytes └┬╴multipart/mixed 2372 bytes ├┬╴multipart/alternative 1146 bytes │├─╴text/plain 382 bytes │└─╴text/html 480 bytes └─╴image/png inline 232 bytes Its contents are: Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data" Subject: [...] Message-ID: From: Alice Gillmor, et al. 
Expires 29 December 2024 [Page 247] Internet-Draft Cryptographic MIME Header Protection June 2024 To: Bob Date: Sat, 20 Feb 2021 12:14:02 -0500 User-Agent: Sample MUA Version 1.0 In-Reply-To: References: MIIe3AYJKoZIhvcNAQcDoIIezTCCHskCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00 Boq0MA0GCSqGSIb3DQEBAQUABIIBAJRNvEcigh72oOJLXjEgxYpwmMd9BO0cIpwa OtjO5ohnv6GodttcjaRmafiWVWxazuZvPCJWoQJs1YsdTXFdpTg0sutvuti5Yhxl VGe775vfRavY4BieXoicQbwD9KX17NHsj4DKVs5U/dxTdS0tOxLjO3WGiN05yWG/ fPODumqT0vvmriLlMsLKgU2vMok0zCGYOUrLignQiII+EXqpd8HyXf+wBmsMOex1 eNkJshalnqwdnAg15qeEGNP0GhurdwEiD7MGuNZuGBxyP/pJulp+IgH4XJC40yIW YZzkyGLuUTlEdPT0+2k2VL8dkUph91yIDPJamU+D5C+pYO7I1SowggGEAgEAMGww VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6 HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAlyXY+AyQgiW2kIjcb8VCg7qK E41kA+UC85VDPCH/W/boRlyi/bZrIq+rB1MFgrIEutwae0RpP0mCSGnd6MPosP0Y DdnMCmAPcDHElREfMJU+7k9QBeZcIY4a4jZchkL4QQVJpKAH5ABYtZDvWudeYkEW BA7A1bMuwbTfwXGxzvuuDvjbtd6il8BhlipCVHMtxdaZQBlmUGS4iGrx9hd0YCAy zoz41p7eXMhkxDGMV1BoeKdWwzRhEK3fbufmkKPUQncaUu2+IEPKUIgxpPCzDwE/ ZERg6ginOUdFiDmRi0U1tmUJa+mNhG28pnaRS8M0z2CLj24YMnhpIT1kqAhmXjCC G64GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEEHHst6PtsO3IoLJJ7jonI/GAghuA 2RND2fp+YMl2YG2vxHe/dv2vIeEiy6xk4kadcx+ARKdsb0q/pcd/nnNRxc9mJFpV K9QneI0gq7+wYrQazNZMihAKiVBo3zvbyBbyD0jeimPQal5JU0ERWmkoLvg51bm8 hsGCCQxtoz+YDGiJtTyGJaGVos4XbHC+rrYFyTLonRQWGfBsvdG38F8Ao4I+hdzg l0fPTnGT78afnz3QymMyDO8UbuFjHxF0KtzU2eW/wX6I9ncycq1JurZE1vRPN4EL w/5v8+lyfWxIG39SnT1HStNQOW6I9UiEvW+eQy3owoq+iFNiZ3AVtHqgMSFNUDWG tC5hZcHEqQx5pZ9nksiB/EORk4jze6q98EW3vZ3cnZmJruVZjwoy7eU3Rbl/p17o gdE8F/2EOUX1XwjMQOfvzXckdeuCJlVE0f/2sLgzz1X2yh+OEgQNxR5CkjmS8uOa pUOzmWQt9PgZMXmnnlD+FfLOh/aYKF7cN8uK9ZqdpxpwI8WBuVC6G+CEhW0MeGta VB6n8/bCsNAgNQ+XSoAmhGyTY+f5bCYxd9p/GdDg9zHO7MLYE9OuKgJu6QevP8ns 
M5yi3padgd0WQ4mtVsJq1H8N9ly5PVAuDrQhjih4i/sBy8lMLIKLZO7CmDsdCMvW GanFhIaD0DuXtkG7n8U89OpkkU7CyBCn0w7su5C1V5PJ22TSY9RYkp4iobsC9FCq t6BK+bQ6weCWHaGzF9up0vMIEIy4R7MfvsF8UN/e3UTbVjmQc72GJfXjpFZGG8IY ljsWbrNRcRgf+MlsNhbDMIW/daWJ0Dz7IIQf43mgiUalV6C4u4UbgsLI7f6i2RaV QPjWo5js+wqIl2iWBtDz2EcnmG3QfTl7CojrPD4gHJP0BKQQrTnThX77AF/JXOot Ex1kHJ3SC1vev9kninP1PDLFoXag/k7PPjVyXAXtAzS9rLMHHdlz72dEztoJiv4R 57Kg/Cijy5vQv0NKWxRjxA4mXOErdWHdvrpNHvTI5BlbluD61S0coiXkyO4GoeN+ iKQqZ32B/nJ6BBu553ul8XMVbRb4NuuU0ZRW8f7ELEuO/09ZK2Id5BTOY5a26V9B 8RALHd6Oa9gn0pyUXRmSVC1R/5kE5heGwu2/jGI3Lwqr3v7pt1RqTkuLyz56qKW+ 67BrJhS8Bmb56ersKmgKO6Nnz3LT5D48vFHLQ7yY5AFUoekI/WQjnF1+muyxvr7n 219vRRIF7btavqr64PMTApmc4mYvZI8Zej/PJXPXp5qu4HsxJx/xdnzwzN8z77r4 nSC4UTOLwNiPfQr7RiAckG4iWWLS+OIFotwDf4ZTRvnFmf8agOn8baKwmVu7tXK9 zRwXMHfKQPC+GrS0EIm8gaOUyNAMhm1oN+bq0uFE+J9777hpluJCJLj9fKPzvKhX MngALfQidQsq78AITKo4ZtT8unxgzy7WaRjc8UKHC5cmGPTuBHWGwosmldF2LcAU JIjuAc6IlqaoPYWsZGTGas3cyO0vsylNIsDe5AmndTe6UuqecOyfVYeDnjC92ElT Gillmor, et al. Expires 29 December 2024 [Page 248] Internet-Draft Cryptographic MIME Header Protection June 2024 5rZUUUtF+gZgXqC2aTVbxz4gdzVwuNMyt1lt60XKPzsN7QgbeGNq+ym0vAAURgtc tmM/C46d6fkYASzD8W2pg1ysc7Iu6S1Cxj//VrP4PjlDnsnvfeRDMs003l6vxA8Z 3pnDY71Qkwz/IglZIgW/uomRfpfYQvDPTMDxgWMvetkozJjf1DtSQsWhlcbHbFw4 ehSm8H9zR15P8iWnEjy9DiUbeCNlBvvGirZHV7KVxheMjKMb2bogNOQyx6Heo7Kr jrvzQGlCkvmhMhmYTL1mZs2ClQJTliMT8K2Fn1gT5Mq24PxAisMv/ZwodL1YQFc8 b41lAfNZ6UOVexQxS0Ub3i8x3pz36Z0NyLyZ8UEchvoVTZr4ey+Py7yBk+mB7b4A 7P5nMuSlNAXtcSm3LSPuKca1Yx9dzpMpvyiNHBaD+vnlqZDjJqpJZjgDLz+Mj3GM oKZzOmvcgqws+cF+//kIEQDKVFrp8Sz35KgNyicqraXNDru4M/+oFFCO6o7mNZQP 4sN9zVq4YhFQID8RjRFBNNr7n09v2e/tGywb0dZEPT/5My0ENDqiq2yN0pCxMRRP nl69QVLoGydLJzg4YpXdXJtY9jHKoB60fS4Nfrdz80L0Rm1pRYBNTfP7N3MGLLTQ wbczYeVkYs+JX5dQGOvm2wEPKRKDe0sUGYZpDuZN1odirhWOnb9soEtUGFOc7tsS TZh91I4jgMOch75LR+kHDtjfQYfeRyYQfCq48A9OjacxYwO9F+yd//Npe8Apvess tyVXnOeAqSWIiZqN9+vS/mlXcCyRjTBD+B0WxHSvEx6NwEXi4IFN40mwGZzwr/KP h4lh4jLFDyr9FHDPDQX4m2cQMBEwCLB1a0rg9LQtqjAmlBkj8iJ2wLiDA5NO5mZn 
h/pHM6QuMeelL2dmFBAaIvb+MZi8g55QEfGraC4Cc+D/cjzne4JoU4tRiE5+TJy9 qIsASjKW3PiSJ2mK66GrXeaSlbs91cTK+EF+eMrijHmF8z5yql28mrsicOCkRtcl bX+IOsyyoN1euB27qxPd9OeLi1EE7sKzVFaBhGCEHba8uYwbmdk7VGT3fsydmq5l CD22LhBJDDHUQ7sDb7h6ORaTniea3ckPZ6cfTpzxwAbT9sFwEGQh1j1wiekn0d+f ekkWomFBgQQoLfPRBSw0qm+6GDx4/9OXeOaBEdvnfMwLIeWWt1Yy9Fkjp/ISX4D4 kJEnQkqeVXTTI0UE4FoAhhUSClHoexN3ztLYGsEdYPmHkt8Fu9kSK160AJM/Csyh CumHeZDEsq9tGMcjuAMGQaqQGyH1B4BWy9KMSXQt8mzRZZ6mjS2S240aIVZWLO/x Aobsti6OaG6zFo+7TcPsRy3oZQKSrxHCLC3fdAyMvIy4oZMWkObm24FHpcYjPz/s qljHfnfGAhWk4A4/xE45TnrTFn1NFzWGshQRFqGxlvMFTGjJUXSxJb25F/VkB5lv NmatEsoKMk7JjOdkmrtbPM5iYLk2QtqHyK9Mx1l7VUpFinTpEFo5lO7ZkE78u2TZ wsCAwo4bHcFmcqn0AiUS8x5BJhgzL2pLUWzyfNWYfbc+vi2hlIekk6gsb+9vIHBP XqLXVwnzj0eiNcltBRmK4ZK+h2Af0pyovreVXisilKAxk638XRUWG5QBgH0jUfNn XfkQKU/ffJPFK2CGOjCGCAsT+y8uSu2yx9qreKo7auG/fHvfzW2qrE0kNaIeRD8z VuxAVbHjBMRSxEIA8Boj5hOvaoTOtV8GpyuNq309JdXiajLvDxgF57RQF4TfgWFD RodaOGKwM56eqVsM8EfCRaDt254I3j9ddMrpJRJCtnGlicsOdzx9apZiD3KRg46j uzY7qJMiySJaL5kIhXh4+Fypfqqx8YWBl/8L6X5To1U2d4ON7X5aWhB9HR9WEjtA W9mikaXWPJTNDfk4tJqsJr00LLOrdSovhJLVB/KGu57pwC/m/HztWylJVftd0TwG MEfLHy7V52U86Ye2xCZW+qqKdusXFEzPa1sVqpxSZ8HWxKUe4S7fAMiJeNh/8x8g XYvPpED8RejYjTd7NPipBo27SBPi177wbg78tLeLxg7p1Pfun/gLRvRfFpdZwzYN aZz6fwKGEJ8cCh48BPkOD/bHUwWv6Hq8mFJ/7fTEeyCSaSyb5zC5Ec/TO6rWPe34 Z63qqfuVukW6jI1BT3oHXdqPkWf/QFyh8YykAgZH7DytNbewXTxxwEDYZleRJiHK aYZNJHZM8Sg1VK8odWEFNBcuzJ9HoiLtLGjub7vcRogOR1sFIAocEVzKGIulo0dI XWLQ3bXhXRZGUgZdrdkPr2OhdcumoqDT+5m7kqSXlp9LZtvWcQeKnx7kvfFPvoYK Z4LsCnFZB+eR/r9S+zlnP+SUa83vlh4n5wB2qRDnSbMHKjfxIbi9ErXPONXxSXZx VDYjsy1KrIwiBrCB01m6aReEZwCr5ymOCQQUIjfmN0IU//6vEVLlW5tdHMNcralH 3mqJGY5KOMaQcoM0qy/R2fgM5sN3aQ5iq3VC0c95HyIhLe7oUzxbYmjEPfl80UGz hpvI31hv/qPXs1kgUcjm7HL+3mchltVZnYoRhL8gGdaUdy2VDlDOr0a26phtmqgZ zX3Jfk2iO5CY4bpw46mwg2ND77AgQ8nOX6YHkCI6YwDRD6cqwkJW/t57GBWI25o6 29ffzCPmYn+0PpMLFtPwTblKrRBfhziHmC1HezBExgFyBtog5kzNW9lbq4ro2Ee1 TplNrlBzQrbB7JYqsrt5iJIk2E4Y+oDd3f/9lfqCW/iiVrSPJLJWo0G/tUdPcA5T 
FMFYBHYjUou2cVJ1NbJHoTgkiOwOhWewdbaS7DGIFaMvXDoY7que/RB6zcUdRNyu ZuRl7qcDJl3tEv4thzP/V/BGfiOiALrX0Ns/ipl9x1FCkB+CG0uJB/8+0gaaXUvn RmZRJ9BANLccfXp902pT7lSSME2rAjrshIsVWGNoM7YwrMlFGEXtYnUR6jYJYHnP wXBXu48mWzHPZX6P5uTfVzxZ9qIAsbsRpseG/vud6cbDnQtd0MkskgZN1pOS0bcf Gillmor, et al. Expires 29 December 2024 [Page 249] Internet-Draft Cryptographic MIME Header Protection June 2024 RAlTzws9SLhgUIwn3Y4f1tbswnh83LBOiNgkz5RE+D7gLM104mDRbMtlXwl1BIbs dCFzLZFCFe2bVbVIoXm6VupmXu7R+5V8H9oKJF1hH+Pg3csmdELioFL4ujWE4DNk lPV0e8o4m4BPNxBU23ifPhg7/dQSQJoWfT38oUTZKVgASiI5D20M8iXkyUw99Z/6 h+y2VF6dq3U9T+BBW2kolzZLpoKsQGPFBhN4XN6FxzGwWUNCSCQGjUvoyWG2O82T ki/LFbaA+71KbcfIXackMvI6d5oi+J3DM3pGRjpZg6m9VceokabJ0hVI7v7pnx9L MRL9gqEv0oD/GhQTf1IWf74krAvEx9zFRPvnj1nb7bc7nYssTNbdXuf4Y+rdnrUh QDTc+s+Ae9VGX88HYti+NhWj5kAgZbGzU4/+Ya4O0+jMUYA/qn0ZRCf+jTOEBVkS /qTgg+ZTAEgQYk5duToOr5nb07danYra/+CITemCqXnWayQFF6R9CP/Ac2rJ+WJV es9CIYfD4BrGP0opQSgOk/yJUflMkLC2b06CbF4CVqkA5oiVvlKMvBU1Q/kWrfdT EIkpmxiDAsB045Ydg4HkDWxEXsCBPJa+fggTpC4OKxNlrbKq9rOMqs0tYnndwmw9 ugI93I12GbJRE8EgtnrNzASmOpP4HLHCRJjuTjTqp85xtbdtpdB3z9frpDHTqi95 iYMye1q09ZTfy8xj5+AqaovTZhseB2kAeCrniccPkGfoH7IB2Q5fpvxw3pYIA6bc FLgTXSL/2yhc6SYFkYxfbul2C4/Q5xhO93QTcRWwd40qLmbmbQOvAepDd1UYbBFA HFDFFD4X22vBd0qAvy3RG2tTdc5w6B3PYTaHTsdoDitvGX7fnnhRwIs6bhRPCYhi s2xJTGCpg9QiS0VDGwu141X3WWvG64JKNr2HWXNWHWIaCROSulwYOtHhW5Ip0Xqt Lwt/4tKEs7fykUI9flFzM1uRPoI++lwSrs+HY59EXiqOknSzxR9BcDSfMx8X/5rI 9GO2fBIO+rSTFAq+IGJ+Y9qYMS09M8GW8ctFaePlX/28P/clBW6bZUcRrTKx04JN CPVIkxOrsAlX5/37ECJZZJ4fKkGT9c3+pGhUgmYpiq/TsSN+LTyoMo7BaYjJt+Ok X5pzEXYyGnVExGZZD/GC10z+n3ZJBnRtlqk5Sq4/vySOli/7L/PGDNiFXGm1tmLq 2bgnObr2/T52abhQJvWo/Dh9ZpelfzJZ1Ta6gj85LgaZd7HE2Pj02sFaVhJn3isd O4TahsjMlDtKUnEiQaSQ5nFvKRa8RcGjyb7ShY1JtkYkqtoe4LVKjCKUMXxSbUt1 xTAgJl/md4jQPdXGu91WYmNblDkPDMYXP3WVaoufjbhFVyjq1r2FJbE/WDb0mL0v iwdH1O20li0XQ+vnFTOyJdXIJ0S6lI6fbvFytX/fPxLUP/pImMybyKvULj4CGaO8 GDGAuqLgrpmpt0diR/ZRxw/+YFkoLQA1oDrZuaYv7uS68oo5Hy+kzw48qhtzUWVE wJDnB4XE7jKh/53Ga7acRUKhkDvRr7nQjdKw88tnqM7zwc2kKgmBamcqzHBvKrjh 
Dpw6EpZOCErOPnA7zPekeQLnfsr7F4pAd8ir1TmTHmSeFxuqwseIPcfi4y9SbCoy ejYP4vTPdlyP3XH3ACsL93oEZD3CRLm9q50k2qDhNnEr4GlDpY208LBwuWHnCkMp Gpq7S4dVEHtOfi1A3OlX0TRpASEwDA7JSvPVNv0Lgcm77VajyYUK2Ekaty1geg7A mKJSE1mN4iMfHgRuCFVw4FDzB6U+xKdKKw15GWWynrfo1QQAL3toExiyTn4UtYF0 2BusBqwUWXdMQeOYIdgkFBzaeKgdFN/RROzSugHfKjZWHTrA6pZGrm2XNZgjiIZz b7hs0Q0bXplKeOMP594oAVAfU5gZOIdUnmfQu8/iH3J/794nNwG6UjKiPkSDLNt+ RobmKTwHFTMSu/PNhvJoI9bWPGTRZVQ3/FwETHUbxUm5bBD+ANFi/wCG48R7T93N 9lZzo1rakOnd0VPJReRW5vzBjCadOS/C4b+vaYWRMmtl4Izw4xYwAo++aZx7pEz/ wKuJeei9ghUMVOgmpua2s83FupexOeCvhUK1i7x1pHlUQCsMFRvOhbFs8rcEOjyb hMoIlHbg+3r7FflNaK3nbe/eu+zz4reTQdnuomCBls4p/YUWIYbfdIpQkAzB1Do+ KMP11hhzwFbOCaionXB8cyWq2M1Dl1mAbqG4aZo6FWadF6RTnqVVc3Mr6Oye2kJR 2QSLJ8sunBtHC7vg4sGlosn9LIZHvoAOJDDFncdjWoCMI8Z0qi24YsBAcgSDrTnt jFLoDKGWzvgBqvurqwXZ7Fx9Ej6SpU/4MEPjRW4U6Mq3nXRl2SYzg8n6ZdWFL4Vh C0HkR84WYQu8lOZCf2GyE2NeHpFlsNyBnmvr4joa5ONqMqSXH4Qd1QXxiuoIw0Bs Qm7v8VykNxJJsTiwEf5/BEKr8pylyAPUOYqeLVTjr961Fw0mysNCV6q+9SyHQihe pHC63Ec6nX05nCUIbpuLFLMUH7EJG1YYOuYorINoQtxTsn9NNEA9N/pgVkr8rg4B /BpByUTOjP96HK1pc4Y2qnHIGw2cTuW+UU9L4gs1MEL0I2K4aH7iPyWepeFOT38x Tx7yqDBLKufsrN/UylcojFcGd9tnVKRhcvaAM0o6FN8nJOXEbwMW5WrVy2HYny4x QVev8cq5JFs17TgqMjnSEzyQIjNvoQdjzOXHHB4Vm/2zpDxobKbeAKwVA3NLVVc7 6I/1zYspVH/YHz/moFGFZiWombVGCgGB6kvyY2m/j7brH7BuJ1zXgPbnoLJIZtsy WaExUEi6divtnhdfqjyIh8M11UNDeZykHUJkliB5KG6cmHuJXAjaAVu6IKm9WS4Z rVoYThIJ2fLTKSgoeA+011JSCuFE2xq8ZJeiD8iV6mJyuI2mrkbtSrmVBRLte9Bm gHIrhZrUGXPU3AjQzyFo1o+iOI9C5bwdEkShEAPE2sy6CWbk6ojHqan6TjqK3R6e Gillmor, et al. 
C.3.19.1.  S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_minimal, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.19.2.  S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_minimal, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="dc8"
Subject: smime-enc-signed-complex-wrapped-minimal-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:14:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:14:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To:
HP-Outer: References:

--dc8
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="d18"

--d18
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-wrapped-minimal-reply
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Wrapped Message header protection scheme
with the hcp_minimal Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--d18
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-wrapped-minimal-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

--
Alice
alice@smime.example

--d18--

--dc8
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--dc8--

C.3.20.  S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10685 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6890 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2395 bytes
   ├┬╴multipart/alternative 1150 bytes
   │├─╴text/plain 396 bytes
   │└─╴text/html 491 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:

C.3.20.1.  S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.20.2.  S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-minimal-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:15:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To:
HP-Outer: References:
Content-Type: multipart/mixed; boundary="733"; hp="cipher"

--733
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="c41"

--c41
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-injected-minimal-reply
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData. The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Injected Headers header protection
scheme with the hcp_minimal Header Confidentiality Policy.

-- 
Alice
alice@smime.example
--c41
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-injected-minimal-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy.

--
Alice
alice@smime.example

--c41--

--733
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--733--

C.3.21. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 11310 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 7356 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2725 bytes
   ├┬╴multipart/alternative 1443 bytes
   │├─╴text/plain 490 bytes
   │└─╴text/html 650 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
C.3.21.1. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
C.3.21.2. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-minimal-lgc-rpl
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:16:02 -0500
HP-Outer: User-Agent: Sample MUA Version 1.0
HP-Outer: In-Reply-To:
HP-Outer: References:
Content-Type: multipart/mixed; boundary="9aa"; hp="cipher"

--9aa
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="2f3"

--2f3
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"

Subject: smime-enc-signed-complex-injected-minimal-lgc-rpl

This is the smime-enc-signed-complex-injected-minimal-lgc-rpl message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

--2f3
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"
   Subject: smime-enc-signed-complex-injected-minimal-lgc-rpl
   

This is the smime-enc-signed-complex-injected-minimal-lgc-rpl message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

--2f3--

--9aa
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--9aa--

C.3.22. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10335 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6634 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 2277 bytes
   └┬╴multipart/mixed 2167 bytes
    ├┬╴multipart/alternative 1142 bytes
    │├─╴text/plain 380 bytes
    │└─╴text/html 478 bytes
    └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:17:02 -0500
C.3.22.1. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.22.2. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="4ff"
Subject: smime-enc-signed-complex-wrapped-strong-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:17:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:17:02 -0500

--4ff
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="402"

--402
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-wrapped-strong-reply
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Wrapped Message header protection scheme
with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example
--402
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-wrapped-strong-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example

--402--

--4ff
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--4ff--

C.3.23. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10295 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6600 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2189 bytes
   ├┬╴multipart/alternative 1146 bytes
   │├─╴text/plain 394 bytes
   │└─╴text/html 489 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:18:02 -0500
C.3.23.1. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong, Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"

C.3.23.2. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong, Decrypted and Unwrapped

The inner signed-data layer unwraps to:

MIME-Version: 1.0
Subject: smime-enc-signed-complex-injected-strong-reply
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:18:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
HP-Outer: Subject: [...]
HP-Outer: Message-ID:
HP-Outer: From: Alice
HP-Outer: To: Bob
HP-Outer: Date: Sat, 20 Feb 2021 12:18:02 -0500
Content-Type: multipart/mixed; boundary="fba"; hp="cipher"

--fba
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="162"

--162
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the
smime-enc-signed-complex-injected-strong-reply
message.

This is an encrypted and signed S/MIME message using PKCS#7
envelopedData around signedData.  The payload is a
multipart/alternative message with an inline image/png
attachment. It uses the Injected Headers header protection
scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example
--162
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-enc-signed-complex-injected-strong-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

--
Alice
alice@smime.example

   --162--

   --fba
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --fba--

C.3.24. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10965 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 7096 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2539 bytes
      ├┬╴multipart/alternative 1457 bytes
      │├─╴text/plain 497 bytes
      │└─╴text/html 657 bytes
      └─╴image/png inline 236 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:19:02 -0500
C.3.24.1. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted

The S/MIME enveloped-data layer unwraps to this signed-data part:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
C.3.24.2. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display), Decrypted and Unwrapped

The inner signed-data layer unwraps to:

   MIME-Version: 1.0
   Subject: smime-enc-signed-complex-injected-strong-legacy-reply
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:19:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Date: Sat, 20 Feb 2021 12:19:02 -0500
   Content-Type: multipart/mixed; boundary="07f"; hp="cipher"

   --07f
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="b70"

   --b70
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Content-Type: text/plain; charset="us-ascii";
    hp-legacy-display="1"

   Subject: smime-enc-signed-complex-injected-strong-legacy-reply

   This is the
   smime-enc-signed-complex-injected-strong-legacy-reply
   message.

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses the Injected Headers header protection
   scheme with the hcp_strong Header Confidentiality Policy with a
   "Legacy Display" part.

   --
   Alice
   alice@smime.example
   --b70
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Content-Type: text/html; charset="us-ascii";
    hp-legacy-display="1"
   Subject: smime-enc-signed-complex-injected-strong-legacy-reply
   

This is the smime-enc-signed-complex-injected-strong-legacy-reply message.

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

--
Alice
alice@smime.example

   --b70--

   --07f
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --07f--

Appendix D. Composition Examples

This section offers step-by-step examples of message composition.

D.1. New message composition

A typical MUA composition interface offers the user a place to indicate the message recipients, the subject, and the body. Consider a composition window filled out by the user like so:

    .------------------------------------------------------.
   | Composing New Message                          .----.  |
   |          +---------------------------------+  | Send | |
   |      To: | Alice                           |   '----'  |
   |          +---------------------------------+---------+ |
   | Subject: | Handling the Jones contract               | |
   |          +-------------------------------------------+ |
   +--------------------------------------------------------+
   | Please review and approve or decline by Thursday, it's |
   | critical!                                              |
   |                                                        |
   | Thanks,                                                |
   | Bob                                                    |
   |                                                        |
   | --                                                     |
   | Bob Gonzalez                                           |
   | ACME, Inc.                                             |
   |                                                        |
   +--------------------------------------------------------+

   Figure 1: Example Message Composition Interface

When Bob clicks "Send", his MUA generates values for Message-ID, From, and Date Header Fields, and converts the message body into the appropriate format.

D.1.1. Unprotected message

The resulting message would look something like this if it was sent without cryptographic protections:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

D.1.2. Encrypted with hcp_baseline and Legacy Display

Now consider the message to be generated if it is to be cryptographically signed and encrypted, using HCP hcp_baseline, and the legacy variable is set.

For each Header Field, Bob's MUA passes its name and value through hcp_baseline. This returns the same value for every Header Field, except that:

   hcp_baseline("Subject", "Handling the Jones contract") yields "[...]".

D.1.2.1. Cryptographic Payload

The Cryptographic Payload that will be signed and then encrypted is very similar to the unprotected message in Appendix D.1.1. Note the addition of:

* The hp="cipher" parameter for the Content-Type

* The appropriate HP-Outer Header Field for Subject

* The hp-legacy-display="1" parameter for the Content-Type

* The Legacy Display Element (the simple pseudo-header and its trailing newline) in the Main Body Part.

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii";
    hp-legacy-display="1"; hp="cipher"
   MIME-Version: 1.0
   HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
   HP-Outer: From: Bob
   HP-Outer: To: Alice
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>

   Subject: Handling the Jones contract

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

D.1.2.2. External Header Section

The Cryptographic Payload from Appendix D.1.2.1 is then wrapped in the appropriate Cryptographic Layers. For this example, using S/MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed-data" layer, which is in turn wrapped in an application/pkcs7-mime; smime-type="enveloped-data" layer.

Then an external Header Section is applied to the outer MIME object, which looks like this:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: [...]
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   MIME-Version: 1.0

Note that the Subject Header Field has been obscured appropriately by hcp_baseline. The output of the CMS enveloping operation is base64-encoded and forms the body of the message.

D.2. Composing a Reply

Next we consider a typical MUA reply interface, where we see Alice replying to Bob's message from Appendix D.1.

When Alice clicks "Reply" to Bob's signed-and-encrypted message with Header Protection, she might see something like this:

    .--------------------------------------------------------.
   | Replying to Bob ("Handling the Jones Contract") .----.  |
   |          +-----------------------------------+  | Send | |
   |      To: | Bob                               |   '----'  |
   |          +-----------------------------------+---------+ |
   | Subject: | Re: Handling the Jones contract             | |
   |          +---------------------------------------------+ |
   +----------------------------------------------------------+
   | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:           |
   |                                                          |
   | > Please review and approve or decline by Thursday,      |
   | > it's critical!                                         |
   | >                                                        |
   | > Thanks,                                                |
   | > Bob                                                    |
   | >                                                        |
   | > --                                                     |
   | > Bob Gonzalez                                           |
   | > ACME, Inc.                                             |
   |                                                          |
   | --                                                       |
   | Alice Jenkins                                            |
   | ACME, Inc.                                               |
   |                                                          |
   +----------------------------------------------------------+

   Figure 2: Example Message Reply Interface (unedited)

Note that because Alice's MUA is aware of Header Protection, it knows what the correct Subject header is, even though it was obscured. It also knows to avoid including the Legacy Display Element in the quoted/attributed text that it includes in the draft reply.
Once Alice has edited the reply message, it might look something like this: .--------------------------------------------------------. | Replying to Bob ("Handling the Jones Contract") .----. | | +-----------------------------------+ | Send | | | To: | Bob | '----' | | +-----------------------------------+---------+ | | Subject: | Re: Handling the Jones contract | | | +---------------------------------------------+ | +----------------------------------------------------------+ | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: | | | | > Please review and approve or decline by Thursday, | | > it's critical! | | | | I'll get right on it, Bob! | | | | Regards, | | Alice | | | | -- | | Alice Jenkins | | ACME, Inc. | | | +----------------------------------------------------------+ Figure 3: Example Message Reply Interface (edited) When Alice clicks "Send", the MUA generates values for Message-ID, From, and Date Header Fields, populates the In-Reply-To, and References Header Fields, and also converts the reply body into the appropriate format. D.2.1. Unprotected message The resulting message would look something like this if it were to be sent without any cryptographic protections: Gillmor, et al. Expires 29 December 2024 [Page 301] Internet-Draft Cryptographic MIME Header Protection June 2024 Date: Wed, 11 Jan 2023 16:48:22 -0500 From: Alice To: Bob Subject: Re: Handling the Jones contract Message-ID: <20230111T214822Z.5678@lhp.example> In-Reply-To: <20230111T210843Z.1234@lhp.example> References: <20230111T210843Z.1234@lhp.example> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: > Please review and approve or decline by Thursday, > it's critical! I'll get right on it, Bob! Regards, Alice -- Alice Jenkins ACME, Inc. Of course, this would leak not only the contents of Alice's message, but also the contents of Bob's initial message, as well as the Subject Header Field! 
So Alice's MUA won't do that; it is going to create a signed-and-encrypted message to submit to the network. D.2.2. Encrypted with hcp_no_confidentiality and Legacy Display This example assumes that Alice's MUA uses hcp_no_confidentiality, not hcp_baseline. That is, by default, it does not obscure or remove any Header Fields, even when encrypting. However, it follows the guidance in Section 7.1, and will make use of the HP-Outer field in the Cryptographic Payload of Bob's original message (Appendix D.1.2.1) to determine what to obscure. When crafting the Cryptographic Payload, its baseline HCP (hcp_no_confidentiality) leaves each field untouched. To uphold the confidentiality of the sender's values when replying, the MUA executes the following steps (for brevity only Subject and Message- ID/In-Reply-To are shown): * Extract the referenced header fields (see Section 5.2): - refouter contains: Gillmor, et al. Expires 29 December 2024 [Page 302] Internet-Draft Cryptographic MIME Header Protection June 2024 o Date: Wed, 11 Jan 2023 16:08:43 -0500 o From: Bob o To: Alice o Subject: [...] o Message-ID: <20230111T210843Z.1234@lhp.example> - refprotected contains: o Date: Wed, 11 Jan 2023 16:08:43 -0500 o From: Bob o To: Alice o Subject: Handling the Jones contract o Message-ID: <20230111T210843Z.1234@lhp.example> * Apply the response function: - respond(refouter) contains: o From: Alice o To: Bob o Subject: Re: [...] o In-Reply-To: <20230111T210843Z.1234@lhp.example> o References: <20230111T210843Z.1234@lhp.example> - respond(refprotected) contains: o From: Alice o To: Bob o Subject: Re: Handling the Jones contract o In-Reply-To: <20230111T210843Z.1234@lhp.example> o References: <20230111T210843Z.1234@lhp.example> Gillmor, et al. Expires 29 December 2024 [Page 303] Internet-Draft Cryptographic MIME Header Protection June 2024 * Compute the ephemeral response_hcp (see Section 5.4): - Note that all headers except Subject are the same. 
  - confmap contains only ("Subject", "Re: Handling the Jones contract") -> "Re: [...]"

Thus all Header Fields that were signed are passed through untouched.

The reply's Subject is obscured as Subject: Re: [...] if and only if the user does not edit the subject line from that initially proposed by the MUA's reply interface. If the user edits the subject line, e.g., to Subject: Re: Handling the Jones contract ASAP, the response_hcp will _not_ obscure it, and instead pass it through in the clear.

For stronger header confidentiality, the replying MUA should use a reasonable HCP (not hcp_no_confidentiality). Also recall that the local HCP is applied first, and that response_hcp is only applied to what is left unchanged by the local HCP.

D.2.2.1. Cryptographic Payload

Consequently, the Cryptographic Payload for Alice's reply looks like this:

    Date: Wed, 11 Jan 2023 16:48:22 -0500
    From: Alice
    To: Bob
    Subject: Re: Handling the Jones contract
    Message-ID: <20230111T214822Z.5678@lhp.example>
    In-Reply-To: <20230111T210843Z.1234@lhp.example>
    References: <20230111T210843Z.1234@lhp.example>
    Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
     hp="cipher"
    MIME-Version: 1.0
    HP-Outer: Date: Wed, 11 Jan 2023 16:48:22 -0500
    HP-Outer: From: Alice
    HP-Outer: To: Bob
    HP-Outer: Subject: Re: [...]
    HP-Outer: Message-ID: <20230111T214822Z.5678@lhp.example>
    HP-Outer: In-Reply-To: <20230111T210843Z.1234@lhp.example>
    HP-Outer: References: <20230111T210843Z.1234@lhp.example>

    Subject: Re: Handling the Jones contract

    On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

    > Please review and approve or decline by Thursday,
    > it's critical!

    I'll get right on it, Bob!

    Regards,
    Alice

    --
    Alice Jenkins
    ACME, Inc.
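
The derivation in Appendix D.2.2, from refouter and refprotected through respond, confmap and response_hcp to the HP-Outer fields of the payload above, as an added Python example that is not part of the draft. The bodies of respond and hcp_baseline, the helper names build_confmap, outer_fields, reply_outer and hp_outer_lines, and the reduction of From/To to the display names shown on the page are assumptions of this example.

```python
# Added example (not from the draft): reply-time header confidentiality as
# walked through in Appendix D.2.2. respond and confmap are the page's terms;
# the function bodies and the other helper names are this example's assumptions.

# Header fields of Bob's original message, as listed on the page.
# From/To are reduced to the display names the page shows.
REFOUTER = {
    "Date": "Wed, 11 Jan 2023 16:08:43 -0500",
    "From": "Bob",
    "To": "Alice",
    "Subject": "[...]",
    "Message-ID": "<20230111T210843Z.1234@lhp.example>",
}
REFPROTECTED = dict(REFOUTER, Subject="Handling the Jones contract")

def respond(ref, me="Alice"):
    """Hypothetical reply function: the header fields a MUA would propose
    when replying to a message whose header fields are `ref`."""
    return {
        "From": me,
        "To": ref["From"],
        "Subject": "Re: " + ref["Subject"],
        "In-Reply-To": ref["Message-ID"],
        "References": ref["Message-ID"],
    }

def build_confmap(refouter, refprotected):
    """(name, protected value) -> outer value, for each proposed reply field
    that differs between the two views. None means the field is omitted."""
    gen_outer = respond(refouter)
    return {
        (name, value): gen_outer.get(name)
        for name, value in respond(refprotected).items()
        if gen_outer.get(name) != value
    }

def hcp_no_confidentiality(name, value):
    return value  # leaves every field untouched

def hcp_baseline(name, value):
    """Simplified sketch of hcp_baseline as the changelog describes it:
    obscure Subject, remove Comments and Keywords."""
    if name == "Subject":
        return "[...]"
    return None if name in ("Comments", "Keywords") else value

def outer_fields(protected, local_hcp, confmap):
    """Local HCP runs first; response_hcp (the confmap lookup) is applied only
    to fields the local HCP left unchanged."""
    outer = {}
    for name, value in protected.items():
        out = local_hcp(name, value)
        if out == value and (name, value) in confmap:
            out = confmap[(name, value)]
        if out is not None:
            outer[name] = out
    return outer

CONFMAP = build_confmap(REFOUTER, REFPROTECTED)

def reply_outer(subject=None, local_hcp=hcp_no_confidentiality):
    """Outer header fields of Alice's reply; `subject` models a user edit."""
    protected = {"Date": "Wed, 11 Jan 2023 16:48:22 -0500",
                 "Message-ID": "<20230111T214822Z.5678@lhp.example>",
                 **respond(REFPROTECTED)}
    if subject:
        protected["Subject"] = subject
    return outer_fields(protected, local_hcp, CONFMAP)

def hp_outer_lines(outer):
    """HP-Outer fields to place in the Cryptographic Payload."""
    return [f"HP-Outer: {name}: {value}" for name, value in outer.items()]
```

Calling reply_outer() with an edited subject shows the pass-through case the text warns about, and passing hcp_baseline as the local HCP shows the edited subject being obscured anyway.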
Note the following features of the Cryptographic Payload for Alice's reply:

* the hp="cipher" parameter to Content-Type
* the appropriate HP-Outer Header Field for Subject
* the hp-legacy-display="1" parameter for the Content-Type
* the Legacy Display Element (the simple pseudo-header and its trailing newline) in the Main Body Part.

D.2.2.2. External Header Section

The Cryptographic Payload from Appendix D.2.2.1 is then wrapped in the appropriate Cryptographic Layers. For this example, using S/MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed-data" layer, which is in turn wrapped in an application/pkcs7-mime; smime-type="enveloped-data" layer.

Then an external Header Section is applied to the outer MIME object, which looks like this:

    Date: Wed, 11 Jan 2023 16:48:22 -0500
    From: Alice
    To: Bob
    Subject: Re: [...]
    Message-ID: <20230111T214822Z.5678@lhp.example>
    In-Reply-To: <20230111T210843Z.1234@lhp.example>
    References: <20230111T210843Z.1234@lhp.example>
    Content-Transfer-Encoding: base64
    Content-Type: application/pkcs7-mime; name="smime.p7m";
     smime-type="enveloped-data"
    MIME-Version: 1.0

Note that the Subject Header Field has been obscured appropriately even though hcp_no_confidentiality would not have touched it by default.

The output of the CMS enveloping operation is base64-encoded and forms the body of the message.

Appendix E. Rendering Examples

This section offers example Cryptographic Payloads (the content within the Cryptographic Envelope) that contain Legacy Display Elements.

E.1. Example text/plain Cryptographic Payload with Legacy Display Elements

Here is a simple one-part Cryptographic Payload (Header Section and body) of a message that includes Legacy Display Elements:

    Date: Fri, 21 Jan 2022 20:40:48 -0500
    From: Alice
    To: Bob
    Subject: Dinner plans
    Message-ID:
    MIME-Version: 1.0
    Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
     hp="cipher"
    HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
    HP-Outer: From: Alice
    HP-Outer: To: Bob
    HP-Outer: Subject: [...]
    HP-Outer: Message-ID:

    Subject: Dinner plans

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A compatible MUA will recognize the hp-legacy-display="1" parameter and render the body of the message as:

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A legacy decryption-capable MUA that is unaware of this mechanism will ignore the hp-legacy-display="1" parameter and instead render the body including the Legacy Display Elements:

    Subject: Dinner plans

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

E.2. Example text/html Cryptographic Payload with Legacy Display Elements

Here is a modern one-part Cryptographic Payload (Header Section and body) of a message that includes Legacy Display Elements:

    Date: Fri, 21 Jan 2022 20:40:48 -0500
    From: Alice
    To: Bob
    Subject: Dinner plans
    Message-ID:
    MIME-Version: 1.0
    Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1";
     hp="cipher"
    HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
    HP-Outer: From: Alice
    HP-Outer: To: Bob
    HP-Outer: Subject: [...]
    HP-Outer: Message-ID:

    Subject: Dinner plans

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A compatible MUA will recognize the hp-legacy-display="1" parameter and mask out the Legacy Display div, rendering the body of the message as a simple paragraph:

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A legacy decryption-capable MUA that is unaware of this mechanism will ignore the hp-legacy-display="1" parameter and instead render the body including the Legacy Display Elements:

    Subject: Dinner plans

    Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

Appendix F. Other Header Protection Schemes

Other Header Protection schemes have been proposed in the past. However, those typically have drawbacks such as sparse implementation, known problems with legacy interoperability (in particular with rendering), lack of clear signalling of sender intent, and/or incomplete cryptographic protections. This section lists such schemes known at the time of the publication of this document out of historical interest.

F.1. Original RFC 8551 Header Protection

S/MIME [RFC8551] (as well as its predecessors [RFC5751] and [RFC3851]) defined a form of cryptographic Header Protection that is similar to the "Wrapped Message" scheme specified in this document. In fact, the scheme originally defined in S/MIME is a subset of the "Wrapped Message" scheme specified in this document. The differences between the original and the updated scheme are outlined in Section 4.2.

F.2. Pretty Easy Privacy (pEp)

The pEp (pretty Easy privacy) [I-D.pep-general] project specifies two different MIME schemes that include Header Protection for Signed-and-Encrypted e-mail messages in [I-D.pep-email]: One scheme -- referred to as pEp Email Format 1 (PEF-1) -- is generated towards MUAs not known to be pEp-capable, while the other scheme -- referred to as PEF-2 -- is used between MUAs discovered to be compatible with pEp.
Signed-only messages are not recommended in pEp.

F.3. "draft-autocrypt" Protected Headers

[I-D.autocrypt-lamps-protected-headers] describes a scheme similar to the "Injected Headers" scheme specified in this document. However, instead of adding Legacy Display Elements to existing MIME parts (cf. Section 6.2.2), "draft-autocrypt" injects a new MIME element "Legacy Display Part", thus modifying the MIME structure of the Cryptographic Payload. These modified Cryptographic Payloads cause significant rendering problems on some common Legacy MUAs.

The lack of a mechanism comparable to hp="cipher" and hp="clear" (see Section 2.1.1) means the recipient of an encrypted "draft-autocrypt" message cannot be cryptographically certain whether the sender intended for the message to be confidential or not. The lack of a mechanism comparable to HP-Outer (see Section 2.2) makes it impossible for the recipient of an encrypted "draft-autocrypt" message to reply or forward it safely (see Section 7).

Appendix G. Document Changelog

[[ RFC Editor: This section is to be removed before publication ]]

* draft-ietf-lamps-header-protection-22

  - Reorganize document for better readability.
  - Add more details about problems with draft-autocrypt.
  - Rename hcp_minimal to hcp_baseline: in addition to obscuring Subject, it now removes other Informational Header Fields Comments and Keywords.
  - Add an example message up front for easier explainability.
  - Unwrap sample message test vectors.
  - Name pseudocode algorithms, number steps.
  - Reply guidance also applies to forwarded messages.
  - hcp_strong: stop rewriting Message-Id.

* draft-ietf-lamps-header-protection-21

  - HP-Outer mechanism replaces HP-Removed and HP-Obscured. This enables the recipient to easily calculate the sender's actions around header confidentiality.
  - Replace Content-Type parameter protected-headers= with hp= and hp-scheme=. The presence of hp= indicates that the sender used Header Protection according to this document, and the value indicates whether the sender tried to encrypt and sign the message or just sign it. hp-scheme="wrapped" advises the recipient that they should look for the protected Header Fields in a subtly different place.
  - Provide a clear algorithm for reasonably safe handling of confidential headers during Reply and Forward operations.
  - Do not register the example HCP hcp_hide_cc, rename to hcp_example_hide_cc
  - Rename hcp_null to hcp_no_confidentiality
  - Provide a clear algorithm for the recipient to compute the protection state of each Header Field.

* draft-ietf-lamps-header-protection-20

  - clarify IANA guidance about registration policy and designated expert review
  - emphasize that Content-Type parameter hp-legacy-display=1 belongs on all main body parts with a legacy display element
  - clean up/normalize pseudocode variable names and text (no algorithm changes)

* draft-ietf-lamps-header-protection-19

  - improve text, capitalize defined terms, fix typos
  - Clean up from AD review:
  - updates RFC 8551 explicitly
  - add "Legacy Signed Message" and "Ordinary User" explicitly to terms
  - tighten up SHOULDs/MUSTs for conformant MUAs
  - expand references to other relevant Security Considerations
  - drop nudge about non-existent Content-Type Parameters registry
  - clarify IANA notes to align with table columns
  - explicitly request HCP registry
  - add references to other header protections schemes, but move all of them to appendix

* draft-ietf-lamps-header-protection-18

  - only allow US-ASCII as modified output of HCP, adjusted ABNF to match

* draft-ietf-lamps-header-protection-17

  - More edits from WGLC:
  - clean up definition of "Header Field"
  - note leakage of encrypted recipient hints
  - clarify explanation of LDE generation
  - clarify how some obscured headers might not actually be private

* draft-ietf-lamps-header-protection-16

  - correct variable names in message composition algorithms
  - make text more readable

* draft-ietf-lamps-header-protection-15

  - include clarifications, typos, etc from comments received during WGLC

* draft-ietf-lamps-header-protection-14

  - provide section references for draft-ietf-lamps-e2e-mail-guidance
  - encourage a future IANA named HCP registry if HCP development takes off

* draft-ietf-lamps-header-protection-13

  - Retitle from "Header Protection for S/MIME" to "Header Protection for Cryptographically Protected E-mail"

* draft-ietf-lamps-header-protection-12

  - MUST produce HP-Obscured and HP-Removed when generating encrypted messages with non-null HCP
  - Wrapped Message: move from forwarded=no to protected-headers=wrapped
  - Wrapped Message: recommend Content-Disposition: inline

* draft-ietf-lamps-header-protection-11

  - Remove most of the Bcc text (transferred general discussion to e2e-mail-guidance)
  - Fix bug in algorithm for generating HP-Obscured and HP-Removed
  - More detail about handling Reply messages
  - Considerations around handling risky Legacy Display Elements
  - Narrative descriptions of some worked examples
  - Describe potential leaks to recipients
  - Clarify debugging/troubleshooting UX affordances

* draft-ietf-lamps-header-protection-10

  - Clarify that HCP doesn't apply to Structural Header Fields
  - Drop out-of-date "Open Issues" section
  - Brief commentary on UI of messages with intermediate/mixed protections
  - Deprecation prospects for messages without protected headers
  - Describe generating replies to encrypted messages with stronger HCP

* draft-ietf-lamps-header-protection-09

  - clarify terminology
  - add privacy and security considerations
  - clarify HCP examples and baselines
  - recommend hcp_minimal as default HCP
  - add HP-Obscured and HP-Removed (avoids reasoning about differences between outside and inside the Cryptographic Envelope)
  - regenerated test vectors

* draft-ietf-lamps-header-protection-08

  - MUST compose injected headers, MAY compose wrapped messages
  - MUST parse both schemes
  - cleanup and restructure document

* draft-ietf-lamps-header-protection-07

  - move from legacy display MIME part to legacy display elements within main body part

* draft-ietf-lamps-header-protection-06

  - document observed problems with legacy MUAs
  - avoid duplicated outer Message-IDs in hcp_strong test vectors

* draft-ietf-lamps-header-protection-05

  - fix multipart/signed wrapped test vectors

* draft-ietf-lamps-header-protection-04

  - add test vectors
  - add "problems with Injected Messages" subsection

* draft-ietf-lamps-header-protection-03

  - dkg takes over from Bernie as primary author
  - Add Usability section
  - describe two distinct formats "Wrapped Message" and "Injected Headers"
  - Introduce Header Confidentiality Policy model
  - Overhaul message composition guidance
  - Simplify document creation workflow, move public face to gitlab

* draft-ietf-lamps-header-protection-02

  - editorial changes / improve language

* draft-ietf-lamps-header-protection-01

  - Add DKG as co-author
  - Partial Rewrite of Abstract and Introduction [HB/AM/DKG]
  - Adding definitions for Cryptographic Layer, Cryptographic Payload, and Cryptographic Envelope (reference to [I-D.ietf-lamps-e2e-mail-guidance]) [DKG]
  - Enhanced MITM Definition to include Machine- / Meddler-in-the-middle [HB]
  - Relaxed definition of Original message, which may not be of type "message/rfc822" [HB]
  - Move "memory hole" option to the Appendix (on request by Chair to only maintain one option in the specification) [HB]
  - Updated Scope of Protection Levels according to WG discussion during IETF-108 [HB]
  - Obfuscation recommendation only for Subject and Message-Id and distinguish between Encrypted and Unencrypted Messages [HB]
  - Removed (commented out) Header Field Flow Figure (it appeared to be confusing as it was) [HB]

* draft-ietf-lamps-header-protection-00

  - Initial version (text partially taken over from draft-ietf-lamps-header-protection-requirements)

Index

C

  ComposeInjectedHeaders
    Table 7

  ComposeNoHeaderProtection
    Table 7

  ComposeWrappedMessage
    Table 7

H

  HCP
    Section 1.8, Paragraph 2.14.1; Section 3, Paragraph 2;
    Section 3, Paragraph 5; Section 3.1, Paragraph 3;
    Section 3.1, Paragraph 9; Section 3.2, Paragraph 2;
    Section 3.2.1, Paragraph 3; Section 3.2.2, Paragraph 3;
    Section 3.3, Paragraph 1; Section 3.4.1, Paragraph 1;
    Section 3.4.2, Paragraph 1; Section 3.4.2, Paragraph 2.1.1;
    Section 3.4.2, Paragraph 2.3.1; Section 3.4.2, Paragraph 2.4.1;
    Section 3.4.2, Paragraph 3; Section 5.4.1, Paragraph 4.8.1;
    Section 5.4.1, Paragraph 5; Section 5.9.2, Paragraph 3;
    Section 6.2.1, Paragraph 4.5.2.2.2.1.1;
    Section 6.3.1, Paragraph 4.4.2.1.2.1.1; Section 7.1, Paragraph 5;
    Section 9.2, Paragraph 1; Section 9.2, Paragraph 4;
    Section 9.2, Paragraph 5; Section 9.2, Paragraph 6;
    Section 10.2, Paragraph 2; Section 10.2, Paragraph 3;
    Section 12.2, Paragraph 1; Section 12.2.1, Paragraph 1;
    Section 12.2.3, Paragraph 1; Section 12.2.3, Paragraph 2;
    Section 12.3, Paragraph 2; Section 12.4, Paragraph 2;
    Section 13, Paragraph 1; Table 7; Appendix D.1.2, Paragraph 1;
    Appendix D.2.2, Paragraph 3; Appendix D.2.2, Paragraph 6;
    Appendix G, Paragraph 2.2.2.4.1; Appendix G, Paragraph 2.4.2.9.1;
    Appendix G, Paragraph 2.5.2.1.1; Appendix G, Paragraph 2.9.2.2.1;
    Appendix G, Paragraph 2.11.2.1.1; Appendix G, Paragraph 2.13.2.1.1;
    Appendix G, Paragraph 2.13.2.5.1; Appendix G, Paragraph 2.14.2.3.1;
    Appendix G, Paragraph 2.14.2.4.1

  Header Confidentiality Policy
    Section 1.8, Paragraph 2.14.1; Section 3, Paragraph 2;
    Section 3.1, Paragraph 1; Section 3.2.1, Paragraph 1;
    Section 3.2.2, Paragraph 1; Section 3.3, Paragraph 1;
    Section 3.4, Paragraph 1; Section 3.4.1, Paragraph 2;
    Section 3.4.2, Paragraph 1; Section 5, Paragraph 5.3.1;
    Section 5.4, Paragraph 2; Section 5.4, Paragraph 5;
    Section 6.2, Paragraph 2.2.1; Section 6.3, Paragraph 2.2.1;
    Section 6.3.1, Paragraph 5; Section 7.1, Paragraph 5;
    Section 9.2, Paragraph 1; Section 10.2, Paragraph 1;
    Section 12.2.1, Paragraph 3; Section 13.3, Paragraph 5.1.1;
    Appendix C.2, Paragraph 1; Appendix C.3.1, Paragraph 1;
    Appendix C.3.2, Paragraph 1; Appendix C.3.3, Paragraph 1;
    Appendix C.3.4, Paragraph 1; Appendix C.3.5, Paragraph 1;
    Appendix C.3.6, Paragraph 1; Appendix C.3.7, Paragraph 1;
    Appendix C.3.8, Paragraph 1; Appendix C.3.9, Paragraph 1;
    Appendix C.3.10, Paragraph 1; Appendix C.3.11, Paragraph 1;
    Appendix C.3.12, Paragraph 1; Appendix C.3.13, Paragraph 1;
    Appendix C.3.14, Paragraph 1; Appendix C.3.15, Paragraph 1;
    Appendix C.3.16, Paragraph 1; Appendix C.3.17, Paragraph 1;
    Appendix C.3.18, Paragraph 1; Appendix C.3.19, Paragraph 1;
    Appendix C.3.20, Paragraph 1; Appendix C.3.21, Paragraph 1;
    Appendix C.3.22, Paragraph 1; Appendix C.3.23, Paragraph 1;
    Appendix C.3.24, Paragraph 1; Appendix G, Paragraph 2.20.2.4.1

  HeaderFieldProtection
    Table 7

  HeaderSetsFromMessage
    Section 5.3.1,
    Paragraph 4.2.1; Table 7

I

  Injected Headers
    Section 1.1, Paragraph 1; Section 1.1, Paragraph 3;
    Section 1.3, Paragraph 1; Section 1.8, Paragraph 2.13.1;
    Section 1.10, Paragraph 1; Section 2.1.2, Paragraph 1; Table 2;
    Section 4, Paragraph 2; Section 4, Paragraph 3;
    Section 4.1, Paragraph 1; Section 4.1, Paragraph 3;
    Section 4.1, Paragraph 4; Section 5.2.1, Paragraph 4.1.1;
    Section 6.2, Paragraph 1; Section 10.3, Paragraph 1;
    Section 10.3, Paragraph 3; Table 7; Appendix C.2.3, Paragraph 1;
    Appendix C.2.4, Paragraph 1; Appendix C.2.7, Paragraph 1;
    Appendix C.2.8, Paragraph 1; Appendix C.3.2, Paragraph 1;
    Appendix C.3.3, Paragraph 1; Appendix C.3.5, Paragraph 1;
    Appendix C.3.6, Paragraph 1; Appendix C.3.8, Paragraph 1;
    Appendix C.3.9, Paragraph 1; Appendix C.3.11, Paragraph 1;
    Appendix C.3.12, Paragraph 1; Appendix C.3.14, Paragraph 1;
    Appendix C.3.15, Paragraph 1; Appendix C.3.17, Paragraph 1;
    Appendix C.3.18, Paragraph 1; Appendix C.3.20, Paragraph 1;
    Appendix C.3.21, Paragraph 1; Appendix C.3.23, Paragraph 1;
    Appendix C.3.24, Paragraph 1; Appendix F.3, Paragraph 1;
    Appendix G, Paragraph 2.20.2.3.1

R

  ReferenceHCP
    Table 7

W

  Wrapped Message
    Section 1.1, Paragraph 1; Section 1.1, Paragraph 2;
    Section 1.1, Paragraph 3; Section 1.2, Paragraph 1;
    Section 1.8, Paragraph 2.12.1; Section 2.1.2, Paragraph 1; Table 2;
    Section 2.1.2, Paragraph 3; Section 4, Paragraph 2;
    Section 4.2, Paragraph 1; Section 4.2, Paragraph 2;
    Section 4.2, Paragraph 3.4.1; Section 4.2, Paragraph 4;
    Section 5.2.1, Paragraph 4.2.1; Section 6.3, Paragraph 1; Table 7;
    Appendix C.2.1, Paragraph 1; Appendix C.2.2, Paragraph 1;
    Appendix C.2.5, Paragraph 1; Appendix C.2.6, Paragraph 1;
    Appendix C.3.1, Paragraph 1; Appendix C.3.4, Paragraph 1;
    Appendix C.3.7, Paragraph 1; Appendix C.3.10, Paragraph 1;
    Appendix C.3.13, Paragraph 1; Appendix C.3.16, Paragraph 1;
    Appendix C.3.19, Paragraph 1; Appendix
    C.3.22, Paragraph 1; Appendix F.1, Paragraph 1;
    Appendix G, Paragraph 2.11.2.2.1; Appendix G, Paragraph 2.11.2.3.1;
    Appendix G, Paragraph 2.20.2.3.1

Authors' Addresses

Daniel Kahn Gillmor
American Civil Liberties Union
125 Broad St.
New York, NY, 10004
United States of America
Email: dkg@fifthhorseman.net

Bernie Hoeneisen
pEp Project
Oberer Graben 4
CH-8400 Winterthur
Switzerland
Email: bernie.hoeneisen@pep-project.org
URI: https://pep-project.org/

Alexey Melnikov
Isode Ltd
14 Castle Mews
Hampton, Middlesex
TW12 2NP
United Kingdom
Email: alexey.melnikov@isode.com