Internet DRAFT - draft-ietf-lamps-header-protection

LAMPS Working Group                                        D. K. Gillmor
Internet-Draft                            American Civil Liberties Union
Updates: 8551 (if approved)                                 B. Hoeneisen
Intended status: Standards Track                             pEp Project
Expires: 2 September 2024                                    A. Melnikov
                                                               Isode Ltd
                                                            1 March 2024


        Header Protection for Cryptographically Protected E-mail
                 draft-ietf-lamps-header-protection-20

Abstract

   S/MIME version 3.1 introduced a mechanism to provide end-to-end
   cryptographic protection of e-mail message headers.  However, few
   implementations generate messages using this mechanism, and several
   legacy implementations have revealed rendering or security issues
   when handling such a message.

   This document updates the S/MIME specification ([RFC8551]) to offer a
   different mechanism that provides the same cryptographic protections
   but with fewer downsides when handled by legacy clients.  The Header
   Protection schemes described here are also applicable to messages
   with PGP/MIME cryptographic protections.  Furthermore, this document
   offers more explicit guidance for clients when generating or handling
   e-mail messages with cryptographic protection of message headers.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://dkg.gitlab.io/lamps-header-protection/.  Status information
   for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/.

   Discussion of this document takes place on the LAMPS Working Group
   mailing list (mailto:spasm@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spasm/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spasm/.

   Source for this draft and an issue tracker can be found at
   https://gitlab.com/dkg/lamps-header-protection.







Gillmor, et al.         Expires 2 September 2024                [Page 1]

Internet-Draft    Cryptographic MIME Header Protection        March 2024


Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 September 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   6
     1.1.  Two Schemes of Header Protection  . . . . . . . . . . . .   7
     1.2.  Problems with Wrapped Messages  . . . . . . . . . . . . .   7
     1.3.  Problems with Injected Headers  . . . . . . . . . . . . .   8
     1.4.  Motivation  . . . . . . . . . . . . . . . . . . . . . . .   8
       1.4.1.  Backward Compatibility  . . . . . . . . . . . . . . .   8
       1.4.2.  Deliverability  . . . . . . . . . . . . . . . . . . .   9
     1.5.  Other Protocols to Protect E-Mail Header Fields . . . . .   9
     1.6.  Applicability to PGP/MIME . . . . . . . . . . . . . . . .  10
     1.7.  Requirements Language . . . . . . . . . . . . . . . . . .  10
     1.8.  Terms . . . . . . . . . . . . . . . . . . . . . . . . . .  11
     1.9.  Document Scope  . . . . . . . . . . . . . . . . . . . . .  12
       1.9.1.  In Scope  . . . . . . . . . . . . . . . . . . . . . .  12
       1.9.2.  Out of Scope  . . . . . . . . . . . . . . . . . . . .  13
   2.  Specification . . . . . . . . . . . . . . . . . . . . . . . .  13
     2.1.  Injected Headers Scheme . . . . . . . . . . . . . . . . .  14
     2.2.  Wrapped Message Scheme  . . . . . . . . . . . . . . . . .  14
     2.3.  Sending Side  . . . . . . . . . . . . . . . . . . . . . .  15
       2.3.1.  Composing a Cryptographically-Protected Message Without
               Header Protection . . . . . . . . . . . . . . . . . .  15
       2.3.2.  Header Confidentiality Policy . . . . . . . . . . . .  16
       2.3.3.  Definition of HP-Removed and HP-Obscured Header
               Fields  . . . . . . . . . . . . . . . . . . . . . . .  17
       2.3.4.  Composing with "Injected Headers" Header
               Protection  . . . . . . . . . . . . . . . . . . . . .  18
       2.3.5.  Composing with "Wrapped Message" Header Protection  .  24
       2.3.6.  Choosing Between Wrapped Message and Injected
               Headers . . . . . . . . . . . . . . . . . . . . . . .  26
     2.4.  Default Header Confidentiality Policy . . . . . . . . . .  26
       2.4.1.  Minimal Header Confidentiality Policy . . . . . . . .  26
       2.4.2.  Strong Header Confidentiality Policy  . . . . . . . .  27
       2.4.3.  Null Header Confidentiality Policy  . . . . . . . . .  27
       2.4.4.  Offering Stronger Header Confidentiality  . . . . . .  27
     2.5.  Receiving Side  . . . . . . . . . . . . . . . . . . . . .  28
       2.5.1.  Identifying that a Message has Header Protection  . .  29
       2.5.2.  Updating the Cryptographic Summary  . . . . . . . . .  29
       2.5.3.  Rendering a Message with Injected Headers . . . . . .  30
       2.5.4.  Rendering a Wrapped Message . . . . . . . . . . . . .  33
       2.5.5.  Guidance for Automated Message Handling . . . . . . .  35
       2.5.6.  Affordances for Debugging and Troubleshooting . . . .  36
       2.5.7.  Rendering Other Schemes . . . . . . . . . . . . . . .  37
       2.5.8.  Composing a Reply to an Encrypted Message with Header
               Protection  . . . . . . . . . . . . . . . . . . . . .  37
       2.5.9.  Implicitly-rendered Header Fields . . . . . . . . . .  38
       2.5.10. Unprotected Header Fields Added in Transit  . . . . .  39
       2.5.11. Handling Undecryptable Messages . . . . . . . . . . .  40
   3.  E-mail Ecosystem Evolution  . . . . . . . . . . . . . . . . .  41
     3.1.  Dropping Legacy Display Elements  . . . . . . . . . . . .  42
     3.2.  Stronger Default Header Confidentiality Policy  . . . . .  42
     3.3.  Deprecation of Messages Without Header Protection . . . .  43
   4.  Usability Considerations  . . . . . . . . . . . . . . . . . .  44
     4.1.  Mixed Protections Within a Message Are Hard To
           Understand  . . . . . . . . . . . . . . . . . . . . . . .  44
     4.2.  Users Should Not Have To Choose a Header Confidentiality
           Policy  . . . . . . . . . . . . . . . . . . . . . . . . .  45
     4.3.  Users Should Not Have To Choose a Header Protection
           Scheme  . . . . . . . . . . . . . . . . . . . . . . . . .  45
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  46
     5.1.  Caution about Composing with Legacy Display Elements  . .  46
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  47
     6.1.  Some Encrypted Header Fields Are Not Always Private . . .  47
     6.2.  Header Fields Can Leak Unwanted Information to the
           Recipient . . . . . . . . . . . . . . . . . . . . . . . .  48
       6.2.1.  Encrypted Header Fields Can Be Inferred From External
               or Internal Metadata  . . . . . . . . . . . . . . . .  49
       6.2.2.  HCP May Not Mask All Data in an Encrypted Header
               Field . . . . . . . . . . . . . . . . . . . . . . . .  49
       6.2.3.  A Naive Recipient May Overestimate the Cryptographic
               Status of a Header Field in an Encrypted Message  . .  49
       6.2.4.  Summary and Implementation Guidance . . . . . . . . .  50
     6.3.  Privacy and Deliverability Risks with Bcc and Encrypted
           Messages  . . . . . . . . . . . . . . . . . . . . . . . .  51
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  51
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  54
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  54
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  54
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  55
   Appendix A.  Possible Problems with some Legacy Clients . . . . .  58
     A.1.  Problems Reviewing signed-and-encrypted Messages in List
           View  . . . . . . . . . . . . . . . . . . . . . . . . . .  58
     A.2.  Problems when Rendering a signed-and-encrypted Message  .  58
     A.3.  Problems when Replying to a signed-and-encrypted
           Message . . . . . . . . . . . . . . . . . . . . . . . . .  59
     A.4.  Problems Reviewing signed-only Messages in List View  . .  60
     A.5.  Problems when Rendering a signed-only Message . . . . . .  60
     A.6.  Problems when Replying to a signed-only Message . . . . .  60
   Appendix B.  Test Vectors . . . . . . . . . . . . . . . . . . . .  61
     B.1.  Baseline Messages . . . . . . . . . . . . . . . . . . . .  61
       B.1.1.  No Cryptographic Protections Over a Simple Message  .  61
       B.1.2.  S/MIME Signed-only signedData Over a Simple Message, No
               Header Protection . . . . . . . . . . . . . . . . . .  62
       B.1.3.  S/MIME Signed-only multipart/signed Over a Simple
               Message, No Header Protection . . . . . . . . . . . .  64
       B.1.4.  S/MIME Encrypted and Signed Over a Simple Message, No
               Header Protection . . . . . . . . . . . . . . . . . .  66
       B.1.5.  No Cryptographic Protections Over a Complex
               Message . . . . . . . . . . . . . . . . . . . . . . .  69
       B.1.6.  S/MIME Signed-only signedData Over a Complex Message,
               No Header Protection  . . . . . . . . . . . . . . . .  70
       B.1.7.  S/MIME Signed-only multipart/signed Over a Complex
               Message, No Header Protection . . . . . . . . . . . .  72
       B.1.8.  S/MIME Encrypted and Signed Over a Complex Message, No
               Header Protection . . . . . . . . . . . . . . . . . .  75
     B.2.  Signed-only Messages  . . . . . . . . . . . . . . . . . .  79
       B.2.1.  S/MIME Signed-only signedData Over a Simple Message,
               Wrapped Message . . . . . . . . . . . . . . . . . . .  79
       B.2.2.  S/MIME Signed-only multipart/signed Over a Simple
               Message, Wrapped Message  . . . . . . . . . . . . . .  81
       B.2.3.  S/MIME Signed-only signedData Over a Simple Message,
               Injected Headers  . . . . . . . . . . . . . . . . . .  83
       B.2.4.  S/MIME Signed-only multipart/signed Over a Simple
               Message, Injected Headers . . . . . . . . . . . . . .  85
       B.2.5.  S/MIME Signed-only signedData Over a Complex Message,
               Wrapped Message . . . . . . . . . . . . . . . . . . .  88
       B.2.6.  S/MIME Signed-only multipart/signed Over a Complex
               Message, Wrapped Message  . . . . . . . . . . . . . .  90
       B.2.7.  S/MIME Signed-only signedData Over a Complex Message,
               Injected Headers  . . . . . . . . . . . . . . . . . .  93
       B.2.8.  S/MIME Signed-only multipart/signed Over a Complex
               Message, Injected Headers . . . . . . . . . . . . . .  96
     B.3.  Encrypted-and-signed Messages . . . . . . . . . . . . . .  99
       B.3.1.  S/MIME Encrypted and Signed Over a Simple Message,
               Wrapped Message With hcp_minimal  . . . . . . . . . .  99
       B.3.2.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_minimal . . . . . . . . . . 102
       B.3.3.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_minimal (+ Legacy Display)  105
       B.3.4.  S/MIME Encrypted and Signed Over a Simple Message,
               Wrapped Message With hcp_strong . . . . . . . . . . . 108
       B.3.5.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_strong  . . . . . . . . . . 112
       B.3.6.  S/MIME Encrypted and Signed Over a Simple Message,
               Injected Headers With hcp_strong (+ Legacy Display) . 115
       B.3.7.  S/MIME Encrypted and Signed Reply Over a Simple
               Message, Wrapped Message With hcp_minimal . . . . . . 118
       B.3.8.  S/MIME Encrypted and Signed Reply Over a Simple
               Message, Injected Headers With hcp_minimal  . . . . . 121
       B.3.9.  S/MIME Encrypted and Signed Reply Over a Simple
               Message, Injected Headers With hcp_minimal (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 124
       B.3.10. S/MIME Encrypted and Signed Reply Over a Simple
               Message, Wrapped Message With hcp_strong  . . . . . . 127
       B.3.11. S/MIME Encrypted and Signed Reply Over a Simple
               Message, Injected Headers With hcp_strong . . . . . . 131
       B.3.12. S/MIME Encrypted and Signed Reply Over a Simple
               Message, Injected Headers With hcp_strong (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 134
       B.3.13. S/MIME Encrypted and Signed Over a Complex Message,
               Wrapped Message With hcp_minimal  . . . . . . . . . . 137
       B.3.14. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_minimal . . . . . . . . . . 141
       B.3.15. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_minimal (+ Legacy Display)  145
       B.3.16. S/MIME Encrypted and Signed Over a Complex Message,
               Wrapped Message With hcp_strong . . . . . . . . . . . 149
       B.3.17. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_strong  . . . . . . . . . . 153
       B.3.18. S/MIME Encrypted and Signed Over a Complex Message,
               Injected Headers With hcp_strong (+ Legacy Display) . 156
       B.3.19. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Wrapped Message With hcp_minimal . . . . . . 160
       B.3.20. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Injected Headers With hcp_minimal  . . . . . 165
       B.3.21. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Injected Headers With hcp_minimal (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 169
       B.3.22. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Wrapped Message With hcp_strong  . . . . . . 173
       B.3.23. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Injected Headers With hcp_strong . . . . . . 177
       B.3.24. S/MIME Encrypted and Signed Reply Over a Complex
               Message, Injected Headers With hcp_strong (+ Legacy
               Display)  . . . . . . . . . . . . . . . . . . . . . . 181
   Appendix C.  Composition Examples . . . . . . . . . . . . . . . . 185
     C.1.  New message composition . . . . . . . . . . . . . . . . . 185
       C.1.1.  Unprotected message . . . . . . . . . . . . . . . . . 186
       C.1.2.  Encrypted with hcp_minimal and Legacy Display . . . . 186
     C.2.  Composing a Reply . . . . . . . . . . . . . . . . . . . . 188
       C.2.1.  Unprotected message . . . . . . . . . . . . . . . . . 189
       C.2.2.  Encrypted with hcp_null and Legacy Display  . . . . . 190
   Appendix D.  Rendering Examples . . . . . . . . . . . . . . . . . 192
     D.1.  Example text/plain Cryptographic Payload with Legacy
           Display Elements  . . . . . . . . . . . . . . . . . . . . 193
     D.2.  Example text/html Cryptographic Payload with Legacy Display
           Elements  . . . . . . . . . . . . . . . . . . . . . . . . 193
   Appendix E.  Other Header Protection Schemes  . . . . . . . . . . 194
     E.1.  Original RFC 8551 Header Protection . . . . . . . . . . . 195
     E.2.  Pretty Easy Privacy (pEp) . . . . . . . . . . . . . . . . 195
     E.3.  "draft-autocrypt" Protected Headers . . . . . . . . . . . 195
   Appendix F.  Document Changelog . . . . . . . . . . . . . . . . . 195
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 200

1.  Introduction

   Privacy and security issues regarding e-mail Header Protection in
   S/MIME and PGP/MIME have been identified for some time.  Most current
   implementations of cryptographically-protected electronic mail
   protect only the body of the message, which leaves significant room
   for attacks against otherwise-protected messages.  For example, lack
   of Header Protection allows an attacker to substitute the message
   subject and/or author.

   This document describes two different schemes for how message headers
   can be cryptographically protected, and provides guidance for
   implementers of MUAs that generate and interpret such messages.  It
   uses the term "Legacy MUA" to refer to an MUA that does not implement
   either scheme.  This document takes particular care to ensure that
   messages interact reasonably well with Legacy MUAs.

1.1.  Two Schemes of Header Protection

   This document addresses two different schemes for cryptographically
   protecting e-mail Header Sections or fields and provides guidance to
   implementers.  One scheme ("Injected Headers") is more interoperable
   with Legacy MUAs, and is mandatory to implement and interpret.  The
   other, older scheme ("Wrapped Message") is described here to enable
   interpretation of archived messages.

   The older scheme was first specified in S/MIME 3.1 ([RFC8551]), and
   involves wrapping a message/rfc822 or message/global MIME object with
   a Cryptographic Envelope around the message to protect.  This
   document calls this scheme "Wrapped Message", and it updates the
   scheme described in that document, effectively replacing the final
   two paragraphs of Section 3.1 of [RFC8551].  However, experience has
   shown that even the updated "Wrapped Message" form does not interact
   well with some Legacy MUAs (see Section 1.2).

   The more interoperable "Injected Headers" scheme of Header Protection
   is introduced in this document, and is preferred over the "Wrapped
   Message" scheme.  In the "Injected Headers" scheme, the protected
   Header Fields are placed directly on the Cryptographic Payload,
   without using an intervening message/* MIME object.  See
   Section 2.3.4 and Section 2.5.3 for more details.

1.2.  Problems with Wrapped Messages

   Several Legacy MUAs have revealed rendering issues when dealing with
   a message that uses the Wrapped Message Header Protection scheme.

   In some cases, some mail user agents cannot render message/rfc822
   message subparts at all, in violation of baseline MIME requirements
   as described on page 5 of [RFC2049].  This leaves all Wrapped
   Messages unreadable by any recipient using such an MUA.

   In other cases, the user sees an attachment suggesting a forwarded
   e-mail message, which -- in fact -- contains the protected e-mail
   message that should be rendered directly.  In most of these cases,
   the user can click on the attachment to view the protected message.

   However, viewing the protected message as an attachment in isolation
   may strip it of any security indications, leaving the user unable to
   assess the cryptographic properties of the message.  Worse, for
   encrypted messages, interacting with the protected message in
   isolation may leak contents of the cleartext, for example, if the
   reply is not also encrypted.

1.3.  Problems with Injected Headers

   A Legacy MUA dealing with an encrypted message that has some Header
   Fields obscured using the Injected Headers scheme will not render the
   obscured Header Fields to the user at all.  A workaround "Legacy
   Display" mechanism is provided in this document, which most Legacy
   MUAs should render to the user, albeit not in the same location that
   the Header Fields would normally be rendered.

1.4.  Motivation

   Users generally do not understand the distinction between message
   body and message header.  When an e-mail message has cryptographic
   protections that cover the message body, but not the Header Fields,
   several attacks become possible.

   For example, a Legacy Signed Message has a signature that covers the
   body but not the Header Fields.  An attacker can therefore modify the
   Header Fields (including the Subject header) without invalidating the
   signature.  Since most readers consider a message body in the context
   of the message's Subject header, the meaning of the message itself
   could change drastically (under the attacker's control) while still
   retaining the same cryptographic indicator of authenticity.

   In another example, a Legacy Encrypted Message has its body
   effectively hidden from an adversary that snoops on the message.  But
   if the Header Fields are not also encrypted, significant information
   about the message (such as the message Subject) will leak to the
   inspecting adversary.

   However, if the sending and receiving MUAs ensure that cryptographic
   protections cover the message Header Section as well as the message
   body, these attacks are defeated.
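
   The signed-only case above, as an added example that is not part of
   the draft: a receiver-side check showing that rewriting the outer
   Subject leaves the signed bytes untouched, and that a protected copy
   of the Header Fields on the Cryptographic Payload makes the change
   detectable.  Assumptions: the message is constructed, a SHA-256
   digest of the signed subpart stands in for signature verification,
   and the function names and status labels are hypothetical, not the
   draft's rendering rules.

```python
import hashlib
from email import message_from_bytes

CRLF = b"\r\n"

# Constructed sample Header Fields (not taken from the draft's test vectors).
OUTER_FIELDS = [
    b"From: Alice <alice@example.net>",
    b"To: Bob <bob@example.net>",
    b"Subject: Lunch on Friday?",
]


def build_signed(injected: bool) -> bytes:
    """Build a constructed multipart/signed message.

    injected=False: Legacy Signed Message, payload has no user-facing fields.
    injected=True:  protected Header Fields sit directly on the payload.
    The signature part is a placeholder; no real S/MIME signing is done.
    """
    payload_head = [b"Content-Type: text/plain; charset=us-ascii"]
    if injected:
        payload_head = OUTER_FIELDS + payload_head
    lines = OUTER_FIELDS + [
        b"MIME-Version: 1.0",
        b'Content-Type: multipart/signed; boundary="b1"; '
        b'protocol="application/pkcs7-signature"; micalg=sha-256',
        b"",
        b"--b1",
        *payload_head,
        b"",
        b"Yes or no?",
        b"--b1",
        b"Content-Type: application/pkcs7-signature",
        b"",
        b"PLACEHOLDER-SIGNATURE",
        b"--b1--",
        b"",
    ]
    return CRLF.join(lines)


def covered_bytes(raw: bytes) -> bytes:
    """Return the first subpart of multipart/signed exactly as transmitted.

    These are the only bytes the signature covers; the outer Header
    Section is outside them.
    """
    msg = message_from_bytes(raw)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/signed" or boundary is None:
        raise ValueError("not a multipart/signed message")
    pieces = raw.split(CRLF + b"--" + boundary.encode("ascii"))
    if len(pieces) < 3 or not pieces[1].startswith(CRLF):
        raise ValueError("malformed multipart/signed body")
    return pieces[1].split(CRLF, 1)[1]  # drop the rest of the delimiter line


def covered_digest(raw: bytes) -> str:
    """Stand-in for signature verification: unchanged digest means the
    original signature would still validate."""
    return hashlib.sha256(covered_bytes(raw)).hexdigest()


def header_status(raw: bytes, fields=("From", "To", "Subject")) -> dict:
    """Compare each outer Header Field with its copy on the signed payload."""
    outer = message_from_bytes(raw)
    inner = message_from_bytes(covered_bytes(raw))
    norm = lambda value: " ".join(value.split())
    status = {}
    for name in fields:
        o, p = outer.get(name), inner.get(name)
        if p is None:
            status[name] = "unprotected"   # nothing signed to compare against
        elif o is None or norm(o) != norm(p):
            status[name] = "mismatch"      # outer field differs from signed copy
        else:
            status[name] = "protected"
    return status


def rewrite_outer_subject(raw: bytes, new_subject: bytes) -> bytes:
    """Simulate an in-transit change to the outer (unsigned) Subject only."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    lines = [
        b"Subject: " + new_subject if l.lower().startswith(b"subject:") else l
        for l in head.split(CRLF)
    ]
    return CRLF.join(lines) + sep + rest


if __name__ == "__main__":
    for injected in (False, True):
        original = build_signed(injected)
        changed = rewrite_outer_subject(original, b"Lunch on Monday?")
        same_sig = covered_digest(original) == covered_digest(changed)
        print("injected" if injected else "legacy",
              "| signature still valid:", same_sig,
              "|", header_status(changed))
```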

1.4.1.  Backward Compatibility

   If the sending MUA is unwilling to generate such a fully-protected
   message due to the potential for rendering, usability,
   deliverability, or security issues, these defenses cannot be
   realized.

   The sender cannot know what MUA (or MUAs) the recipient will use to
   handle the message.  Thus, an outbound message format that is
   backward-compatible with as many legacy implementations as possible
   is a more effective vehicle for providing the whole-message
   cryptographic protections described above.

   This document aims for backward compatibility with Legacy MUAs to the
   extent possible.  In some cases, such as when a user-visible Header
   Field like the Subject is cryptographically hidden, the message
   cannot behave entirely identically in a Legacy MUA.  But
   accommodations are described here that ensure a rough semantic
   equivalence for Legacy MUAs even in these cases.

1.4.2.  Deliverability

   A message with perfect cryptographic protections that cannot be
   delivered is less useful than a message with imperfect cryptographic
   protections that can be delivered.  Senders want their messages to
   reach the intended recipients.

   Given the current state of the Internet mail ecosystem, encrypted
   messages in particular cannot shield all of their Header Fields from
   visibility and still be guaranteed delivery to their intended
   recipient.

   This document accounts for this concern by providing a mechanism
   (Section 2.3.2) that prioritizes initial deliverability (at the cost
   of some header leakage) while facilitating future message variants
   that shield more header metadata from casual inspection.

1.5.  Other Protocols to Protect E-Mail Header Fields

   A separate pair of protocols also provides some cryptographic
   protection for the e-mail message header integrity: DomainKeys
   Identified Mail (DKIM) [RFC6376], as used in combination with Domain-
   based Message Authentication, Reporting, and Conformance (DMARC)
   [RFC7489].  This pair of protocols provides a domain-based reputation
   mechanism that can be used to mitigate some forms of unsolicited
   e-mail (spam).

   However, the DKIM+DMARC suite provides cryptographic protection at a
   different scope than the mechanisms described here.  In particular,
   the message integrity and authentication signals provided by
   DKIM+DMARC correspond to the domain name of the sending e-mail
   address, not the sending address itself, so the DKIM+DMARC suite does
   not provide end-to-end protection.  DKIM and DMARC are typically
   applied to messages by (and interpreted by) mail transfer agents, not
   mail user agents.  The mechanisms in this document are typically
   applied to messages by (and interpreted by) mail user agents.

   Furthermore, the DKIM+DMARC suite only provides cryptographic
   integrity and authentication, not encryption.  So cryptographic
   confidentiality is not available from that suite.

   The DKIM+DMARC suite can be used on any message, including messages
   formed as described in this document.  There should be no conflict
   between these schemes.

   Though not strictly e-mail, similar protections have been in use on
   Usenet for signing and verification of message headers for years.
   See [PGPCONTROL] and [PGPVERIFY-FORMAT] for more details.  Like
   DKIM, these Usenet control protections offer only integrity and
   authentication, not encryption.

1.6.  Applicability to PGP/MIME

   This document describes end-to-end cryptographic protections for
   e-mail messages in reference to S/MIME ([RFC8551]).

   Comparable end-to-end cryptographic protections can also be provided
   by PGP/MIME ([RFC3156]).

   The mechanisms in this document should be applicable in the PGP/MIME
   protections as well as S/MIME protections, but analysis and
   implementation in this document focuses on S/MIME.

   To the extent that any divergence from the mechanism described here
   is necessary for PGP/MIME, that divergence is out of scope for this
   document.

1.7.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The key words "SPECIFICATION REQUIRED" and "IETF REVIEW" that appear
   in this document when used to describe namespace allocation are to be
   interpreted as described in [RFC8126].

1.8.  Terms

   The following terms are defined for the scope of this document:

   *  S/MIME: Secure/Multipurpose Internet Mail Extensions (see
      [RFC8551])

   *  PGP/MIME: MIME Security with OpenPGP (see [RFC3156])

   *  Message: An E-Mail Message consisting of Header Fields
      (collectively called "the Header Section of the message")
      followed, optionally, by a Body; see [RFC5322].

      Note: To avoid ambiguity, this document avoids using the terms
      "Header" or "Headers" in isolation, but instead always uses
      "Header Field" to refer to the individual field and "Header
      Section" to refer to the entire collection.

   *  Header Field: A Header Field includes a field name, followed by a
      colon (":"), followed by a field body (value), and terminated by
      CRLF; see Section 2.2 of [RFC5322] for more details.

   *  Header Section: The Header Section is a sequence of lines of
      characters with special syntax as defined in [RFC5322].  The
      Header Section of a Message contains the Header Fields associated
      with the Message itself.  The Header Section of a MIME part (that
      is, a subpart of a message) typically contains Header Fields
      associated with that particular MIME part.

   *  Body: The Body is the part of a Message that follows the Header
      Section and is separated from the Header Section by an empty line
      (i.e., a line with nothing preceding the CRLF); see [RFC5322].  It
      is the (bottom) section of a Message containing the payload of a
      Message.  Typically, the Body consists of a (possibly multipart)
      MIME [RFC2045] construct.

   *  Header Protection (HP): cryptographic protection of e-mail Header
      Sections (or parts of them) for signatures and/or encryption

   *  Cryptographic Layer, Cryptographic Payload, Cryptographic
      Envelope, Cryptographic Summary, Structural Header Fields, Main
      Body Part, User-Facing Header Fields, and MUA are all used as
      defined in [I-D.ietf-lamps-e2e-mail-guidance]

   *  Legacy MUA: an MUA that does not understand Header Protection as
      described in this document.  A Legacy Non-Crypto MUA is incapable
      of doing any end-to-end cryptographic operations.  A Legacy Crypto
      MUA is capable of doing cryptographic operations, but does not
      understand or generate messages with Header Protection.

   *  Legacy Signed Message: an e-mail message that was signed by a
      Legacy MUA (and therefore has no cryptographic authenticity or
      integrity protections on its Header Fields).

   *  Wrapped Message: The Header Protection scheme that uses the
      mechanism described in [RFC8551], where the Cryptographic Payload
      is a message/rfc822 or message/global MIME object, augmented with
      a Content-Type parameter to indicate that this is the explicit
      intent (see Section 2.2).

   *  Injected Headers: The Header Protection scheme that uses the
      mechanism described in this document (see Section 2.1), where the
      protected Header Fields are inserted on the Cryptographic Payload
      directly.

   *  Header Confidentiality Policy (HCP): a functional specification of
      which Header Fields should be obscured when composing an encrypted
      message with Header Protection.  See Section 2.3.2.

   *  Ordinary User: a user of an MUA who follows a simple and minimal
      experience, focused on sending and receiving e-mails.  A user who
      opts into advanced configuration, expert mode, or the like is not
      an "Ordinary User".

1.9.  Document Scope

   This document describes sensible, simple behavior for a program that
   generates an e-mail message with standard end-to-end cryptographic
   protections, following the guidance in
   [I-D.ietf-lamps-e2e-mail-guidance].  An implementation conformant to
   this draft will produce messages that have cryptographic protection
   that covers the message's Header Fields as well as its body.

1.9.1.  In Scope

   This document also describes sensible, simple behavior for a program
   that interprets such a message, in a way that can take advantage of
   these protections covering the Header Fields as well as the body.

   The message generation guidance aims to minimize negative
   interactions with any Legacy receiving MUA while providing actionable
   cryptographic properties for modern receiving clients.

   In particular, this document focuses on two standard types of
   cryptographic protection that cover the entire message:

   *  A cleartext message with a single signature, and

   *  An encrypted message that contains a single cryptographic
      signature.

1.9.2.  Out of Scope

   The message composition guidance in this document (in Section 2.3.4)
   aims to provide minimal disruption for any Legacy MUA that receives
   such a message.  However, a Legacy MUA by definition does not
   implement any of the guidance here.  Therefore, the document does not
   attempt to provide guidance for Legacy MUAs directly.

   Furthermore, this document does not explicitly contemplate other
   variants of cryptographic message protections, including any of
   these:

   *  Encrypted-only message (without a cryptographic signature)

   *  Triple-wrapped message

   *  Signed message with multiple signatures

   *  Encrypted message with a cryptographic signature outside the
      encryption.

   All such messages are out of scope of this document.

2.  Specification

   As mentioned in Section 1.1, this document describes two ways to
   provide end-to-end cryptographic protection for an e-mail message
   that includes all Header Fields known to the sender at message
   composition time.

   A receiving MUA MUST be able to handle both Header Protection
   schemes, as described in Section 2.5.

   A sending MUA MUST be able to generate the Injected Headers scheme
   (Section 2.3.4), and MAY generate the Wrapped Message scheme
   (Section 2.3.5).

2.1.  Injected Headers Scheme

   A message that uses the Injected Headers scheme has protected Header
   Fields in the Header Section of the Cryptographic Payload.

   For an encrypted message that has at least one user-visible Header
   Field omitted or obscured outside of the Cryptographic Payload, those
   Header Fields MAY also be duplicated into decorative copies in the
   Main Body MIME part of the Cryptographic Payload itself.  These
   decorative copies within the message are known as "Legacy Display
   Elements".

   Such a Legacy Display Element can be useful for a Legacy receiving
   MUA that doesn't yet understand how to interpret or display a
   cryptographically-protected confidential header.  See Section 3.1 for
   more details about how the ecosystem could shift so that a sending
   MUA could avoid the need to generate any Legacy Display Element.

   Composing a message with the Injected Headers scheme is described in
   Section 2.3.4.  Rendering such a message is described in
   Section 2.5.3.

2.2.  Wrapped Message Scheme

   A message that uses the Wrapped Message scheme has a Cryptographic
   Payload of a single message/rfc822 (or message/global) MIME object,
   which itself contains the original message (including the protected
   Header Section).

   The Wrapped Message Header Protection scheme is very similar to that
   described in Section 3.1 of [RFC8551].  The main augmentations this
   document provides to that scheme are:

   *  an explicit discussion of how to obscure or remove Header Fields,

   *  an additional protected-headers=wrapped parameter to the
      Content-Type Header Field of the Cryptographic Payload to indicate
      the explicit intent, and

   *  a recommendation to mark such a Wrapped Message as
      Content-Disposition: inline to encourage Legacy MUAs to render the
      inner message directly rather than treating it as an attachment.

   Composing a message with the Wrapped Message scheme is described in
   Section 2.3.5.  Rendering such a message is described in
   Section 2.5.4.

2.3.  Sending Side

   This section describes the process an MUA should use to apply
   cryptographic protection to an e-mail message with Header Protection.
   We start by describing the legacy message composition process as a
   baseline.

2.3.1.  Composing a Cryptographically-Protected Message Without Header
        Protection

   Section 5.1 of [I-D.ietf-lamps-e2e-mail-guidance] describes the
   typical process for a Legacy Crypto MUA to apply cryptographic
   protections to an e-mail message.  That guidance and terminology is
   replicated here for reference:

   *  origbody: the traditional unprotected message body as a
      well-formed MIME tree (possibly just a single MIME leaf part).  As
      a well-formed MIME tree, origbody already has structural Header
      Fields (Content-*) present.

   *  origheaders: the intended non-structural Header Fields for the
      message, represented here as a list of (h,v) pairs, where h is a
      Header Field name and v is the associated value.  Note that these
      are Header Fields that the MUA intends to be visible to the
      recipient of the message.  In particular, if the MUA uses the Bcc
      header during composition, but plans to omit it from the message
      (see Section 3.6.3 of [RFC5322]), it will not be in origheaders.

   *  crypto: The series of cryptographic protections to apply (for
      example, "sign with the secret key corresponding to X.509
      certificate X, then encrypt to X.509 certificates X and Y").  This
      is a routine that accepts a MIME tree as input (the Cryptographic
      Payload), wraps the input in the appropriate Cryptographic
      Envelope, and returns the resultant MIME tree as output.

   The algorithm returns a MIME object that is ready to be injected into
   the mail system:

   *  Apply crypto to MIME part origbody, producing MIME tree output

   *  For each Header Field name and value (h,v) in origheaders:

      -  Add Header Field h to output with value v

   *  Return output

2.3.2.  Header Confidentiality Policy

   When composing an encrypted message with Header Protection, the
   composing MUA needs a Header Confidentiality Policy (HCP).  In this
   document, we represent that Header Confidentiality Policy as a
   function hcp:

   *  hcp(name, val_in) → val_out: this function takes a non-structural
      Header Field identified by name with initial value val_in as
      arguments, and returns a replacement header value val_out.  If
      val_out is the special value null, it means that the Header Field
      in question should be omitted from the set of Header Fields
      visible outside the Cryptographic Envelope.

   Note that hcp is only applied to non-structural Header Fields.  When
   composing a message, Structural Header Fields are dealt with
   separately, as described in Section 2.3.4 and Section 2.3.5.

   As an example, an MUA that obscures the Subject Header Field by
   replacing it with the literal string "[...]", hides all Cc'ed
   recipients, and does not offer confidentiality to any other Header
   Fields would be represented as (in pseudocode):

   hcp_hide_cc(name, val_in) → val_out:
       if name is 'Subject':
           return '[...]'
       else if name is 'Cc':
           return null
       else:
           return val_in

   Note that such a policy is only needed when the end-to-end
   protections include encryption (confidentiality).  No comparable
   policy is needed for other end-to-end cryptographic protections
   (integrity and authenticity), as they are simply uniformly applied so
   that all Header Fields known by the sender have these protections.

   This asymmetry is an unfortunate consequence of complexities in
   message delivery systems, some of which may reject, drop, or delay
   messages where all Header Fields are removed from the top-level MIME
   object.

   This document does not mandate any particular Header Confidentiality
   Policy, though it offers guidance for MUA implementers in selecting
   one in Section 2.4.  Future documents may recommend or mandate such a
   policy for an MUA with specific needs.  Such a recommendation might
   be motivated by descriptions of metadata-derived attacks, or stem
   from research about message deliverability, or describe new
   signalling mechanisms, but these topics are out of scope for this
   document.

   For alignment with common practice as well as the ABNF in
   Section 2.3.3 for HP-Obscured, val_out MUST be one of the following:

   *  identical to val_in, or

   *  the special value null, or

   *  a sequence of printable and whitespace (that is, space or tab)
      7-bit clean US-ASCII characters (of course, non-ASCII text can be
      encoded as US-ASCII using the encoded-word construct from
      [RFC2047])

   The HCP can compute val_out using any technique describable in
   pseudocode, such as copying a fixed string or invocations of other
   pseudocode functions.  If it alters the value, it MUST NOT include
   control or NUL characters in val_out.

2.3.3.  Definition of HP-Removed and HP-Obscured Header Fields

   This document defines 2 new Header Fields used for conveying the
   effect of the sender's Header Confidentiality Policy: HP-Removed and
   HP-Obscured.  These Header Fields enable the MUA receiving an
   encrypted message to reliably identify whether the sending MUA
   intended to make a Header Field confidential (see Section 6.2.3).

   An implementation that composes encrypted e-mail and hides any of the
   Header Fields as described in this document (for example, due to a
   non-null HCP) MUST include the appropriate HP-Removed or HP-Obscured
   Header Fields in the Cryptographic Payload.  These two MIME Header
   Fields should only ever appear directly within the Header Section of
   the Cryptographic Payload of a Cryptographic Envelope offering
   confidentiality.  They MUST be ignored if they appear in other
   places.

   HP-Removed includes a comma-separated list of Header Field names that
   were omitted from the outer header when the message with Header
   Protection was generated.  The HP-Removed Header Field can appear at
   most once in the Header Section of a Cryptographic Payload.

   Each instance of HP-Obscured contains a Header Field name and the
   value that this Header Field was modified to in the outer header.
   The HP-Obscured Header Field can appear multiple times in the Header
   Section of a Cryptographic Payload.

   If a Header Field name A doesn't appear in an HP-Obscured Header
   Field value, then the Header Field A was either removed (and thus
   would appear in the HP-Removed Header Field) or it was copied without
   any modifications to the outer header.

   Syntax of these new Header Fields is defined using the following ABNF
   [RFC5234], where field-name, WSP, VCHAR, and FWS are defined in
   [RFC5322]:

   hp-removed      =   "HP-Removed:" field-name-list CRLF

   field-name-list =   [FWS] field-name
                       *([FWS] "," [FWS] field-name) [FWS]

   hp-obscured     =   "HP-Obscured:" [FWS] field-name ": "
                       replacement-value CRLF

   replacement-value =   (*([FWS] VCHAR) *WSP)

   Note that replacement-value is the same as unstructured from
   [RFC5322], but without the obsolete obs-unstructured option.
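
   The following Python sketch is an added example, not part of the
   draft.  It parses HP-Removed and HP-Obscured values against the ABNF
   above and classifies a Header Field the way the preceding paragraphs
   describe.  The function names and the sample header list are
   assumptions made for illustration.

```python
import re

# field-name from RFC 5322 is printable US-ASCII without ":".  "," is also
# excluded here because HP-Removed uses it as the list separator.
_FIELD_NAME = r"[\x21-\x2b\x2d-\x39\x3b-\x7e]+"
# [FWS] field-name ": " replacement-value, after unfolding.
_HP_OBSCURED = re.compile(rf"[ \t]*({_FIELD_NAME}): ([\x21-\x7e \t]*)")
# A line break followed by whitespace is folding; anything else is rejected later.
_UNFOLD = re.compile(r"\r?\n(?=[ \t])")


class HPSyntaxError(ValueError):
    """An HP-Removed or HP-Obscured field does not match the ABNF."""


def parse_hp_fields(payload_headers):
    """Parse HP-* fields from the Header Section of a Cryptographic Payload.

    payload_headers is a list of (name, value) pairs taken only from the
    Cryptographic Payload; copies found anywhere else must be ignored.
    Returns (removed, obscured): a list of lower-cased removed names, and a
    dict mapping a lower-cased name to the list of its outer replacement values.
    """
    removed, obscured, seen_removed = [], {}, False
    for name, value in payload_headers:
        value = _UNFOLD.sub("", value)
        lname = name.lower()
        if lname == "hp-removed":
            if seen_removed:
                raise HPSyntaxError("HP-Removed appears more than once")
            seen_removed = True
            for item in value.split(","):
                item = item.strip(" \t")
                if not re.fullmatch(_FIELD_NAME, item):
                    raise HPSyntaxError(f"bad field-name in HP-Removed: {item!r}")
                removed.append(item.lower())
        elif lname == "hp-obscured":
            match = _HP_OBSCURED.fullmatch(value)
            if not match:
                raise HPSyntaxError(f"bad HP-Obscured value: {value!r}")
            obscured.setdefault(match.group(1).lower(), []).append(match.group(2))
    return removed, obscured


def sender_intent(field, removed, obscured):
    """Say what the sender did to `field` in the outer Header Section."""
    lname = field.lower()
    if lname in obscured:
        return "obscured"
    if lname in removed:
        return "removed"
    return "unchanged"  # copied to the outer header without modification


# Constructed sample: the Header Section of a decrypted Cryptographic Payload.
SAMPLE_PAYLOAD_HEADERS = [
    ("From", "bob@example.net"),
    ("Subject", "Thursday's meeting"),
    ("Cc", "alice@example.net"),
    ("HP-Obscured", "Subject: [...]"),
    ("HP-Removed", " Cc,\r\n In-Reply-To "),
]

if __name__ == "__main__":
    rem, obs = parse_hp_fields(SAMPLE_PAYLOAD_HEADERS)
    for field in ("From", "Subject", "Cc"):
        print(field, sender_intent(field, rem, obs))
```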

2.3.4.  Composing with "Injected Headers" Header Protection

   The "Injected Headers" Header Protection scheme places the Header
   Fields to be protected directly on the Cryptographic Payload.  Unlike
   in the "Wrapped Message" scheme (see Section 2.3.5), there is no
   wrapping of the message body in any additional message/* MIME part.
   This section describes how to generate such a message.

   To compose a message using "Injected Headers" Header Protection, the
   composing MUA uses the following inputs:

   *  All the inputs described in Section 2.3.1

   *  hcp: a Header Confidentiality Policy, as defined in Section 2.3.2

   *  legacy: a boolean value, indicating whether any recipient of the
      message is believed to have a Legacy MUA.  If all recipients are
      known to implement this draft, legacy should be set to false.
      (How an MUA determines the value of legacy is out of scope for
      this document; an initial implementation can simply set it to
      true)

   Enabling visibility of obscured Header Fields for decryption-capable
   legacy clients requires transforming a header list into a readable
   form and including it as a decorative Legacy Display Element in
   specially-marked parts of the message.  This document recommends two
   different mechanisms for such a decorative adjustment: one for a
   text/html Main Body Part of the e-mail message, and one for a
   text/plain Main Body Part.  This document does not recommend adding
   a Legacy Display Element to any other part.

   Please see Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for
   guidance on identifying the parts of a message that are a Main Body
   Part.

   To build such a message, we replace the algorithm described in
   Section 2.3.1 with a more sophisticated approach.  The algorithm for
   applying "Injected Headers" cryptographic protection to a message is
   as follows:

   *  Let newbody be a copy of origbody

   *  If crypto contains encryption, and legacy is true:

      -  Create ldlist, an empty list of (header, value) pairs

      -  For each Header Field name and value (h,v) in origheaders:

         o  If h is user-facing (see Section 1.1.2 of
            [I-D.ietf-lamps-e2e-mail-guidance]):

            +  If hcp(h,v) is not v:

               *  Add (h,v) to ldlist

      -  If ldlist is not empty:

         o  Identify each leaf MIME part of newbody that represents the
            "main body" of the message.

         o  For each "Main Body Part" bodypart of type text/plain or
            text/html:

            +  Adjust bodypart by inserting a Legacy Display Element
               header list ldlist into its content, and adding a
               Content-Type parameter hp-legacy-display with value 1
               (see Section 2.3.4.1 for text/plain and Section 2.3.4.2
               for text/html)

   *  For each Header Field name and value (h,v) in origheaders:

      -  Add Header Field h to MIME part newbody with value v

   *  Set the protected-headers parameter on the Content-Type of MIME
      part newbody to v1

   *  If crypto does not contain encryption:

      -  Let newheaders be a copy of origheaders

   *  Else (if crypto contains encryption):

      -  Create new empty list of Header Field names and values
         newheaders

      -  Let hpr be an empty comma-separated list of Header Field names

      -  For each Header Field name and value (h,v) in origheaders:

         o  Let newval be hcp(h,v)

         o  If newval is null:

            +  Add the value h to hpr

         o  Else (if newval is not null):

            +  Add (h,newval) to newheaders

            +  If newval is not v:

               *  Let string record be the concatenation of h, a literal
                  ": " (ASCII colon (0x3A) followed by ASCII space
                  (0x20)), and newval

               *  Add Header Field "HP-Obscured" to MIME part newbody
                  with value record

      -  If hpr is not empty:

         o  Add Header Field "HP-Removed" to MIME part newbody with
            value hpr

   *  Apply crypto to MIME part newbody, producing MIME tree output

   *  For each Header Field name and value (h,v) in newheaders:

      -  Add Header Field h to output with value v

   *  Return output

   Note that both new parameters (hcp and legacy) are effectively
   ignored if crypto does not contain encryption.  This is by design,
   because they are irrelevant for signed-only cryptographic
   protections.

2.3.4.1.  Adding a Legacy Display Element to a text/plain Part

   For a list of obscured Header Fields represented as (header, value)
   pairs, concatenate them as a set of lines, with one newline at the
   end of each pair.  Add an additional trailing newline after the
   resultant text, and prepend the entire list to the body of the
   text/plain part.

   The MUA MUST also add a Content-Type parameter of hp-legacy-display
   with value 1 to the MIME part to indicate that a Legacy Display
   Element was added.

   For example, if the list of obscured Header Fields was [("Cc",
   "alice@example.net"), ("Subject", "Thursday's meeting")], then a
   text/plain Main Body Part that originally looked like this:

   Content-Type: text/plain; charset=UTF-8

   I think we should skip the meeting.

   Would become:

   Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1

   Subject: Thursday's meeting
   Cc: alice@example.net

   I think we should skip the meeting.

   Note that the Legacy Display Element (the lines beginning with
   Subject: and Cc:) is part of the body of the MIME part in question.

   This example assumes that the Main Body Part in question is not the
   root of the Cryptographic Payload.  For instance, it could be a leaf
   of a multipart/alternative Cryptographic Payload.  This is why no
   additional Header Fields have been injected into the MIME part in
   this example.

2.3.4.2.  Adding a Legacy Display Element to a text/html Part

   Adding a Legacy Display Element to a text/html part is similar to how
   it is added to a text/plain part (see Section 2.3.4.1).  Instead of
   adding the obscured or removed User-Facing Header Fields to a block
   of text delimited by a blank line, the composing MUA injects them in
   an HTML <div> element annotated with a class attribute of
   header-protection-legacy-display.

   The content and formatting of this decorative <div> have no strict
   requirements, but they MUST represent all the obscured and removed
   User-Facing Header Fields in a readable fashion.  A simple approach
   is to assemble the text in the same way as Section 2.3.4.1, wrap it
   in a verbatim <pre> element, and put that element in the annotated
   <div>.

   The annotated <div> should be placed as close to the start of the
   <body> as possible, where it will be visible when viewed with a
   standard HTML renderer.

   The MUA MUST also add a Content-Type parameter of hp-legacy-display
   with value 1 to the MIME part to indicate that a Legacy Display
   Element was added.

   For example, if the list of obscured Header Fields was [("Cc",
   "alice@example.net"), ("Subject", "Thursday's meeting")], then a
   text/html Main Body Part that originally looked like this:

   Content-Type: text/html; charset=UTF-8

   <html><head><title></title></head><body>
   <p>I think we should skip the meeting.</p>
   </body></html>

   Would become:

   Content-Type: text/html; charset=UTF-8; hp-legacy-display=1

   <html><head><title></title></head><body>
   <div class="header-protection-legacy-display">
   <pre>Subject: Thursday's meeting
   Cc: alice@example.net</pre></div>
   <p>I think we should skip the meeting.</p>
   </body></html>

   This example assumes that the Main Body Part in question is not the
   root of the Cryptographic Payload.  For instance, it could be a leaf
   of a multipart/alternative Cryptographic Payload.  This is why no
   additional Header Fields have been injected into the MIME part in
   this example.

2.3.4.2.1.  Step-by-step Example for Inserting Legacy Display Element to
            text/html

   A composing MUA MAY insert the Legacy Display Element anywhere
   reasonable within the message as long as it prioritizes visibility
   for the reader using a Legacy decryption-capable MUA.  This decision
   may take into account special message-specific HTML formatting
   expectations if the MUA is aware of them.  However, some MUAs may not
   have any special insight into the user's preferred HTML formatting,
   and still want to insert a Legacy Display Element.  This section
   offers a non-normative, simple, and minimal step-by-step approach for
   a composing MUA that has no other information or preferences to fall
   back on.

   The process below assumes that the MUA already has the full HTML
   object that it intends to send, including all of the text supplied by
   the user.

   *  Assemble the text exactly as specified for text/plain (see
      Section 2.3.4.1).

   *  Wrap that text in a verbatim <pre> element.

   *  Wrap that <pre> element in a <div> element annotated with the
      class header-protection-legacy-display.

   *  Find the <body> element of the full HTML object.

   *  Insert the <div> element as the first child of the <body> element.

2.3.4.3.  Only Add a Legacy Display Element to Main Body Parts

   Some messages may contain a text/plain or text/html subpart that is
   _not_ a Main Body Part.  For example, an e-mail message might contain
   an attached text file or a downloaded webpage.  Attached documents
   need to be preserved as intended in the transmission, without
   modification.

   The composing MUA MUST NOT add a Legacy Display Element to any part
   of the message that is not a Main Body Part.  In particular, if a
   part is annotated with Content-Disposition: attachment, or if it does
   not descend via the first child of any of its multipart/mixed or
   multipart/related ancestors, it is not a Main Body Part, and MUST NOT
   be modified.

   See Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for more
   guidance about common ways to distinguish Main Body Parts from other
   MIME parts in a message.

2.3.4.4.  Do Not Add a Legacy Display Element to Other Content-Types

   The purpose of injecting a Legacy Display Element into each Main Body
   MIME part is to enable rendering of otherwise obscured Header Fields
   in Legacy MUAs that are capable of message decryption, but don't know
   how to follow the rest of the guidance in this document.

   The authors are unaware of any Legacy MUA that would render any MIME
   part type other than text/plain and text/html as the Main Body.  A
   generating MUA SHOULD NOT add a Legacy Display Element to any MIME
   part with any other Content-Type.
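
   The following Python sketch is an added example, not part of the
   draft.  It follows the Section 2.3.4 algorithm, including the Legacy
   Display Element steps of Sections 2.3.4.1 to 2.3.4.3, using the
   standard email package.  The function names, the USER_FACING set,
   the simplified Main Body Part test, the HTML-escaping of header
   values and the sample message are assumptions of this example;
   crypto is any caller-supplied routine as described in Section 2.3.1.

```python
import copy
import html
import re
from email.message import EmailMessage

# Assumption: stands in for the user-facing list in Section 1.1.2 of
# I-D.ietf-lamps-e2e-mail-guidance.
USER_FACING = {"subject", "from", "to", "cc", "date", "reply-to", "followup-to"}


def main_body_parts(part):
    """Yield text/plain and text/html Main Body Parts (Section 2.3.4.3, simplified)."""
    if part.get_content_disposition() == "attachment":
        return
    ctype = part.get_content_type()
    if ctype in ("multipart/mixed", "multipart/related"):
        children = part.get_payload()
        if children:  # only the first child can lead to a Main Body Part
            yield from main_body_parts(children[0])
    elif ctype == "multipart/alternative":
        for child in part.get_payload():
            yield from main_body_parts(child)
    elif ctype in ("text/plain", "text/html"):
        yield part


def add_legacy_display(part, ldlist):
    """Insert the Legacy Display Element (Sections 2.3.4.1 and 2.3.4.2)."""
    text = "".join(f"{h}: {v}\n" for h, v in ldlist)
    body = part.get_content()
    if part.get_content_type() == "text/plain":
        part.set_content(text + "\n" + body)
    else:
        # Precaution added here: header values become markup, so escape them.
        div = ('<div class="header-protection-legacy-display">\n<pre>'
               + html.escape(text.rstrip("\n"), quote=False) + "</pre></div>\n")
        found = re.search(r"<body[^>]*>\s*", body, re.IGNORECASE)
        cut = found.end() if found else 0  # no <body> tag: put the <div> first
        part.set_content(body[:cut] + div + body[cut:], subtype="html")
    part.set_param("hp-legacy-display", "1")


def build_injected(origbody, origheaders, hcp, encrypts, legacy=True):
    """Return (newbody, newheaders): the Cryptographic Payload and the outer headers."""
    newbody = copy.deepcopy(origbody)
    if encrypts and legacy:
        ldlist = [(h, v) for h, v in origheaders
                  if h.lower() in USER_FACING and hcp(h, v) != v]
        if ldlist:
            for part in list(main_body_parts(newbody)):
                add_legacy_display(part, ldlist)
    for h, v in origheaders:  # every Header Field is protected inside the payload
        newbody[h] = v
    newbody.set_param("protected-headers", "v1")
    if not encrypts:  # signed-only: hcp and legacy play no role
        return newbody, list(origheaders)
    newheaders, hpr = [], []
    for h, v in origheaders:
        newval = hcp(h, v)
        if newval is None:
            hpr.append(h)
        else:
            newheaders.append((h, newval))
            if newval != v:
                newbody["HP-Obscured"] = f"{h}: {newval}"
    if hpr:
        newbody["HP-Removed"] = ", ".join(hpr)
    return newbody, newheaders


def compose_injected(origbody, origheaders, crypto, hcp, encrypts, legacy=True):
    """Apply crypto to the payload, then put the outer Header Fields on its output."""
    newbody, newheaders = build_injected(origbody, origheaders, hcp, encrypts, legacy)
    output = crypto(newbody)
    for h, v in newheaders:
        output[h] = v
    return output


def hcp_hide_cc(name, val_in):
    """hcp_hide_cc from Section 2.3.2, matching names case-insensitively."""
    if name.lower() == "subject":
        return "[...]"
    return None if name.lower() == "cc" else val_in


def sample_message():
    """Constructed sample: a multipart/alternative body and its header list."""
    body = EmailMessage()
    body.set_content("I think we should skip the meeting.\n")
    body.add_alternative(
        "<html><head><title></title></head><body>\n"
        "<p>I think we should skip the meeting.</p>\n</body></html>\n",
        subtype="html")
    headers = [("From", "bob@example.net"), ("To", "carol@example.net"),
               ("Subject", "Thursday's meeting"), ("Cc", "alice@example.net")]
    return body, headers
```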

2.3.5.  Composing with "Wrapped Message" Header Protection

   The Wrapped Message Header Protection scheme is very similar to that
   described in Section 3.1 of [RFC8551].  The differences are outlined
   in Section 2.2.

   To compose a message using "Wrapped Message" Header Protection, the
   composing MUA uses the following inputs:

   *  All the inputs described in Section 2.3.1

   *  hcp: a Header Confidentiality Policy, as defined in Section 2.3.2

   To build such a message, we replace the algorithm described in
   Section 2.3.1 with a more sophisticated approach.  The algorithm for
   applying "Wrapped Message" cryptographic protection to a message is
   as follows:

   *  Let newbody be a copy of origbody

   *  For each Header Field name and value (h,v) in origheaders:

      -  Add Header Field h to MIME part newbody with value v

   *  If crypto does not contain encryption:

      -  Let newheaders be a copy of origheaders

   *  Else (if crypto contains encryption):

      -  Create new empty list of Header Field names and values
         newheaders

      -  Let hpr be an empty comma-separated list of Header Field names

      -  For each Header Field name and value (h,v) in origheaders:

         o  Let newval be hcp(h,v)

         o  If newval is null:

            +  Add the value h to hpr

         o  Else (if newval is not null):

            +  Add (h,newval) to newheaders

            +  If newval is not v:

               *  Let string record be the concatenation of h, a literal
                  ": " (ASCII colon (0x3A) followed by ASCII space
                  (0x20)), and newval

               *  Add Header Field "HP-Obscured" to MIME part newbody
                  with value record

      -  If hpr is not empty:

         o  Add Header Field "HP-Removed" to MIME part newbody with
            value hpr

   *  If any of the Header Fields in MIME part newbody, including Header
      Fields in the nested internal MIME structure, contain any 8-bit
      UTF-8 characters (see Section 3.7 of [RFC6532]):

      -  Let payload be a new MIME part with one Header Field:
         Content-Type: message/global; protected-headers=wrapped, and
         whose body is newbody.

   *  Else:

      -  Let payload be a new MIME part with one Header Field:
         Content-Type: message/rfc822; protected-headers=wrapped, and
         whose body is newbody.

   *  Add a Content-Disposition Header Field to MIME part payload with
      value inline

   *  Apply crypto to MIME part payload, producing MIME tree output

   *  For each Header Field name and value (h,v) in newheaders:

      -  Add Header Field h to output with value v

   *  Return output

   Note that the Header Confidentiality Policy hcp parameter is
   effectively ignored if crypto does not contain encryption.  This is
   by design, because it is irrelevant for signed-only cryptographic
   protections.

2.3.6.  Choosing Between Wrapped Message and Injected Headers

   When composing a message with end-to-end cryptographic protections,
   an MUA SHOULD protect the Header Fields of that message as well as
   the body, using one of the formats described here.

   A compatible MUA MUST be capable of generating a message with Header
   Protection using the Injected Headers format (Section 2.3.4).

2.4.  Default Header Confidentiality Policy

   An MUA MUST have a default Header Confidentiality Policy that offers
   at least the protections provided by hcp_minimal as described in
   Section 2.4.1.  Local policy and configuration may alter this
   default, but the MUA SHOULD NOT require the user to select an HCP.

   hcp_minimal provides confidentiality for the Subject Header Field by
   replacing it with the literal string "[...]".  This is a sensible
   minimal default because most users treat the Subject of a message the
   same way that they treat the body, and they are surprised to find
   that the Subject of an encrypted message is visible.

2.4.1.  Minimal Header Confidentiality Policy

   The most conservative recommended Header Confidentiality Policy only
   protects the Subject Header Field:

   hcp_minimal(name, val_in) → val_out:
       if name is 'Subject':
           return '[...]'
       else:
           return val_in

   hcp_minimal is the recommended default HCP for a new implementation,
   as it provides meaningful confidentiality protections, and is
   unlikely to cause deliverability or usability problems.

2.4.2.  Strong Header Confidentiality Policy

   Alternately, a more aggressive (and therefore more
   privacy-preserving) Header Confidentiality Policy only leaks a
   handful of fields whose absence is known to increase rates of
   delivery failure, and simultaneously obscures the Message-ID behind a
   random new one:

   hcp_strong(name, val_in) → val_out:
       if name in ['From', 'To', 'Cc', 'Date']:
           return val_in
       else if name is 'Subject':
           return '[...]'
       else if name is 'Message-ID':
           return generate_new_message_id()
       else:
           return null

   The function generate_new_message_id() represents whatever process
   the MUA typically uses to generate a Message-ID for a new outbound
   message.

   hcp_strong is known to cause usability problems with message
   threading for many Legacy MUAs, and is not recommended as a default
   HCP for new implementations.

2.4.3.  Null Header Confidentiality Policy

   Legacy MUAs can be conceptualized as offering a null Header
   Confidentiality Policy, which offers no confidentiality protection to
   any Header Field:

   hcp_null(name, val_in) → val_out:
       return val_in

   A conformant MUA that is not modified by local policy or
   configuration MUST NOT use hcp_null by default.
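
   The following Python sketch is an added example, not part of the
   draft.  It runs hcp_null, hcp_minimal and hcp_strong over one header
   list to show what each leaves visible outside the Cryptographic
   Envelope, and wraps every policy in a check for the val_out rules of
   Section 2.3.2.  The names enforce, exposure and hcp_keep_prefix, the
   Message-ID domain and the sample headers are assumptions of this
   example.

```python
import re
from email.utils import make_msgid

# An altered val_out may hold only printable US-ASCII, space and tab
# (Section 2.3.2), so CR, LF, NUL and 8-bit characters are rejected.
_PRINTABLE = re.compile(r"[\x20-\x7e\t]*")


def hcp_null(name, val_in):
    return val_in


def hcp_minimal(name, val_in):
    return "[...]" if name.lower() == "subject" else val_in


def hcp_strong(name, val_in):
    lname = name.lower()
    if lname in ("from", "to", "cc", "date"):
        return val_in
    if lname == "subject":
        return "[...]"
    if lname == "message-id":
        # Stand-in for generate_new_message_id(); the domain is an assumption.
        return make_msgid(domain="example.net")
    return None


def enforce(hcp):
    """Wrap an HCP so a val_out that breaks the Section 2.3.2 rules is rejected."""
    def checked(name, val_in):
        val_out = hcp(name, val_in)
        if val_out is None or val_out == val_in:  # null or identical: allowed
            return val_out
        if not isinstance(val_out, str) or not _PRINTABLE.fullmatch(val_out):
            raise ValueError(f"HCP output for {name!r} is not printable US-ASCII")
        return val_out
    return checked


def exposure(headers, hcp):
    """Group header names by what is seen outside the Cryptographic Envelope."""
    report = {"visible": [], "obscured": [], "removed": []}
    checked = enforce(hcp)
    for name, val_in in headers:
        val_out = checked(name, val_in)
        if val_out is None:
            report["removed"].append(name)
        elif val_out == val_in:
            report["visible"].append(name)
        else:
            report["obscured"].append(name)
    return report


def hcp_keep_prefix(name, val_in):
    """Hypothetical faulty policy: copies raw Subject text into the replacement."""
    return "[redacted] " + val_in[:8] if name.lower() == "subject" else val_in


# Constructed sample: the header list of a reply within a thread.
SAMPLE = [
    ("From", "bob@example.net"), ("To", "carol@example.net"),
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("Subject", "Re: Thursday's meeting"),
    ("Message-ID", "<reply-1@example.net>"),
    ("In-Reply-To", "<orig-1@example.net>"),
    ("References", "<orig-1@example.net>"),
]

if __name__ == "__main__":
    for policy in (hcp_null, hcp_minimal, hcp_strong):
        print(policy.__name__, exposure(SAMPLE, policy))
```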

2.4.4.  Offering Stronger Header Confidentiality

   An MUA MAY offer even stronger confidentiality for Header Fields of
   an encrypted message than described in Section 2.4.2.  For example,
   it might implement an HCP that obfuscates the From field, or omits
   the Cc field, or ensures Date is represented in UTC (obscuring the
   local timezone).

   The authors of this document hope that implementers with deployment
   experience will document their chosen Header Confidentiality Policy
   and the rationale behind their choice.

   This document defines hcp_null, hcp_minimal, hcp_hide_cc, and
   hcp_strong as a way to compare and contrast different possible
   behavioral choices for a composing MUA.  While the HCP is not
   strictly a protocol element, this document creates a registry of
   named Header Confidentiality Policies for ease of communication.

2.4.4.1.  Expert Guidance for Registering Header Confidentiality
          Policies

   There is no formal syntax specified for the Header Confidentiality
   Policy, but any attempt to specify an HCP for inclusion in the
   registry needs to provide:

   *  a stable reference document clearly indicating the distinct name
      for the proposed HCP

   *  pseudocode that other implementers can clearly and unambiguously
      interpret

   *  a clear explanation of why this HCP is different from all other
      registered HCPs

   *  any relevant considerations related to deployment of the HCP (for
      example, known or expected deliverability, rendering, or privacy
      challenges and possible mitigations)

   An entry should not be marked as "Recommended" unless it has been
   shown to offer confidentiality or privacy improvements over the
   status quo and have minimal or mitigatable negative impact on
   messages to which it is applied, considering factors such as message
   deliverability and security.  Only one entry in the table
   (hcp_minimal) is initially marked as "Recommended".  In the future,
   more than one entry may be marked as "Recommended".

2.5.  Receiving Side

   An MUA that receives a cryptographically-protected e-mail will render
   it for the user.

   The receiving MUA will render the message body, a selected subset of
   Header Fields, and (as described in Section 3 of
   [I-D.ietf-lamps-e2e-mail-guidance]) provide a summary of the
   cryptographic properties of the message.

   Most MUAs only render a subset of Header Fields by default.  For
   example, few MUAs typically render Message-Id or Received Header
   Fields for the user, but most do render From, To, Cc, Date, and
   Subject.

   An MUA that knows how to handle a message with Header Protection
   makes the following two changes to its behavior when rendering a
   message:

   *  If it detects that an incoming message had protected Header
      Fields, it renders Header Fields for the message from the
      protected Header Fields, ignoring the external (unprotected)
      Header Fields.

   *  It includes information in the message's Cryptographic Summary to
      indicate the types of protection that applied to each rendered
      Header Field (if any).

   An MUA that handles a message with Header Protection does _not_ need
   to render any new Header Fields that it did not render before.

2.5.1.  Identifying that a Message has Header Protection

   An incoming message can be identified as having Header Protection
   based on one of two signals:

   *  The Cryptographic Payload has Content-Type: message/rfc822 or
      Content-Type: message/global and the parameter protected-headers
      has a value of wrapped.  See Section 2.5.4 for rendering guidance.

   *  The Cryptographic Payload has some other Content-Type and it has
      parameter protected-headers set to v1.  See Section 2.5.3 for
      rendering guidance.

   Messages of both types exist in the wild, and a compliant MUA MUST be
   able to handle them both.  They provide the same semantics and the
   same meaning.

2.5.2.  Updating the Cryptographic Summary

   Regardless of whether a cryptographically-protected message has
   protected Header Fields, the Cryptographic Summary of the message
   should be modified to indicate what protections the Header Fields
   have.  This field-by-field status is complex and isn't necessarily
   intended to be presented in full to the user.  Rather, it represents
   the state of the message internally within the MUA, and may be used
   to influence behavior like replying to the message (see
   Section 2.5.8.1).

   Each Header Field individually has exactly one of the following
   protections:

   *  unprotected (this is the case for all Header Fields in messages
      that have no Header Protection)

   *  signed-only (bound into the same validated signature as the
      enclosing message, but also visible in transit)

   *  encrypted-only (only appears within the Cryptographic Payload; the
      corresponding external Header Field was either omitted or
      obfuscated)

   *  signed-and-encrypted (same as encrypted-only, but additionally is
      under a validated signature)

   Note that while the message itself may be signed-and-encrypted, some
   Header Fields may be replicated on the outside of the message (e.g.
   Date).  Those Header Fields would be signed-only, despite the message
   itself being signed-and-encrypted.  Additionally, the data from some
   encrypted or signed-and-encrypted Header Fields may not be fully
   private (see Section 6.1 for more details).

   Rendering the cryptographic status of each Header Field is likely to
   be complex and messy --- users may not understand it.  It is beyond
   the scope of this document to suggest any specific graphical
   affordances or user experience.  Future work should include examples
   of successful rendering of this information.

2.5.3.  Rendering a Message with Injected Headers

   When the Cryptographic Payload does not have a Content-Type of
   message/rfc822 or message/global, and the parameter protected-headers
   is set to v1, the values of the protected Header Fields are drawn
   from the Header Fields of the Cryptographic Payload, and the body
   that is rendered is the Cryptographic Payload itself.

2.5.3.1.  Example Signed-only Message with Injected Headers

   A └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   B  └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   C   ├─╴text/plain
   D   └─╴text/html

   The message body should be rendered the same way as this message:

   B └┬╴multipart/alternative
   C  ├─╴text/plain
   D  └─╴text/html

   It should render Header Fields taken from part B.

   Its Cryptographic Summary should indicate that the message was signed
   and all rendered Header Fields were included in the signature.

   The MUA should ignore Header Fields from part A for the purposes of
   rendering.

   Because this message is signed-only, none of its parts will have a
   Legacy Display Element.

2.5.3.2.  Example Signed-and-Encrypted Message with Injected Headers

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:

   E └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   F  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   G   └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   H    ├─╴text/plain
   I    └─╴text/html

   The message body should be rendered the same way as this message:

   G └┬╴multipart/alternative
   H  ├─╴text/plain
   I  └─╴text/html

   It should render Header Fields taken from part G.

   Its Cryptographic Summary should indicate that the message was signed
   and encrypted.  Each rendered Header Field found in G should be
   considered against any HP-Removed Header Field found in G and all HP-
   Obscured Header Fields found in G.  If the field's name is found in
   the list of Header Field names in HP-Removed, or if one of the HP-
   Obscured fields refers to the field name, then the Header Field
   should be marked as signed-and-encrypted.  Otherwise, the Header
   Field should be marked as signed-only.

   If any of the User-Facing Header Fields are removed or obscured, the
   composer of this message MAY place Legacy Display Elements in parts H
   and I.

   The MUA should ignore Header Fields from part E for the purposes of
   rendering.

2.5.3.3.  Do Not Render Legacy Display Elements

   As described in Section 2.1, a message with cryptographic
   confidentiality protection MAY include Legacy Display Elements for
   backward-compatibility with Legacy MUAs.  These Legacy Display
   Elements are strictly decorative, unambiguously identifiable, and
   will be discarded by compliant implementations.

   The receiving MUA SHOULD avoid rendering the identified Legacy
   Display Elements to the user at all, since it is aware of Header
   Protection and can render the actual protected Header Fields.

   If a text/html or text/plain part within the Cryptographic Envelope
   is identified as containing Legacy Display Elements, those elements
   SHOULD be hidden when rendering and SHOULD be dropped when generating
   a draft reply or inline forwarded message.  Whenever a Message or
   MIME subtree is exported, downloaded or otherwise further processed,
   implementers should consider whether or not to drop the Legacy
   Display Elements.

2.5.3.3.1.  Identifying a Part with Legacy Display Elements

   A receiving MUA acting on a message that contains an encrypting
   Cryptographic Layer identifies a MIME subpart within the
   Cryptographic Payload as containing Legacy Display Elements based on
   the Content-Type of the subpart.

   *  The subpart's Content-Type contains a parameter hp-legacy-display
      with value set to 1

   *  The subpart's Content-Type is either text/html (see
      Section 2.5.3.3.3) or text/plain (see Section 2.5.3.3.2)

   Note that the term "subpart" above is used in the general sense: if
   the Cryptographic Payload is a single part, that part itself may
   contain a Legacy Display Element if it is marked with the hp-legacy-
   display=1 parameter.

2.5.3.3.2.  Omitting Legacy Display Elements from text/plain

   If a text/plain part within the Cryptographic Payload has the
   Content-Type parameter hp-legacy-display="1", it should be processed
   before rendering in the following fashion:

   *  Discard the leading lines of the body of the part up to and
      including the first entirely blank line.

   Note that implementing this strategy is dependent on the charset used
   by the MIME part.

   See Appendix D.1 for an example.

2.5.3.3.3.  Omitting Legacy Display Elements from text/html

   If a text/html part within the Cryptographic Payload has the Content-
   Type parameter hp-legacy-display="1", it should be processed before
   rendering in the following fashion:

   *  If any element of the HTML <body> is a <div> with class attribute
      header-protection-legacy-display, that entire element should be
      omitted.

   This cleanup could be done, for example, as a custom rule in the
   MUA's HTML sanitizer, if one exists.  Another implementation strategy
   for an HTML-capable MUA would be to add an entry to the [CSS]
   stylesheet for such a part:

   body div.header-protection-legacy-display { display: none; }
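
   The sanitizer-rule strategy described above, sketched with Python's
   standard html.parser.  This is an added example, not code from this
   document or from any MUA: the class and function names are
   hypothetical, the sample HTML is constructed, and the caller is
   assumed to have already established that the part sits inside an
   encrypted message and carries hp-legacy-display="1".

```python
from html.parser import HTMLParser

LEGACY_CLASS = "header-protection-legacy-display"


class LegacyDisplayStripper(HTMLParser):
    """Re-emit an HTML document, omitting Legacy Display Element <div>s."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.out = []
        self.in_head = False
        self.skip_depth = 0  # <div> nesting depth inside an omitted element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag == "div":
                self.skip_depth += 1  # nested <div>: wait for its own </div>
            return
        if tag == "head":
            self.in_head = True
        classes = (dict(attrs).get("class") or "").split()
        if tag == "div" and not self.in_head and LEGACY_CLASS in classes:
            self.skip_depth = 1  # omit this element and everything inside it
            return
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if not self.skip_depth:
            self.out.append(self.get_starttag_text())  # e.g. <br/>

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag == "div":
                self.skip_depth -= 1
            return
        if tag == "head":
            self.in_head = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skip_depth:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def strip_legacy_display_html(html: str) -> str:
    """Return the HTML with every Legacy Display Element <div> removed."""
    parser = LegacyDisplayStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample body of a text/html part marked hp-legacy-display="1".
SAMPLE = (
    '<html><head><meta charset="utf-8"></head><body>\n'
    '<div class="header-protection-legacy-display">\n'
    '<pre>Subject: Dinner plans</pre>\n'
    '<div>nested</div>\n'
    '</div>\n'
    '<p>Let&#39;s meet at <b>7pm</b>.<br></p>\n'
    '<div class="note">kept</div>\n'
    '</body></html>'
)

if __name__ == "__main__":
    print(strip_legacy_display_html(SAMPLE))
```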

2.5.4.  Rendering a Wrapped Message

   Some MUAs may compose and send a message with end-to-end
   cryptographic protections that offer Header Protection using the
   Wrapped Message scheme described in Section 3.1 of [RFC8551] as
   augmented by this document.  This section describes how a receiving
   MUA should identify and render such a message.

   When the Cryptographic Payload has Content-Type of message/rfc822 or
   message/global, and the parameter protected-headers is set to
   wrapped, the values of the protected Header Fields are drawn from the
   Header Fields of the Cryptographic Payload, and the body that is
   rendered is the body of the Cryptographic Payload.

2.5.4.1.  Example Signed-Only Wrapped Message

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:

   J └─╴application/pkcs7-mime; smime-type="signed-data"
      ⇩ (unwraps to)
   K  └┬╴message/rfc822 [Cryptographic Payload]
   L   └┬╴multipart/alternative [Rendered Body]
   M    ├─╴text/plain
   N    └─╴text/html

   The message body should be rendered the same way as this message:

   L └┬╴multipart/alternative
   M  ├─╴text/plain
   N  └─╴text/html

   It should render Header Fields taken from part K.

   Its Cryptographic Summary should indicate that the message was signed
   and all rendered Header Fields were included in the signature.

   The MUA SHOULD ignore Header Fields from part J for the purposes of
   rendering, unless it is rendering debugging information.

2.5.4.2.  Example Signed-and-Encrypted Wrapped Message

   Consider a message with this structure, where the MUA is able to
   validate the cryptographic signature:

   O └─╴application/pkcs7-mime; smime-type="enveloped-data"
      ↧ (decrypts to)
   P  └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   Q   └┬╴message/rfc822 [Cryptographic Payload]
   R    └┬╴multipart/alternative [Rendered Body]
   S     ├─╴text/plain
   T     └─╴text/html

   The message body should be rendered the same way as this message:

   R └┬╴multipart/alternative
   S  ├─╴text/plain
   T  └─╴text/html

   It should render Header Fields taken from part Q.

   Its Cryptographic Summary should indicate that the message was signed
   and encrypted.  As in Section 2.5.3.2, each rendered Header Field
   found in Q should be considered against any HP-Removed Header Field
   found in Q and all HP-Obscured Header Fields found in Q.  If the
   field's name is found in the list of Header Field names in HP-
   Removed, or if one of the HP-Obscured fields refers to the field
   name, then the Header Field should be marked as signed-and-encrypted.
   Otherwise, the Header Field should be marked as signed-only.
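
   The identification signals of Section 2.5.1 and the per-field
   marking of Sections 2.5.3.2 and 2.5.4.2, as an added example in
   Python (not code from this document).  It assumes decryption and
   signature validation happened elsewhere and arrive as booleans, that
   HP-Removed is a comma-separated list of field names and each
   HP-Obscured value starts with the field name and a colon, and it
   extends the rule to encrypted-but-unsigned messages using the
   definitions in Section 2.5.2; function names and sample messages are
   constructed.

```python
from email import message_from_string
from email.message import Message
from typing import Dict, Optional, Set

RENDERED = ("From", "To", "Cc", "Date", "Subject")  # fields most MUAs render


def header_protection_scheme(payload: Message) -> Optional[str]:
    """Classify the Cryptographic Payload using the two signals of 2.5.1."""
    param = payload.get_param("protected-headers")
    param = param.lower() if isinstance(param, str) else None
    wraps = payload.get_content_type() in ("message/rfc822", "message/global")
    if wraps and param == "wrapped":
        return "wrapped"
    if not wraps and param == "v1":
        return "injected"
    return None


def protected_section(payload: Message) -> Optional[Message]:
    """Return the object that carries the protected Header Fields."""
    scheme = header_protection_scheme(payload)
    if scheme == "injected":
        return payload
    if scheme == "wrapped":
        # email parses a message/rfc822 part into a one-element list that
        # holds the encapsulated message with its own Header Section.
        inner = payload.get_payload()
        if isinstance(inner, list) and inner:
            return inner[0]
    return None


def confidential_names(protected: Message) -> Set[str]:
    """Names listed in HP-Removed or referred to by an HP-Obscured field."""
    # Assumed syntax: HP-Removed is a comma-separated list of field names;
    # each HP-Obscured value starts with "<field name>:".
    names = set()
    for value in protected.get_all("HP-Removed", []):
        names.update(n.strip().lower() for n in value.split(",") if n.strip())
    for value in protected.get_all("HP-Obscured", []):
        name, colon, _ = value.partition(":")
        if colon and name.strip():
            names.add(name.strip().lower())
    return names


def field_protections(payload: Message, signature_valid: bool,
                      encrypted: bool) -> Dict[str, str]:
    """Map each rendered protected Header Field to one of the four states."""
    protected = protected_section(payload)
    if protected is None:
        return {}  # no Header Protection: the outer fields are unprotected
    # HP-Removed and HP-Obscured only matter when the message was encrypted.
    hidden = confidential_names(protected) if encrypted else set()
    status = {}
    for name in RENDERED:
        if protected.get(name) is None:
            continue
        confidential = name.lower() in hidden
        if signature_valid:
            status[name] = "signed-and-encrypted" if confidential else "signed-only"
        else:
            # Assumption derived from the definitions in Section 2.5.2: with no
            # validated signature, a field also visible in transit is unprotected.
            status[name] = "encrypted-only" if confidential else "unprotected"
    return status


# Constructed sample: Cryptographic Payload of a signed-and-encrypted message
# that uses injected headers (part G in Section 2.5.3.2).
INJECTED = """\
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Cc: Carol <carol@example.net>
Date: Wed, 11 Jan 2023 16:08:43 -0500
Subject: Quarterly figures
HP-Removed: Cc
HP-Obscured: Subject: [...]

Body text.
"""

# Constructed sample: signed-only wrapped message (part K in Section 2.5.4.1).
WRAPPED = """\
Content-Type: message/rfc822; protected-headers="wrapped"

From: Alice <alice@example.net>
Subject: Minutes
Content-Type: text/plain

Body text.
"""

if __name__ == "__main__":
    print(field_protections(message_from_string(INJECTED), True, True))
    print(field_protections(message_from_string(WRAPPED), True, False))
```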

2.5.5.  Guidance for Automated Message Handling

   Some automated systems have a control channel that is operated by
   e-mail.  For example, an incoming e-mail message could subscribe
   someone to a mailing list, initiate the purchase of a specific
   product, approve another message for redistribution, or adjust the
   state of some shared object.

   To the extent that such a system depends on end-to-end cryptographic
   guarantees about the e-mail control message, Header Protection as
   described in this document should improve the system's security.
   This section provides some specific guidance for systems that use
   e-mail messages as a control channel that want to benefit from these
   security improvements.

2.5.5.1.  Interpret Only Protected Header Fields

   Consider the situation where an e-mail-based control channel depends
   on the message's cryptographic signature and the action taken depends
   on some Header Field of the message.

   In this case, the automated system MUST rely on information from the
   Header Field that is protected by the mechanism described in this
   document.  It MUST NOT rely on any Header Field found outside the
   Cryptographic Payload.

   For example, consider an administrative interface for a mailing list
   manager that only accepts control messages that are signed by one of
   its administrators.  When an inbound message for the list arrives, it
   is queued (waiting for administrative approval) and the system
   generates and listens for two distinct e-mail addresses related to
   the queued message -- one that approves the message, and one that
   rejects it.  If an administrator sends a signed control message to
   the approval address, the mailing list verifies that the protected
   To: Header Field of the signed control message contains the approval
   address before approving the queued message for redistribution.  If
   the protected To: Header Field does not contain that address, or
   there is no protected To: Header Field, then the mailing list logs or
   reports the error, and does not act on that control message.

2.5.5.2.  Ignore Legacy Display Elements

   Consider the situation where an e-mail-based control channel expects
   to receive an end-to-end encrypted message -- for example, where the
   control messages need confidentiality guarantees -- and where the
   action taken depends on the contents of some MIME part within the
   message body.

   In this case, the automated system that decrypts the incoming
   messages and scans the relevant MIME part MUST identify when the MIME
   part contains a Legacy Display Element (see Section 2.5.3.3.1), and
   it MUST parse the relevant MIME part with the Legacy Display Element
   removed.

   For example, consider an administrative interface of a confidential
   issue tracking software.  An authorized user can confidentially
   adjust the status of a tracked issue by a specially-formatted first
   line of the message body (for example, severity #183 serious).  When
   the user's MUA encrypts a plain text control message to this issue
   tracker, depending on the MUA's HCP and its choice of legacy value,
   it may add a Legacy Display Element.  If it does so, then the first
   line of the message body will contain a decorative copy of the
   confidential Subject: Header Field.  The issue tracking software
   decrypts the incoming control message, identifies that there is a
   Legacy Display Element in the part (see Section 2.5.3.3.1), strips
   the lines comprising the Legacy Display Element (including the first
   blank line), and only then parses the remaining top line to look for
   the expected special formatting.
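
   The issue tracker flow described above, together with the text/plain
   rule of Section 2.5.3.3.2, as an added example in Python (not code
   from this document).  Decryption is assumed to have happened already
   and is passed in as a boolean; the function names, the control-line
   pattern and the sample bodies are constructed for the example.

```python
import base64
import re
from email import message_from_bytes
from email.message import Message
from typing import Optional, Tuple

# Control syntax from the issue tracker example: "severity #183 serious".
CONTROL = re.compile(r"severity #(\d+) (\w+)")


def has_legacy_display(part: Message) -> bool:
    """Both conditions of Section 2.5.3.3.1 hold for this MIME part."""
    return (part.get_content_type() in ("text/plain", "text/html")
            and part.get_param("hp-legacy-display") == "1")


def decoded_text(part: Message) -> str:
    """Undo Content-Transfer-Encoding and charset; lines exist only after that."""
    raw = part.get_payload(decode=True) or b""
    try:
        return raw.decode(part.get_content_charset("us-ascii"), errors="replace")
    except LookupError:  # unknown charset label
        return raw.decode("utf-8", errors="replace")


def body_without_legacy_display(part: Message, encrypted: bool) -> str:
    """Drop the leading lines up to and including the first blank line."""
    text = decoded_text(part)
    marked = part.get_content_type() == "text/plain" and has_legacy_display(part)
    if not (encrypted and marked):
        return text  # unmarked or unencrypted parts are left untouched
    lines = text.split("\n")
    for i, line in enumerate(lines):
        if line.rstrip("\r") == "":
            return "\n".join(lines[i + 1:])
    return ""  # choice made for this example: no blank line, nothing remains


def parse_control(part: Message, encrypted: bool) -> Optional[Tuple[int, str]]:
    """Parse the top line of the body after removing Legacy Display Elements."""
    body = body_without_legacy_display(part, encrypted)
    top = body.split("\n", 1)[0].rstrip("\r")
    match = CONTROL.fullmatch(top)
    return (int(match.group(1)), match.group(2)) if match else None


def build_part(body: str, legacy: bool) -> Message:
    """Construct a decrypted text/plain part for the demonstration."""
    marker = '; hp-legacy-display="1"' if legacy else ""
    head = (f'Content-Type: text/plain; charset="utf-8"{marker}\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\n")
    return message_from_bytes(
        head.encode("ascii") + base64.encodebytes(body.encode("utf-8")))


# Constructed bodies. The first starts with a decorative copy of the Subject.
WITH_ELEMENT = "Subject: Zugriff auf Ger\u00e4t 7\r\n\r\nseverity #183 serious\r\n"
WITHOUT_ELEMENT = "severity #183 serious\r\n\r\nThanks!\r\n"

if __name__ == "__main__":
    print(parse_control(build_part(WITH_ELEMENT, legacy=True), encrypted=True))
    print(parse_control(build_part(WITHOUT_ELEMENT, legacy=False), encrypted=True))
```

   The blank-line search runs on the decoded text: in the base64 form
   used by the sample there is no blank line to find.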

2.5.6.  Affordances for Debugging and Troubleshooting

   Note that advanced users of an MUA may need access to the original
   message, for example to troubleshoot problems with the rendering MUA
   itself, or problems with the SMTP transport path taken by the
   message.

   An MUA that applies these rendering guidelines SHOULD ensure that the
   full original source of the message as it was received remains
   available to such a user for debugging and troubleshooting.

   If a troubleshooting scenario demands information about the
   cryptographically-protected values of Header Fields, and the message
   is encrypted, the debugging interface SHOULD also provide a "source"
   view of the Cryptographic Payload itself, alongside the full original
   source of the message as received.

2.5.7.  Rendering Other Schemes

   Other MUAs may have generated different structures of messages that
   aim to offer end-to-end cryptographic protections that include Header
   Protection.  This document is not normative for those schemes, and it
   is NOT RECOMMENDED to generate these other schemes, as they can
   either have structural flaws or simply render poorly on Legacy MUAs.
   A conformant MUA MAY attempt to infer Header Protection when
   rendering an existing message that appears to use some other scheme
   not documented here.  Pointers to some known other schemes can be
   found in Appendix E.

2.5.8.  Composing a Reply to an Encrypted Message with Header Protection

   When composing a reply to an encrypted message with Header
   Protection, the MUA is acting both as a receiving MUA and as a
   sending MUA.  Special guidance applies here, as things can go wrong
   in at least two ways: leaking previously-confidential information,
   and replying to the wrong party.

2.5.8.1.  Avoid Leaking Encrypted Header Fields in Reply

   As noted in Section 5.4 of [I-D.ietf-lamps-e2e-mail-guidance], an MUA
   in this position MUST NOT leak previously-encrypted content in the
   clear in a follow-up message.  The same is true for protected Header
   Fields.

   Values from any Header Field that was identified as either encrypted-
   only or signed-and-encrypted based on the steps outlined above MUST
   NOT be placed in cleartext output when generating a message.

   In particular, if Subject was encrypted, and it is copied into the
   draft encrypted reply, the replying MUA MUST obfuscate the
   unprotected (cleartext) Subject Header Field as described above.

   When crafting the Header Fields for a reply message, the composing
   MUA can make use of the HP-Removed and HP-Obscured Header Fields from
   within the Cryptographic Envelope of the reference message to ensure
   that Header Fields derived from the reference message do not leak in
   the reply.

   Consider a Header Field in a reply message that is generated by
   derivation from a Header Field in the reference message.  For
   example, the To Header Field is typically derived from the reference
   message's Reply-To or From Header Fields.  When generating the outer
   copy of the Header Field, the composing MUA first applies its own
   Header Confidentiality Policy.  If the Header Field's value is
   changed by the HCP, then it is applied to the outside header and
   noted in the protected Header Section using HP-Removed or HP-Obscured
   as appropriate, as described in Section 2.3.3.  Otherwise, if the
   Header Field's value is unchanged, the composing MUA re-generates the
   Header Field using the source Header Fields from the values within
   the Cryptographic Payload of the reference message, as modified by
   the HP-Obscured or HP-Removed Header Fields.  If that value is itself
   different than the protected value, then it is applied to the outside
   header and noted in the protected Header Section using HP-Obscured.
   If the value is the same as the protected value, then it is simply
   copied to the outside header directly.

   See Appendix C.2 for a simple worked example of this process.

2.5.8.2.  Avoid Misdirected Replies to Encrypted Messages with Header
          Protection

   When replying to a message, the Composing MUA typically decides who
   to send the reply to based on:

   *  the Reply-To, Mail-Followup-To, or From Header Fields

   *  optionally, the other To or Cc Header Fields (if the user chose to
      "reply all")

   When a message has Header Protection, the replying MUA MUST populate
   the destination fields of the draft message using the protected
   Header Fields, and ignore any unprotected Header Fields.

   This mitigates against an attack where Mallory gets a copy of an
   encrypted message from Alice to Bob, and then replays the message to
   Bob with an additional Cc to Mallory's own e-mail address in the
   message's outer (unprotected) Header Section.

   If Bob knows Mallory's certificate already, and he replies to such a
   message without following the guidance in this section, it's likely
   that his MUA will encrypt the cleartext of the message directly to
   Mallory.
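
   The replay scenario above and the mailing list check of
   Section 2.5.5.1 both come down to reading addresses only from the
   protected Header Section.  The following Python is an added example,
   not code from this document: the function names and sample messages
   are constructed, signature validation and decryption are assumed to
   have been done by the caller, and the recipient selection (Reply-To,
   else From, plus To and Cc for "reply all") is a simplification.

```python
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import List, Optional


def addresses(section: Message, *field_names: str) -> List[str]:
    """Lower-cased addr-specs from the named Header Fields, in order."""
    values = []
    for name in field_names:
        values.extend(section.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def reply_recipients(outer: Message, protected: Optional[Message],
                     own_address: str, reply_all: bool = False) -> List[str]:
    """Destination addresses for a draft reply (Section 2.5.8.2).

    `protected` is the protected Header Section, or None when the message
    has no Header Protection; only then are the outer fields consulted.
    """
    source = protected if protected is not None else outer
    found = addresses(source, "Reply-To") or addresses(source, "From")
    if reply_all:
        found = found + addresses(source, "To", "Cc")
    recipients = []
    for addr in found:
        if addr != own_address.lower() and addr not in recipients:
            recipients.append(addr)
    return recipients


def approves(protected: Optional[Message], signed_by_admin: bool,
             approval_address: str) -> bool:
    """Mailing list check from Section 2.5.5.1: the protected To: must match."""
    if protected is None or not signed_by_admin:
        return False  # no protected To: field, or no valid admin signature
    return approval_address.lower() in addresses(protected, "To")


# Constructed: Alice's message as replayed to Bob, with Mallory's address
# added to the outer (unprotected) Cc field.
OUTER = message_from_string("""\
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Cc: Carol <carol@example.net>, Mallory <mallory@example.org>
Subject: [...]

(encrypted body)
""")

# Constructed: protected Header Section recovered after decryption.
PROTECTED = message_from_string("""\
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Cc: Carol <carol@example.net>
Subject: Handover notes

Body text.
""")

# Constructed: protected Header Section of an administrator's control message.
CONTROL = message_from_string("""\
From: Admin <admin@example.net>
To: list-approve-1a2b@lists.example.net
Subject: approve

""")

if __name__ == "__main__":
    print(reply_recipients(OUTER, PROTECTED, "bob@example.net", reply_all=True))
    print(approves(CONTROL, True, "list-approve-9f9f@lists.example.net"))
```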

2.5.9.  Implicitly-rendered Header Fields

   While From and To and Cc and Subject and Date are often explicitly
   rendered to the user, some Header Fields do affect message display,
   without being explicitly rendered.

   For example, Message-Id, References, and In-Reply-To Header Fields
   may collectively be used to place a message in a "thread" or series
   of messages.

   In another example, Section 2.5.8.2 observes that the value of the
   Reply-To field can influence the draft reply message.  So while the
   user may never see the Reply-To Header Field directly, it is
   implicitly "rendered" when the user interacts with the message by
   replying to it.

   An MUA that depends on any implicitly-rendered Header Field in a
   message with Header Protection MUST use the value from the protected
   Header Field, and SHOULD NOT use any value found outside the
   cryptographic protection unless it is known to be a Header Field
   added in transit, as specified in Section 2.5.10.

2.5.10.  Unprotected Header Fields Added in Transit

   Some Header Fields are legitimately added in transit, and could not
   have been known to the sender at message composition time.

   The most common of these Header Fields are Received and DKIM-
   Signature, neither of which are typically rendered, either explicitly
   or implicitly.

   If a receiving MUA has specific knowledge about a given Header Field,
   including that:

   *  the Header Field would not have been known to the original sender,
      and

   *  the Header Field might be rendered explicitly or implicitly,

   then the MUA MAY decide to operate on the value of that Header Field
   from the unprotected Header Section, even though the message has
   Header Protection.

   The MUA MAY prefer to verify that the Header Fields in question have
   additional transit-derived cryptographic protections before rendering
   or acting on them.  For example, the MUA could verify whether these
   Header Fields are covered by an appropriate and valid ARC-
   Authentication-Results (see [RFC8617]) or DKIM-Signature (see
   [RFC6376]) Header Field.

   Specific examples of user-meaningful Header Fields commonly added by
   transport agents appear below.

2.5.10.1.  Mailing list Header Fields: List-* and Archived-At

   If the message arrives through a mailing list, the list manager
   itself may inject Header Fields (most of which start with List-) in
   the message:

   *  List-Archive

   *  List-Subscribe

   *  List-Unsubscribe

   *  List-Id

   *  List-Help

   *  List-Post

   *  Archived-At

   For some MUAs, these Header Fields are implicitly rendered, by
   providing buttons for actions like "Subscribe", "View Archived
   Version", "Reply List", "List Info", etc.

   An MUA that receives a message with Header Protection that contains
   these Header Fields in the unprotected section, and that has reason
   to believe the message is coming through a mailing list MAY decide to
   render them to the user (explicitly or implicitly) even though they
   are not protected.

2.5.11.  Handling Undecryptable Messages

   An MUA might receive an apparently encrypted message that it cannot
   currently decrypt.  For example, when an MUA does not have regular
   access to the secret key material needed for decryption, it cannot
   know the cryptographically protected Header Fields, or even whether
   the message has any cryptographically protected Header Fields.

   Such an undecrypted message will be rendered by the MUA as a message
   without any Header Protection.  This means that the message summary
   may well change how it is rendered when the user is finally able to
   supply the secret key.

   For example, the rendering of the Subject Header Field in a mailbox
   summary might change from [...] to the real message subject when the
   message is decrypted.  Or the message's placement in a message thread
   might change if, say, References or In-Reply-To have been removed or
   obscured (see Section 2.5.9).

   Additionally, if the MUA does not retain access to the decrypting
   secret key, and it drops the decrypted form of a message, the
   message's rendering may revert to the encrypted form.  For example,
   if a MUA follows this behavior, the Subject Header Field in a mailbox
   summary might change from the real message subject back to [...].
   Or, the message might be yanked out of its current thread if the MUA
   loses access to a removed References or In-Reply-To header.

   These behaviors are likely to surprise the user.  However, an MUA has
   several possible ways of reducing or avoiding all of these surprises,
   including:

   *  Ensuring that the MUA always has access to decryption-capable
      secret key material.

   *  Rendering undecrypted messages in a special quarantine view until
      the decryption-capable secret key material is available.

   To reduce or avoid the surprises associated with a decrypted message
   with removed or obscured Header Fields becoming undecryptable, the
   MUA could also:

   *  Securely cache metadata from a decrypted message's protected
      Header Fields so that its rendering doesn't change after the first
      decryption.

   *  Securely store the session key associated with a decrypted
      message, so that attempts to read the message when the long-term
      secret key is unavailable can proceed using only the session key
      itself.  See, for example, the discussion about stashing session
      keys in Section 9.1 of [I-D.ietf-lamps-e2e-mail-guidance].

3.  E-mail Ecosystem Evolution

   This document is intended to offer tooling needed to improve the
   state of the e-mail ecosystem in a way that can be deployed without
   significant disruption.  Some elements of this specification are
   present for transitional purposes, but would not exist if the system
   were designed from scratch.

   This section describes these transitional mechanisms, as well as some
   suggestions for how they might eventually be phased out.

3.1.  Dropping Legacy Display Elements

   Any decorative Legacy Display Element added to an encrypted message
   that uses the Injected Header scheme is present strictly for enabling
   Header Field visibility (most importantly, the Subject Header Field)
   when the message is viewed with a decryption-capable Legacy MUA.

   Eventually, the hope is that most decryption-capable MUAs will
   conform to this specification, and there will be no need for
   injection of Legacy Display Elements in the message body.  A survey
   of widely-used decryption-capable MUAs might be able to establish
   when most of them do support this specification.

   At that point, a composing MUA could set the legacy parameter
   described in Section 2.3.4 to false by default, or could even hard-
   code it to false, yielding a much simpler message construction set.

   Until that point, an end user might want to signal that their
   receiving MUAs are conformant to this draft so that a peer composing
   a message to them can set legacy to false.  A signal indicating
   capability of handling messages with Header Protection might be
   placed in the user's cryptographic certificate, or in outbound
   messages.

   This draft doesn't attempt to define the syntax or semantics of such
   a signal.

3.2.  Stronger Default Header Confidentiality Policy

   This draft defines two different forms of Header Confidentiality
   Policy.  An MUA implementing an HCP for the first time SHOULD deploy
   hcp_minimal as recommended in Section 2.4.  This HCP offers the most
   commonly-expected protection (obscuring the Subject Header Field)
   without risking deliverability or rendering issues.

   The HCPs proposed in this draft are relatively conservative and still
   leak a significant amount of metadata for encrypted messages.  This
   is largely done to ensure deliverability (see Section 1.4.2) and
   usability, as messages without some critical Header Fields are more
   likely to not reach their intended recipient.

   In the future, some mail transport systems may accept and deliver
   messages with even less publicly-visible metadata.  Many MTA
   operators today would ask for additional guarantees about such a
   message to limit the risks associated with abusive or spammy mail.






   This specification offers the HCP formalism itself as a way for MUA
   developers and MTA operators to describe their expectations around
   message deliverability.  MUA developers can propose a stronger
   default HCP, and ask MTA operators (or simply test) whether their
   MTAs would be likely to deliver or reject encrypted mail with that
   HCP applied.  Proponents of a stronger HCP should explicitly document
   the HCP, and name it clearly and unambiguously to facilitate this
   kind of interoperability discussion.

   Reaching widespread consensus around a stronger global default HCP is
   a challenging problem of coordinating many different actors.  A
   piecemeal approach might be more feasible, where some signalling
   mechanism allows a message recipient, MTA operator, or third-party
   clearinghouse to announce what kinds of HCPs are likely to be
   deliverable for a given recipient.  In such a situation, the default
   HCP for an MUA might involve consulting the signalled acceptable HCPs
   for all recipients, and combining them (along with a default for when
   no signal is present) in some way.

   If such a signal were to reach widespread use, it could also be used
   to guide reasonable statistical default HCP choices for recipients
   with no signal.

   This draft doesn't attempt to define the syntax or semantics of such
   a signal.

3.3.  Deprecation of Messages Without Header Protection

   At some point, when the majority of MUA clients can generate
   cryptographically protected messages with Header Protection, it
   should be possible to deprecate any cryptographically protected
   message that does not have Header Protection.

   For example, as noted in Section 4.1, it's possible for an MUA to
   render a signed-only message that has no Header Protection the same
   as an unsigned message.  And a signed-and-encrypted message without
   Header Protection could likewise be marked as not fully protected.

   These stricter rules could be adopted immediately for all messages.
   Or an MUA developer could roll them out immediately for any new
   message, but still treat an old message (based on the Date Header
   Field and cryptographic signature timestamp) more leniently.

   A decision like this by any popular receiving MUA could drive
   adoption of this standard for sending MUAs.





4.  Usability Considerations

   This section describes concerns for MUAs that are interested in easy
   adoption of Header Protection by normal users.

   While they are not protocol-level artifacts, these concerns motivate
   the protocol features described in this document.

   See also the Usability commentary in Section 2 of
   [I-D.ietf-lamps-e2e-mail-guidance].

4.1.  Mixed Protections Within a Message Are Hard To Understand

   When rendering a message to the user, the ideal circumstance is to
   present a single cryptographic status for any given message.
   However, when message Header Fields are present, some message Header
   Fields do not have the same cryptographic protections as the main
   message.

   Representing such a mixed set of protection statuses is very
   difficult to do in a way that a normal user can understand without
   training.  There are at least three scenarios that are likely to be
   common, and poorly understood:

   *  A signed message with no Header Protection.

   *  A signed-and-encrypted message with no Header Protection.

   *  A signed-and-encrypted message with Header Protection as
      described in this document, where some User-Facing Header Fields
      have confidentiality but some do not.

   An MUA should have a reasonable strategy for clearly communicating
   each of these scenarios to the user.  For example, an MUA operating
   in an environment where it expects most cryptographically-protected
   messages to have Header Protection could use the following rendering
   strategy:

   *  When rendering a message with signed-only cryptographic status but
      no Header Protection, an MUA may decline to indicate a positive
      security status overall, and only indicate the cryptographic
      status to a user in a message properties or diagnostic view.  That
      is, the message may appear identical to an unsigned message except
      if a user verifies the properties through a menu option.

   *  When rendering a message with signed-and-encrypted or encrypted-
      only cryptographic status but no Header Protection, overlay a
      warning flag on the typical cryptographic status indicator.  That
      is, if a typical signed-and-encrypted message displays a lock
      icon, display a lock icon with a warning sign (e.g., an
      exclamation point in a triangle) overlaid.  See, for example, the
      graphics in [chrome-indicators].

   *  When rendering a message with signed-and-encrypted or encrypted-
      only cryptographic status, with Header Protection, but where the
      Subject Header Field has not been removed or obscured, place a
      warning sign on the Subject line.

   Other simple rendering strategies could also be reasonable.

4.2.  Users Should Not Have To Choose a Header Confidentiality Policy

   This document defines the abstraction of a Header Confidentiality
   Policy object for the sake of communication between implementers and
   deployments.

   Most e-mail users are unlikely to understand the tradeoffs between
   different policies.  In particular, the potential negative side
   effects (e.g. poor deliverability) may not be easily attributable by
   a normal user to a particular HCP.

   Therefore, MUA implementers should be conservative in their choice of
   default HCP, and should not require the Ordinary User to make an
   incomprehensible choice that could cause unfixable, undiagnosable
   problems.  The safest option is for the MUA developer to select a
   known, stable HCP (this document recommends hcp_minimal in
   Section 2.4) on the user's behalf.  An MUA should not expose the
   Ordinary User to a configuration option where they are expected to
   manually select (let alone define) an HCP.

4.3.  Users Should Not Have To Choose a Header Protection Scheme

   This document also describes two different Header Protection schemes:
   Wrapped Messages in Section 2.2 and Injected Headers in Section 2.1.

   These distinct schemes are described for the sake of implementers who
   may have to deal with messages found in the wild, but their intended
   semantics are identical.  They represent different tradeoffs in terms
   of rendering and user experience on the recipient's side, things that
   a given user writing a message is not prepared to select.

   When composing a message with cryptographic protections, the Ordinary
   User should not be confronted with any choices about which Header
   Protection scheme to use.  Rather, the MUA developer should use a
   single scheme for all outbound cryptographically-protected messages.




   This document recommends the Injected Headers scheme for generating
   messages with cryptographic protections, as described in Section 2.
   An MUA should not expose the Ordinary User to any configuration
   option where they are expected to manually select, enable, or disable
   Header Protections for new cryptographically-protected messages.

5.  Security Considerations

   This document describes a mechanism for improving the security of
   cryptographically-protected e-mail messages.  Following the guidance
   in this document should improve security for users of these
   technologies by more directly aligning the underlying messages with
   user expectations about confidentiality, authenticity, and integrity.

   However, many existing messages with cryptographic protections will
   not have these protections, and MUAs encountering these messages will
   need to handle older forms (without Header Protection) for quite some
   time.  An implementation that deals with legacy message archives will
   need to deal with all the various formats forever.  Helping the user
   distinguish between cryptographic protections of various messages is
   a difficult job for message renderers.

   However, on the message generation side, the situation is much
   clearer: there is a standard form that a protected message can take,
   and an implementer can always generate the standard form.  Generating
   the standard form also makes it more likely that any receiving
   implementation will be able to handle the generated message
   appropriately.

   The security considerations from Section 6 of [RFC8551] continue to
   apply for any MUA that offers S/MIME cryptographic protections, as
   well as Section 3 of [RFC5083] (Authenticated-Enveloped-Data in CMS)
   and Section 14 of [RFC5652] (CMS more broadly).  Likewise, the
   security considerations from Section 8 of [RFC3156] continue to apply
   for any MUA that offers PGP/MIME cryptographic protections, as well
   as Section 13 of [I-D.ietf-openpgp-crypto-refresh-13] (OpenPGP
   itself).  In addition, these underlying security considerations are
   now also applicable to the contents of the message header, not just
   the message body.

5.1.  Caution about Composing with Legacy Display Elements

   When composing a message, it's possible for a Legacy Display Element
   to contain risky data that could trigger errors in a rendering
   client.






   For example, if the value for a Header Field to be included in a
   Legacy Display Element within a given body part contains folding
   whitespace, it should be "unfolded" before generating the Legacy
   Display Element: all contiguous folding whitespace should be replaced
   with a single space character.  Likewise, if the header value was
   originally encoded with [RFC2047], it should be decoded first to a
   standard string and re-encoded using the charset appropriate to the
   target part.

   When including a Legacy Display Element in a text/plain part (see
   Section 2.3.4.1), if the decoded Subject Header Field contains a pair
   of newlines (e.g., if it is broken across multiple lines by encoded
   newlines), any newline MUST be stripped from the Legacy Display
   Element.  If the pair of newlines is not stripped, a receiving MUA
   that follows the guidance in Section 2.5.3.3.2 might leave the later
   part of the Legacy Display Element in the rendered message.

   When including a Legacy Display Element in a text/html part (see
   Section 2.3.4.2), any material in the header values should be
   explicitly HTML escaped to avoid being rendered as part of the HTML.
   At a minimum, the characters <, >, and & should be escaped to &lt;,
   &gt;, and &amp;, respectively (see for example [HTML-ESCAPES]).  If
   unescaped characters from removed or obscured header values end up in
   the Legacy Display Element, a receiving MUA that follows the guidance
   in Section 2.5.3.3.3 might fail to identify the boundaries of the
   Legacy Display Element, cutting out more than it should, or leaving
   remnants visible.  And a Legacy MUA parsing such a message might
   misrender the entire HTML stream, depending on the content of the
   removed or obscured header values.

   The Legacy Display Element is a decorative addition solely to enable
   visibility of obscured or removed Header Fields in decryption-capable
   Legacy MUAs.  When it is produced, it should be generated
   conservatively and narrowly, as described above, to avoid damaging
   the rest of the message.
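
   The value clean-up steps from this section, as an added example in
   Python (not part of this draft or of any MUA's code).  It prepares
   only the Header Field value; building the surrounding Legacy Display
   Element is left out, and the function names are hypothetical.

```python
import html
import re
from email.errors import HeaderParseError
from email.header import decode_header

# A run of folding whitespace: spaces/tabs, plus line breaks that are
# followed by a space or tab (RFC 5322 folding).
_FWS_RUN = re.compile(r"(?:[ \t]|\r?\n(?=[ \t]))+")
_NEWLINES = re.compile(r"[\r\n]+")


def display_value(raw: str) -> str:
    """Return one header field value as a single-line Unicode string."""
    # 1. Unfold: each contiguous run of folding whitespace becomes one space.
    unfolded = _FWS_RUN.sub(" ", raw).strip()

    # 2. Decode RFC 2047 encoded-words to a standard string.  Text outside
    #    encoded-words is assumed to be ASCII.
    try:
        chunks = decode_header(unfolded)
    except HeaderParseError:
        chunks = [(unfolded, None)]  # malformed encoded-word: keep it literal
    parts = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("ascii", errors="replace")
        parts.append(chunk)
    text = "".join(parts)

    # 3. Strip every newline, including those that only appear after
    #    decoding (e.g. =0A inside an encoded-word).
    return _NEWLINES.sub("", text)


def lde_value_plain(raw: str, charset: str = "utf-8") -> bytes:
    """Value for a text/plain part, re-encoded in that part's charset."""
    return display_value(raw).encode(charset, errors="replace")


def lde_value_html(raw: str, charset: str = "utf-8") -> bytes:
    """Value for a text/html part: escape <, > and & (and quotes), then
    re-encode; characters the charset lacks become numeric references."""
    escaped = html.escape(display_value(raw))
    return escaped.encode(charset, errors="xmlcharrefreplace")
```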

6.  Privacy Considerations

6.1.  Some Encrypted Header Fields Are Not Always Private

   For encrypted messages, depending on the sender's HCP, some Header
   Fields may appear both within the Cryptographic Envelope and on the
   outside of the message (e.g.  Date might exist identically in both
   places).  Section 2.5.2 identifies such a Header Field as signed-
   only.  These Header Fields are clearly _not_ private at all, despite
   a copy being inside the Cryptographic Envelope.





   A Header Field whose name can be found in the HP-Removed or in any
   HP-Obscured Header Field from the same part will have encrypted-only
   or signed-and-encrypted status.  But even Header Fields with these
   stronger levels of cryptographic confidentiality protection might not
   be as private as the user would like.

   For example, even if the Date Header Field has been obscured (say, by
   normalizing the timezone to UTC or rounding to the most recent minute
   or hour, so that the Header Field is formally signed-and-encrypted),
   the MTAs which handle the message can of course record the time that
   they first encountered it, which is likely to be identical or very
   close to the original value of the field.

6.2.  Header Fields Can Leak Unwanted Information to the Recipient

   For encrypted messages, even with an aggressive HCP that successfully
   obscures most Header Fields from all transport agents, Header Fields
   will be ultimately visible to all intended recipients.  This can be
   especially problematic for Header Fields that are not user-facing,
   which the sender may not expect to be injected by their MUA.
   Consider the three following examples:

   *  The MUA may inject a User-Agent Header Field that describes itself
      to every recipient, even though the sender may not want the
      recipient to know the exact version of their OS, hardware
      platform, or MUA.

   *  The MUA may have an idiosyncratic way of generating a Message-ID
      header, which could embed the choice of MUA, a timezone, a
      hostname, or other subtle information to a knowledgeable
      recipient.

   *  The MUA may erroneously include a Bcc Header Field in the
      origheaders of a copy of a message sent to the named recipient,
      defeating the purpose of using Bcc instead of Cc (see Section 6.3
      for more details about risks related to Bcc).

   Clearly, no end-to-end cryptographic protection of any Header Field
   as described in this document will hide such a sensitive field from
   the intended recipient.  Instead, the composing MUA MUST populate the
   origheaders list for any outbound message with only information the
   recipient should have access to.  This is true for messages without
   any cryptographic protection as well, of course, and it is even worse
   there: such a leak is exposed to the transport agents as well as the
   recipient.  An encrypted message with Header Protection and a strong
   Header Confidentiality Policy avoids exposing these leaks to the
   transport agents, but cannot defend against such a leak to the
   recipient.



6.2.1.  Encrypted Header Fields Can Be Inferred From External or
        Internal Metadata

   For example, if the To: and Cc: Header Fields are omitted from the
   unprotected Header Section, the values in those fields might still be
   inferred with high probability by an adversary who looks at the
   message either in transit or at rest.  If the message is found in, or
   being delivered to, a mailbox for bob@example.org, it's likely that
   Bob was in either To: or Cc:.  Furthermore, encrypted message
   ciphertext may hint at the recipients: for S/MIME messages, the
   RecipientInfo, and for PGP/MIME messages the key ID in the Public Key
   Encrypted Session Key (PKESK) packets will all hint at a specific set
   of recipients.  Additionally, an MTA that handles the message may add
   a Received: Header Field (or some other custom Header Field) that
   leaks some information about the nature of the delivery.

6.2.2.  HCP May Not Mask All Data in an Encrypted Header Field

   In another example, if the HCP modifies the Date: header to mask out
   high-resolution time stamps (e.g. rounding to the most recent hour)
   and to convert the local timezone to UTC, some information about the
   date of delivery will still be attached to the e-mail.  At the very
   least, the low resolution, global version of the date will be present
   on the message.  Additionally, Header Fields like Received that are
   added during message delivery might include higher-resolution
   timestamps.  And if the message lands in a mailbox that is ordered by
   time of receipt, even its placement in the mailbox and the non-
   obscured Date: Header Fields of the surrounding messages could leak
   this information.

   Some fields like From: may be impossible to fully obscure, as many
   modern message delivery systems depend on at least domain information
   in the From: field for determining whether a message is coming from a
   domain with "good reputation" (that is, from a domain that is not
   known for leaking spam).  So even if an aggressive HCP opts to remove
   the human-readable part from any From: Header Field, and to
   standardize/genericize the local part of the From: address, the
   domain will still leak.

6.2.3.  A Naive Recipient May Overestimate the Cryptographic Status of a
        Header Field in an Encrypted Message

   When an encrypted (or signed-and-encrypted) message is in transit, an
   active intermediary can strip or tamper with any Header Field that
   appears outside the Cryptographic Envelope.  A receiving MUA that
   naively infers cryptographic status from differences between the
   external Header Fields and those found in the Cryptographic Envelope
   could be tricked into overestimating the protections afforded to some
   Header Fields.

   For example, if the original sender's HCP passes through the Cc:
   Header Field unchanged, a cleanly-delivered message would indicate
   that the Cc: Header Field has a cryptographic status of signed.  But
   if an intermediary attacker simply removes the Header Field from the
   unprotected Header Section before forwarding the message, then the
   naive recipient might believe that the field has a cryptographic
   status of signed-and-encrypted.

   This draft offers protection against such an attack by way of the HP-
   Obscured and HP-Removed Header Fields that can be found on the
   Cryptographic Payload.  If a Header Field appears to have been
   obscured, but no HP-Obscured header matches it; or if the Header
   Field appears to have been removed, but the HP-Removed header does
   not include its field name, the receiving MUA can indicate to the
   user that the Header Field in question may not have been
   confidential.

   In such a case, a conservative MUA may render the Header Field in
   question as signed (because the sender did not hide it), but still
   treat it as signed-and-encrypted during reply, to avoid accidental
   leakage of the cleartext value in the reply message, as described in
   Section 2.5.8.1.
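
   The receiving-side check described in this section, as an added
   example in Python (not part of this draft or of any MUA's code).  It
   assumes the Header Fields, the HP-Removed field names and the
   HP-Obscured name/value pairs have already been parsed out of the
   message; function names, data shapes and sample values are
   constructed for illustration.

```python
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Tuple

SIGNED = "signed"
SIGNED_AND_ENCRYPTED = "signed-and-encrypted"

Field = Tuple[str, str]  # (field name, field value)


class FieldStatus(NamedTuple):
    name: str
    render_as: str  # status shown to the user
    reply_as: str   # status honoured when composing a reply
    warning: str    # empty when the sender's declaration backs the status


def _norm(value: str) -> str:
    return " ".join(value.split())


def naive_status(name: str, value: str, outer: Iterable[Field]) -> str:
    """Status inferred only from outer/inner differences (the naive way)."""
    same = any(n.lower() == name.lower() and _norm(v) == _norm(value)
               for n, v in outer)
    return SIGNED if same else SIGNED_AND_ENCRYPTED


def checked_status(protected: Iterable[Field], outer: Iterable[Field],
                   hp_removed: Iterable[str],
                   hp_obscured: Iterable[Field]) -> List[FieldStatus]:
    """Status per protected field, cross-checked against what the sender
    declared in HP-Removed / HP-Obscured on the Cryptographic Payload."""
    outer_values = defaultdict(set)
    for n, v in outer:
        outer_values[n.lower()].add(_norm(v))
    removed = {n.lower() for n in hp_removed}
    obscured = {(n.lower(), _norm(v)) for n, v in hp_obscured}

    result = []
    for name, value in protected:
        key = name.lower()
        seen = outer_values.get(key, set())
        if _norm(value) in seen:
            # Identical copy outside the envelope: never confidential.
            result.append(FieldStatus(name, SIGNED, SIGNED, ""))
        elif (not seen and key in removed) or \
                any((key, v) in obscured for v in seen):
            # The sender declared the removal or the obscured value.
            result.append(FieldStatus(name, SIGNED_AND_ENCRYPTED,
                                      SIGNED_AND_ENCRYPTED, ""))
        else:
            # Looks hidden, but the sender never said so: render as signed,
            # yet keep the value confidential when replying.
            why = ("absent outside but not listed in HP-Removed" if not seen
                   else "differs outside but no HP-Obscured matches")
            result.append(FieldStatus(name, SIGNED, SIGNED_AND_ENCRYPTED, why))
    return result


# Constructed sample: the sender obscured Subject and passed Cc through.
PROTECTED = [("Subject", "Merger timeline"),
             ("Cc", "carol@example.org"),
             ("Date", "Fri, 1 Mar 2024 10:00:00 +0000")]
HP_REMOVED: List[str] = []
HP_OBSCURED = [("Subject", "[...]")]
OUTER_CLEAN = [("Subject", "[...]"),
               ("Cc", "carol@example.org"),
               ("Date", "Fri, 1 Mar 2024 10:00:00 +0000")]
# Same message after Cc was dropped from the unprotected Header Section.
OUTER_TAMPERED = [f for f in OUTER_CLEAN if f[0] != "Cc"]

if __name__ == "__main__":
    for s in checked_status(PROTECTED, OUTER_TAMPERED, HP_REMOVED, HP_OBSCURED):
        print(s)
```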

6.2.4.  Summary and Implementation Guidance

   In the abstract sense, the above concerns are of course also true for
   any encrypted data, including the body of the message: if the sender
   isn't careful, the message contents or session keys could leak in
   many different ways that are beyond the scope of this draft.  The
   message recipient has no way in principle to tell whether the
   apparent confidentiality of any given piece of encrypted content has
   been broken via channels that they cannot perceive.  And an active
   intermediary aware of the recipient's public key can always encrypt a
   cleartext message in transit to give the recipient a false sense of
   security.

   Despite the external inferrability of some encrypted or signed-and-
   encrypted Header Fields, the MUA should still strive to avoid
   additional leakage of these Header Fields, as described in
   Section 2.5.8.1.









6.3.  Privacy and Deliverability Risks with Bcc and Encrypted Messages

   As noted in Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance],
   handling Bcc when generating an encrypted e-mail message can be
   particularly tricky.  With Header Protection, there is an additional
   wrinkle.  When an encrypted e-mail message with Header Protection has
   a Bcc'ed recipient, and the composing MUA explicitly includes the
   Bcc'ed recipient's address in their copy of the message (see the
   "second method" in Section 3.6.3 of [RFC5322]), that Bcc Header Field
   will always be visible to the Bcc'ed recipient.

   In this scenario, though, the composing MUA has one additional
   choice: whether to hide the Bcc Header Field from intervening message
   transport agents, by returning null when the HCP is invoked for Bcc.
   If the composing MUA's rationale for including an explicit Bcc in the
   copy of the message sent to the Bcc recipient is to ensure
   deliverability via a message transport agent that inspects message
   Header Fields, then stripping the Bcc field during encryption may
   cause the intervening transport agent to drop the message entirely.
   This is why Bcc is not explicitly stripped in hcp_minimal.

   If, on the other hand, deliverability to a Bcc'ed recipient is not a
   concern, the most privacy-preserving option is to simply omit the Bcc
   Header Field from the protected Header Section in the first place.
   An MUA that is capable of receiving and processing such a message can
   infer that since their user's address was not mentioned in any To or
   Cc Header Field, they were likely a Bcc recipient.

   Please also see Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance] for
   more discussion about Bcc and encrypted messages.

7.  IANA Considerations

   This document requests IANA to register the following two Header
   Fields in the "Permanent Message Header Field Names" registry within
   "Message Headers" in accordance with [RFC3864].















     +=============+==========+==========+==========+===============+
     | Header      | Template | Protocol | Status   | Reference     |
     | Field Name  |          |          |          |               |
     +=============+==========+==========+==========+===============+
     | HP-Removed  |          | mail     | standard | Section 2.3.3 |
     |             |          |          |          | of RFCXXXX    |
     +-------------+----------+----------+----------+---------------+
     | HP-Obscured |          | mail     | standard | Section 2.3.3 |
     |             |          |          |          | of RFCXXXX    |
     +-------------+----------+----------+----------+---------------+

       Table 1: Additions to 'Permanent Message Header Field Names'
                                 registry

   The Author/Change Controller of these two entries (Section 4.5 of
   [RFC3864]) should be the IETF itself.

   This document also defines the Content-Type parameter known as
   protected-headers.  Consequently, the Content-Type row in the
   "Permanent Message Header Field Names" registry should add a
   reference to this RFC to its "References" column.

   That is, the current row:

     +===================+==========+==========+========+===========+
     | Header Field Name | Template | Protocol | Status | Reference |
     +===================+==========+==========+========+===========+
     | Content-Type      |          | MIME     |        | [RFC4021] |
     +-------------------+----------+----------+--------+-----------+

         Table 2: Existing row in 'Permanent Message Header Field
                             Names' registry

   Should be updated to have the following values:

     +===================+==========+==========+========+===========+
     | Header Field Name | Template | Protocol | Status | Reference |
     +===================+==========+==========+========+===========+
     | Content-Type      |          | MIME     |        | [RFC4021] |
     |                   |          |          |        | [RFCXXXX] |
     +-------------------+----------+----------+--------+-----------+

       Table 3: Replacement row in 'Permanent Message Header Field
                             Names' registry







   This document also requests IANA to create a new registry in the
   "Mail Parameters" protocol group (https://www.iana.org/assignments/
   mail-parameters/) titled Mail Header Confidentiality Policies with
   the following content:

   +=================+======================+===========+=============+
   | Header          | Description          | Reference | Recommended |
   | Confidentiality |                      |           |             |
   | Policy Name     |                      |           |             |
   +=================+======================+===========+=============+
   | hcp_null        | No header            | RFCXXX    | N           |
   |                 | confidentiality      | (this     |             |
   |                 |                      | document) |             |
   +-----------------+----------------------+-----------+-------------+
   | hcp_minimal     | Subject Header Field | RFCXXX    | Y           |
   |                 | is obscured          | (this     |             |
   |                 |                      | document) |             |
   +-----------------+----------------------+-----------+-------------+
   | hcp_strong      | Remove or obscure    | RFCXXX    | N           |
   |                 | everything but From, | (this     |             |
   |                 | Date, To, and Cc     | document) |             |
   +-----------------+----------------------+-----------+-------------+
   | hcp_hide_cc     | Obscure Subject,     | RFCXXX    | N           |
   |                 | remove Cc            | (this     |             |
   |                 |                      | document) |             |
   +-----------------+----------------------+-----------+-------------+

          Table 4: Mail Header Confidentiality Policies registry

   Please add the following textual note to this registry:

      The Header Confidentiality Policy Name never appears on the wire.
      This registry merely tracks stable references to implementable
      descriptions of distinct policies.  Any addition to this registry
      should be governed by guidance in Section 2.4.4.1 of RFC XXX (this
      document).

   Adding an entry to this registry with an N in the "Recommended"
   column follows the registration policy of SPECIFICATION REQUIRED.
   Adding an entry to this registry with a Y in the "Recommended" column
   or changing the "Recommended" column in an existing entry (from N to
   Y or vice versa) requires IETF REVIEW.  During IETF REVIEW, the
   designated expert must also be consulted.  Guidance for the
   designated expert can be found in Section 2.4.4.1.







8.  Acknowledgments

   The authors would like to thank the following people who have
   provided helpful comments and suggestions for this document: Berna
   Alp, Bernhard E.  Reiter, Carl Wallace, Claudio Luck, David Wilson,
   Hernani Marques, juga, Krista Bennett, Kelly Bristol, Lars Rohwedder,
   Michael StJohns, Nicolas Lidzborski, Phillip Tao, Robert Williams,
   Roman Danyliw, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk,
   and Wei Chuang.

9.  References

9.1.  Normative References

   [I-D.ietf-lamps-e2e-mail-guidance]
              Gillmor, D. K., Hoeneisen, B., and A. Melnikov, "Guidance
              on End-to-End E-mail Security", Work in Progress,
              Internet-Draft, draft-ietf-lamps-e2e-mail-guidance-15, 1
              March 2024, <https://datatracker.ietf.org/doc/html/draft-
              ietf-lamps-e2e-mail-guidance-15>.

   [I-D.ietf-lamps-header-protection-requirements]
              Melnikov, A. and B. Hoeneisen, "Problem Statement and
              Requirements for Header Protection", Work in Progress,
              Internet-Draft, draft-ietf-lamps-header-protection-
              requirements-01, 29 October 2019,
              <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
              header-protection-requirements-01>.

   [I-D.ietf-openpgp-crypto-refresh-13]
              Wouters, P., Huigens, D., Winter, J., and N. Yutaka,
              "OpenPGP", Work in Progress, Internet-Draft, draft-ietf-
              openpgp-crypto-refresh-13, 4 January 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-
              crypto-refresh-13>.

   [RFC2045]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part One: Format of Internet Message
              Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
              <https://www.rfc-editor.org/rfc/rfc2045>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.






   [RFC3864]  Klyne, G., Nottingham, M., and J. Mogul, "Registration
              Procedures for Message Header Fields", BCP 90, RFC 3864,
              DOI 10.17487/RFC3864, September 2004,
              <https://www.rfc-editor.org/rfc/rfc3864>.

   [RFC5083]  Housley, R., "Cryptographic Message Syntax (CMS)
              Authenticated-Enveloped-Data Content Type", RFC 5083,
              DOI 10.17487/RFC5083, November 2007,
              <https://www.rfc-editor.org/rfc/rfc5083>.

   [RFC5234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234,
              DOI 10.17487/RFC5234, January 2008,
              <https://www.rfc-editor.org/rfc/rfc5234>.

   [RFC5322]  Resnick, P., Ed., "Internet Message Format", RFC 5322,
              DOI 10.17487/RFC5322, October 2008,
              <https://www.rfc-editor.org/rfc/rfc5322>.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, DOI 10.17487/RFC5652, September 2009,
              <https://www.rfc-editor.org/rfc/rfc5652>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/rfc/rfc8126>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8551]  Schaad, J., Ramsdell, B., and S. Turner, "Secure/
              Multipurpose Internet Mail Extensions (S/MIME) Version 4.0
              Message Specification", RFC 8551, DOI 10.17487/RFC8551,
              April 2019, <https://www.rfc-editor.org/rfc/rfc8551>.

9.2.  Informative References

   [chrome-indicators]
              Schechter, E., "Evolving Chrome's security indicators",
              May 2018, <https://blog.chromium.org/2018/05/evolving-
              chromes-security-indicators.html>.

   [CSS]      World Wide Web Consortium, "Cascading Style Sheets Level 2
              Revision 2 (CSS 2.2) Specification", 12 April 2016,
              <https://www.w3.org/TR/2016/WD-CSS22-20160412/>.

   [HTML-ESCAPES]
              W3C, "Using character escapes in markup and CSS", n.d.,
              <https://www.w3.org/International/questions/qa-
              escapes#use>.

   [I-D.autocrypt-lamps-protected-headers]
              Einarsson, B. R., "juga", and D. K. Gillmor, "Protected
              Headers for Cryptographic E-mail", Work in Progress,
              Internet-Draft, draft-autocrypt-lamps-protected-headers-
              02, 20 December 2019,
              <https://datatracker.ietf.org/doc/html/draft-autocrypt-
              lamps-protected-headers-02>.

   [I-D.ietf-lamps-samples]
              Gillmor, D. K., "S/MIME Example Keys and Certificates",
              Work in Progress, Internet-Draft, draft-ietf-lamps-
              samples-08, 2 February 2022,
              <https://datatracker.ietf.org/doc/html/draft-ietf-lamps-
              samples-08>.

   [I-D.pep-email]
              Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp):
              Email Formats and Protocols", Work in Progress, Internet-
              Draft, draft-pep-email-02, 16 December 2022,
              <https://datatracker.ietf.org/doc/html/draft-pep-email-
              02>.

   [I-D.pep-general]
              Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy
              privacy (pEp): Privacy by Default", Work in Progress,
              Internet-Draft, draft-pep-general-02, 16 December 2022,
              <https://datatracker.ietf.org/doc/html/draft-pep-general-
              02>.

   [PGPCONTROL]
              UUNET Technologies, Inc., "Authentication of Usenet Group
              Changes", 27 October 2016,
              <https://ftp.isc.org/pub/pgpcontrol/>.

   [PGPVERIFY-FORMAT]
              Lawrence, D. C., "Signing Control Messages, Verifying
              Control Messages", n.d.,
              <https://www.eyrie.org/~eagle/usefor/other/pgpverify>.

   [RFC2047]  Moore, K., "MIME (Multipurpose Internet Mail Extensions)
              Part Three: Message Header Extensions for Non-ASCII Text",
              RFC 2047, DOI 10.17487/RFC2047, November 1996,
              <https://www.rfc-editor.org/rfc/rfc2047>.

   [RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Five: Conformance Criteria and
              Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996,
              <https://www.rfc-editor.org/rfc/rfc2049>.

   [RFC3156]  Elkins, M., Del Torto, D., Levien, R., and T. Roessler,
              "MIME Security with OpenPGP", RFC 3156,
              DOI 10.17487/RFC3156, August 2001,
              <https://www.rfc-editor.org/rfc/rfc3156>.

   [RFC3851]  Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail
              Extensions (S/MIME) Version 3.1 Message Specification",
              RFC 3851, DOI 10.17487/RFC3851, July 2004,
              <https://www.rfc-editor.org/rfc/rfc3851>.

   [RFC4021]  Klyne, G. and J. Palme, "Registration of Mail and MIME
              Header Fields", RFC 4021, DOI 10.17487/RFC4021, March
              2005, <https://www.rfc-editor.org/rfc/rfc4021>.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, DOI 10.17487/RFC5751, January
              2010, <https://www.rfc-editor.org/rfc/rfc5751>.

   [RFC6376]  Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed.,
              "DomainKeys Identified Mail (DKIM) Signatures", STD 76,
              RFC 6376, DOI 10.17487/RFC6376, September 2011,
              <https://www.rfc-editor.org/rfc/rfc6376>.

   [RFC6532]  Yang, A., Steele, S., and N. Freed, "Internationalized
              Email Headers", RFC 6532, DOI 10.17487/RFC6532, February
              2012, <https://www.rfc-editor.org/rfc/rfc6532>.

   [RFC7489]  Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based
              Message Authentication, Reporting, and Conformance
              (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015,
              <https://www.rfc-editor.org/rfc/rfc7489>.

   [RFC8617]  Andersen, K., Long, B., Ed., Blank, S., Ed., and M.
              Kucherawy, Ed., "The Authenticated Received Chain (ARC)
              Protocol", RFC 8617, DOI 10.17487/RFC8617, July 2019,
              <https://www.rfc-editor.org/rfc/rfc8617>.

Appendix A.  Possible Problems with some Legacy Clients

   When an e-mail message with end-to-end cryptographic protection is
   received by a mail user agent, the user might experience any of many
   problematic interactions.  A message with Header Protection may
   introduce new forms of user experience failure.

   In this section, the authors enumerate the kinds of failures they
   have observed when reviewing, rendering, and replying to messages
   with different forms of Header Protection in different Legacy MUAs.
   Different Legacy MUAs exhibit different subsets of these problems.

   A conformant MUA would not exhibit any of these problems.  An
   implementer updating their Legacy MUA to be compliant with this
   specification should consider these concerns and try to avoid them.

A.1.  Problems Reviewing signed-and-encrypted Messages in List View

   *  Unprotected Subject, Date, From, To are visible

   *  Threading is not visible

A.2.  Problems when Rendering a signed-and-encrypted Message

   *  Unprotected Subject is visible

   *  Protected subject (on its own) is visible in the body

   *  Protected subject, date, from, to visible in the body

   *  User interaction needed to view whole message

   *  User interaction needed to view message body

   *  User interaction needed to view protected subject

   *  Impossible to view protected subject

   *  Nuisance alarms during user interaction

   *  Impossible to view message body

   *  Appears as a forwarded message

   *  Appears as an attachment

   *  Security indicators not visible

   *  User has multiple different methods to Reply: (e.g. reply to
      outer, reply to inner)

   *  User sees English "Subject:" in body even though the message
      itself is not in English

   *  Security indicators do not identify protection status of Header
      Fields

   *  Header Fields in body render with local Header Field names (e.g.
      showing "Betreff" instead of "Subject") and dates (TZ, locale)

A.3.  Problems when Replying to a signed-and-encrypted Message

   Note that the use case here is:

   *  User views message, to the point where they can read it.

   *  User then replies to message, and they are shown a message
      composition window, which has some UI elements

   *  If the MUA has multiple different methods to Reply: to a message,
      each way may need to be evaluated separately

   This section also uses the shorthand UI:x to mean "the UI element
   that the user can edit that they think of as x."

   *  protected subject is in UI:subject (and will leak)

   *  protected subject is quoted in UI:body

   *  protected subject is not anywhere in UI

   *  message body is _not_ visible/quoted in UI:body

   *  user cannot reply while viewing protected message

   *  reply is not encrypted by default (but is for normal S/MIME
      sign+enc messages)

   *  unprotected From: is in UI:To

   *  User's locale (lang, TZ) leaks in quoted body

   *  Header Fields not protected (and in particular, Subject is not
      obscured) by default

A.4.  Problems Reviewing signed-only Messages in List View

   *  Unprotected Subject, Date, From, To are visible

   *  Threading is not visible

A.5.  Problems when Rendering a signed-only Message

   *  Unprotected Subject is visible

   *  Protected subject (on its own) is visible in the body

   *  Protected subject, date, from, to visible in the body

   *  User interaction needed to view whole message

   *  User interaction needed to view message body

   *  User interaction needed to view protected subject

   *  Impossible to view protected subject

   *  Nuisance alarms during user interaction

   *  Impossible to view message body

   *  Appears as a forwarded message

   *  Appears as an attachment

   *  Security indicators not visible

   *  Security indicators do not identify protection status of Header
      Fields

   *  User has multiple different methods to Reply: (e.g. reply to
      outer, reply to inner)

   *  Header Fields in body render with local Header Field names (e.g.
      showing "Betreff" instead of "Subject") and dates (TZ, locale)

A.6.  Problems when Replying to a signed-only Message

   This uses the same use case(s) and shorthand as Appendix A.3.

   *  Unprotected Subject: is in UI:subject

   *  Protected Subject: is quoted in UI:body

   *  Protected Subject: is not anywhere in UI

   *  Message body is not visible/quoted in UI:body

   *  User cannot reply while viewing protected message

   *  Unprotected From: is in UI:To

   *  User's locale (lang, TZ) leaks in quoted body

Appendix B.  Test Vectors

   This section contains sample messages using the different schemes
   described in this document.  Each sample contains a MIME object, a
   textual and diagrammatic view of its structure, and examples of how
   an MUA might render it.

   The cryptographic protections used in this document use the S/MIME
   standard, and keying material and certificates come from
   [I-D.ietf-lamps-samples].

   These messages should be accessible to any IMAP client at
   imap://bob@header-protection.cmrg.net/ (any password should
   authenticate to this read-only IMAP mailbox).

   You can also download copies of these test vectors separately at
   https://header-protection.cmrg.net.

   If any of the messages downloaded differ from those offered here,
   this document is the canonical source.

B.1.  Baseline Messages

   These messages offer no header protection at all, and can be used as
   a baseline.  They are provided in this document as a counterexample.
   An MUA implementer can use these messages to verify that the reported
   cryptographic summary of the message indicates no header protection.

B.1.1.  No Cryptographic Protections Over a Simple Message

   This message uses no cryptographic protection at all.  Its body is a
   text/plain message.

   It has the following structure:

   └─╴text/plain 152 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: no-crypto
   Message-ID: <no-crypto@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:00:02 -0500
   User-Agent: Sample MUA Version 1.0

   This is the no-crypto message.

   This message uses no cryptographic protection at all.  Its body
   is a text/plain message.

   --
   Alice
   alice@smime.example

B.1.2.  S/MIME Signed-only signedData Over a Simple Message, No Header
        Protection

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 3852 bytes
    ⇩ (unwraps to)
    └─╴text/plain 204 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part
   Message-ID: <smime-one-part@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:01:02 -0500
   User-Agent: Sample MUA Version 1.0

B.1.3.  S/MIME Signed-only multipart/signed Over a Simple Message, No
        Header Protection

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses no
   header protection.

   It has the following structure:

   └┬╴multipart/signed 4191 bytes
    ├─╴text/plain 224 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="052";
    micalg="sha-256"
   Subject: smime-multipart
   Message-ID: <smime-multipart@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:02:02 -0500
   User-Agent: Sample MUA Version 1.0

   --052
   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a text/plain
   message. It uses no header protection.

   --
   Alice
   alice@smime.example

   --052
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --052--

B.1.4.  S/MIME Encrypted and Signed Over a Simple Message, No Header
        Protection

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 6720 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 3960 bytes
     ⇩ (unwraps to)
     └─╴text/plain 239 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: smime-enc-signed
   Message-ID: <smime-enc-signed@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:03:02 -0500
   User-Agent: Sample MUA Version 1.0

B.1.5.  No Cryptographic Protections Over a Complex Message

   This message uses no cryptographic protection at all.  Its body is a
   multipart/alternative message with an inline image/png attachment.

   It has the following structure:

   └┬╴multipart/mixed 1406 bytes
    ├┬╴multipart/alternative 794 bytes
    │├─╴text/plain 206 bytes
    │└─╴text/html 304 bytes
    └─╴image/png inline 232 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="c39"
   Subject: no-crypto-complex
   Message-ID: <no-crypto-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:00:02 -0500
   User-Agent: Sample MUA Version 1.0

   --c39
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="05a"

   --05a
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the no-crypto-complex message.

   This message uses no cryptographic protection at all.  Its body
   is a multipart/alternative message with an inline image/png
   attachment.

   --
   Alice
   alice@smime.example
   --05a
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>no-crypto-complex</b> message.</p>
   <p>This message uses no cryptographic protection at all.  Its body
   is a multipart/alternative message with an inline image/png
   attachment.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
   --05a--

   --c39
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --c39--

B.1.6.  S/MIME Signed-only signedData Over a Complex Message, No Header
        Protection

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses no header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5249 bytes
    ⇩ (unwraps to)
    └┬╴multipart/mixed 1288 bytes
     ├┬╴multipart/alternative 882 bytes
     │├─╴text/plain 258 bytes
     │└─╴text/html 353 bytes
     └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex
   Message-ID: <smime-one-part-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:01:02 -0500
   User-Agent: Sample MUA Version 1.0

B.1.7.  S/MIME Signed-only multipart/signed Over a Complex Message, No
        Header Protection

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses no header protection.

   It has the following structure:

   └┬╴multipart/signed 5234 bytes
    ├┬╴multipart/mixed 1344 bytes
    │├┬╴multipart/alternative 938 bytes
    ││├─╴text/plain 278 bytes
    ││└─╴text/html 376 bytes
    │└─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="452";
    micalg="sha-256"
   Subject: smime-multipart-complex
   Message-ID: <smime-multipart-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:02:02 -0500
   User-Agent: Sample MUA Version 1.0

   --452
   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="ac5"

   --ac5
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="813"

   --813
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses no header protection.

   --
   Alice
   alice@smime.example
   --813
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses no header protection.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
   --813--

   --ac5
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --ac5--

   --452
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --452--

B.1.8.  S/MIME Encrypted and Signed Over a Complex Message, No Header
        Protection

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses no
   header protection.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8690 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5426 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1356 bytes
      ├┬╴multipart/alternative 950 bytes
      │├─╴text/plain 293 bytes
      │└─╴text/html 388 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: smime-enc-signed-complex
   Message-ID: <smime-enc-signed-complex@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:03:02 -0500
   User-Agent: Sample MUA Version 1.0

B.2.  Signed-only Messages

   These messages are signed-only, using different schemes of header
   protection and different S/MIME structure.  They use no Header
   Confidentiality Policy because the hcp is only relevant when a
   message is encrypted.

B.2.1.  S/MIME Signed-only signedData Over a Simple Message, Wrapped
        Message

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses the Wrapped Message header
   protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 4319 bytes
    ⇩ (unwraps to)
    └┬╴message/rfc822 inline 642 bytes
     └─╴text/plain 228 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-wrapped
   Message-ID: <smime-one-part-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:04:02 -0500
   User-Agent: Sample MUA Version 1.0

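   The difference between the unprotected multipart/signed sample in
   B.1.7 and the Wrapped Message samples in this section can be checked
   mechanically.  The following Python code is an added example, not
   part of this draft or of any MUA; it reports which outer Header
   Fields a detached signature does not cover and which of them differ
   from the wrapped copy.  The sample messages are constructed
   abridgements of the B.1.7 and B.2.2 test vectors with a placeholder
   signature, and USER_FACING, classify() and the result keys are names
   assumed here.

```python
from email import message_from_string

# Header Fields shown to the reader (a selection assumed for this example).
USER_FACING = ("Subject", "From", "To", "Date", "Message-ID")

# Constructed sample abridged from B.1.7: one text part stands in for the
# payload and the signature is a placeholder (nothing here verifies it).
NO_HP = """\
MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="452"; micalg="sha-256"
Subject: smime-multipart-complex
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:02:02 -0500

--452
Content-Type: text/plain; charset="us-ascii"

This is the smime-multipart-complex message.

--452
Content-Type: application/pkcs7-signature; name="smime.p7s"

placeholder
--452--
"""

# Constructed sample abridged from B.2.2 (same placeholder signature).
WRAPPED = """\
MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="8a8"; micalg="sha-256"
Subject: smime-multipart-wrapped
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:05:02 -0500

--8a8
Content-Type: message/rfc822; protected-headers="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Subject: smime-multipart-wrapped
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:05:02 -0500

This is the smime-multipart-wrapped message.

--8a8
Content-Type: application/pkcs7-signature; name="smime.p7s"

placeholder
--8a8--
"""

# Constructed variant: only the outer (unsigned) Subject differs.
TAMPERED = WRAPPED.replace("Subject: smime-multipart-wrapped",
                           "Subject: changed in transit", 1)


def _visible(msg):
    """Return the user-facing Header Fields of msg, whitespace-normalized."""
    return {h: " ".join(msg[h].split()) for h in USER_FACING if msg[h] is not None}


def classify(raw):
    """Report which outer headers of a multipart/signed message are unprotected."""
    msg = message_from_string(raw)
    outer = _visible(msg)
    # Default: nothing in the outer header section is covered by the signature.
    result = {"scheme": "none", "protected": {},
              "unsigned": sorted(outer), "mismatch": []}
    parts = msg.get_payload() if msg.is_multipart() else []
    if msg.get_content_type() != "multipart/signed" or len(parts) != 2:
        result["scheme"] = "not-multipart-signed"
        return result
    payload = parts[0]  # the detached signature covers only this first part
    wrapped = (payload.get_content_type() == "message/rfc822"
               and payload.get_param("protected-headers") == "wrapped"
               and payload.is_multipart())
    if not wrapped:
        return result
    inner = _visible(payload.get_payload(0))  # headers of the wrapped message
    result.update(
        scheme="wrapped",
        protected=inner,
        unsigned=sorted(h for h in outer if h not in inner),
        mismatch=sorted(h for h in outer if h in inner and outer[h] != inner[h]),
    )
    return result


if __name__ == "__main__":
    for name, raw in (("no-hp", NO_HP), ("wrapped", WRAPPED), ("tampered", TAMPERED)):
        print(name, classify(raw))
```

   Signature verification over the first body part is still required
   before the values under "protected" are attributed to the signer.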

B.2.2.  S/MIME Signed-only multipart/signed Over a Simple Message,
        Wrapped Message

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses
   the Wrapped Message header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 4562 bytes
    ├┬╴message/rfc822 inline 672 bytes
    │└─╴text/plain 256 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="8a8";
    micalg="sha-256"
   Subject: smime-multipart-wrapped
   Message-ID: <smime-multipart-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:05:02 -0500
   User-Agent: Sample MUA Version 1.0

   --8a8
   MIME-Version: 1.0
   Content-Type: message/rfc822; protected-headers="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: smime-multipart-wrapped
   Message-ID: <smime-multipart-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:05:02 -0500
   User-Agent: Sample MUA Version 1.0

   This is the smime-multipart-wrapped message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a text/plain
   message. It uses the Wrapped Message header protection scheme.

   --
   Alice
   alice@smime.example

   --8a8
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --8a8--

B.2.3.  S/MIME Signed-only signedData Over a Simple Message, Injected
        Headers

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a text/plain message.  It uses the Injected Headers header
   protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 4234 bytes
    ⇩ (unwraps to)
    └─╴text/plain 239 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-injected
   Message-ID: <smime-one-part-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:06:02 -0500
   User-Agent: Sample MUA Version 1.0

B.2.4.  S/MIME Signed-only multipart/signed Over a Simple Message,
        Injected Headers

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a text/plain message.  It uses
   the Injected Headers header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 4487 bytes
    ├─╴text/plain 258 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="f1e";
    micalg="sha-256"
   Subject: smime-multipart-injected
   Message-ID: <smime-multipart-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:07:02 -0500
   User-Agent: Sample MUA Version 1.0

   --f1e
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit
   Subject: smime-multipart-injected
   Message-ID: <smime-multipart-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:07:02 -0500
   User-Agent: Sample MUA Version 1.0
   Content-Type: text/plain; charset="utf-8"; protected-headers="v1"

   This is the smime-multipart-injected message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a text/plain
   message. It uses the Injected Headers header protection scheme.

   --
   Alice
   alice@smime.example

   --f1e
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --f1e--
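
   The two multipart/signed layouts shown in B.2.2 and B.2.4 differ in
   where the protected header fields sit; the following added example
   (not part of this draft or of any implementation it describes) finds
   them from the protected-headers parameter and reports outer fields
   that differ from the signed ones.  The function names and the sample
   messages are constructed for illustration, no signature is verified,
   and signedData messages would first need their CMS layer unwrapped.

```python
"""Added example: find which header protection scheme a multipart/signed
message uses and compare the signed header fields with the outer ones."""
import email

# Header fields that the sample messages repeat inside the signed payload.
CHECKED = ("Subject", "Message-ID", "From", "To", "Date")


def locate_protected(raw):
    """Return (outer, scheme, part); `part` carries the protected headers.

    Handles the detached-signature layout only: the first subpart of
    multipart/signed is the signed payload.  No signature is verified here.
    """
    outer = email.message_from_string(raw)
    if outer.get_content_type() != "multipart/signed" or not outer.is_multipart():
        return outer, "none", None
    payload = outer.get_payload()[0]
    marker = payload.get_param("protected-headers")
    if payload.get_content_type() == "message/rfc822" and marker == "wrapped":
        # Wrapped Message: the protected headers sit on the enclosed message.
        inner = payload.get_payload()
        if isinstance(inner, list) and inner:
            return outer, "wrapped", inner[0]
        return outer, "none", None
    if marker == "v1":
        # Injected Headers: the protected headers sit on the payload root.
        return outer, "injected", payload
    return outer, "none", None


def outer_mismatches(raw):
    """Return (scheme, {field: (outer_value, protected_value)})."""
    outer, scheme, part = locate_protected(raw)
    if part is None:
        return scheme, {}
    diffs = {}
    for name in CHECKED:
        # The outer fields lie outside the signed subpart, so a difference
        # means the outer value is not covered by the signature.
        if outer.get(name) != part.get(name):
            diffs[name] = (outer.get(name), part.get(name))
    return scheme, diffs


# Constructed samples modelled on B.2.2 and B.2.4 (not the draft's vectors).
COMMON = ("Message-ID: <constructed@lhp.example>\n"
          "From: Alice <alice@smime.example>\n"
          "To: Bob <bob@smime.example>\n"
          "Date: Sat, 20 Feb 2021 10:05:02 -0500\n")

WRAPPED_PAYLOAD = ('MIME-Version: 1.0\n'
                   'Content-Type: message/rfc822; protected-headers="wrapped"\n'
                   'Content-Disposition: inline\n'
                   '\n'
                   'MIME-Version: 1.0\n'
                   'Content-Type: text/plain; charset="utf-8"\n'
                   'Subject: signed subject\n' + COMMON +
                   '\n'
                   'Body text.\n')

INJECTED_PAYLOAD = ('MIME-Version: 1.0\n'
                    'Subject: signed subject\n' + COMMON +
                    'Content-Type: text/plain; charset="utf-8";'
                    ' protected-headers="v1"\n'
                    '\n'
                    'Body text.\n')

UNMARKED_PAYLOAD = 'Content-Type: text/plain; charset="utf-8"\n\nBody text.\n'


def sample(payload, outer_subject):
    """Wrap a payload in multipart/signed with a placeholder signature part."""
    return ('MIME-Version: 1.0\n'
            'Content-Type: multipart/signed;\n'
            ' protocol="application/pkcs7-signature"; boundary="b0";\n'
            ' micalg="sha-256"\n'
            'Subject: ' + outer_subject + '\n' + COMMON +
            '\n--b0\n' + payload +
            '\n--b0\n'
            'Content-Type: application/pkcs7-signature; name="smime.p7s"\n'
            '\n'
            'PLACEHOLDER\n'
            '--b0--\n')


if __name__ == "__main__":
    for label, payload in (("wrapped", WRAPPED_PAYLOAD),
                           ("injected", INJECTED_PAYLOAD)):
        for subject in ("signed subject", "altered in transit"):
            print(label, subject, outer_mismatches(sample(payload, subject)))
```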








B.2.5.  S/MIME Signed-only signedData Over a Complex Message, Wrapped
        Message

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses the Wrapped Message header protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5737 bytes
    ⇩ (unwraps to)
    └┬╴message/rfc822 inline 1689 bytes
     └┬╴multipart/mixed 1584 bytes
      ├┬╴multipart/alternative 946 bytes
      │├─╴text/plain 282 bytes
      │└─╴text/html 380 bytes
      └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex-wrapped
   Message-ID: <smime-one-part-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:04:02 -0500
   User-Agent: Sample MUA Version 1.0

B.2.6.  S/MIME Signed-only multipart/signed Over a Complex Message,
        Wrapped Message

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses the Wrapped Message
   header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 5653 bytes
    ├┬╴message/rfc822 inline 1747 bytes
    │└┬╴multipart/mixed 1642 bytes
    │ ├┬╴multipart/alternative 1002 bytes
    │ │├─╴text/plain 310 bytes
    │ │└─╴text/html 408 bytes
    │ └─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="aa9";
    micalg="sha-256"
   Subject: smime-multipart-complex-wrapped
   Message-ID: <smime-multipart-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:05:02 -0500
   User-Agent: Sample MUA Version 1.0

   --aa9
   MIME-Version: 1.0
   Content-Type: message/rfc822; protected-headers="wrapped"
   Content-Disposition: inline

   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="a30"
   Subject: smime-multipart-complex-wrapped
   Message-ID: <smime-multipart-complex-wrapped@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:05:02 -0500
   User-Agent: Sample MUA Version 1.0

   --a30
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="844"

   --844
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex-wrapped message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses the Wrapped Message header protection
   scheme.

   --
   Alice
   alice@smime.example
   --844
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex-wrapped</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses the Wrapped Message header protection
   scheme.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
   --844--

   --a30
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --a30--

   --aa9
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --aa9--

B.2.7.  S/MIME Signed-only signedData Over a Complex Message, Injected
        Headers

   This is a signed-only S/MIME message via PKCS#7 signedData.  The
   payload is a multipart/alternative message with an inline image/png
   attachment.  It uses the Injected Headers header protection scheme.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5700 bytes
    ⇩ (unwraps to)
    └┬╴multipart/mixed 1614 bytes
     ├┬╴multipart/alternative 950 bytes
     │├─╴text/plain 293 bytes
     │└─╴text/html 388 bytes
     └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex-injected
   Message-ID: <smime-one-part-complex-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:06:02 -0500
   User-Agent: Sample MUA Version 1.0


B.2.8.  S/MIME Signed-only multipart/signed Over a Complex Message,
        Injected Headers

   This is a signed-only S/MIME message via PKCS#7 detached signature
   (multipart/signed).  The payload is a multipart/alternative message
   with an inline image/png attachment.  It uses the Injected Headers
   header protection scheme.

   It has the following structure:

   └┬╴multipart/signed 5580 bytes
    ├┬╴multipart/mixed 1672 bytes
    │├┬╴multipart/alternative 1006 bytes
    ││├─╴text/plain 312 bytes
    ││└─╴text/html 410 bytes
    │└─╴image/png inline 232 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

   Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature"; boundary="f91";
    micalg="sha-256"
   Subject: smime-multipart-complex-injected
   Message-ID: <smime-multipart-complex-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:07:02 -0500
   User-Agent: Sample MUA Version 1.0

   --f91
   MIME-Version: 1.0
   Subject: smime-multipart-complex-injected
   Message-ID: <smime-multipart-complex-injected@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:07:02 -0500
   User-Agent: Sample MUA Version 1.0
   Content-Type: multipart/mixed; boundary="099"; protected-headers="v1"

   --099
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="9a5"

   --9a5
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart-complex-injected message.

   This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses the Injected Headers header protection
   scheme.

   --
   Alice
   alice@smime.example
   --9a5
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   <html><head><title></title></head><body>
   <p>This is the <b>smime-multipart-complex-injected</b> message.</p>
   <p>This is a signed-only S/MIME message via PKCS#7 detached
   signature (multipart/signed).  The payload is a
   multipart/alternative message with an inline image/png
   attachment. It uses the Injected Headers header protection
   scheme.</p>
   <p><tt>-- <br/>Alice<br/>alice@smime.example</tt></p></body></html>
   --9a5--

   --099
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --099--

   --f91
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"


   --f91--
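
   The following added example (not part of the draft or of any
   implementation it describes) reads a message laid out like the one
   above, picks the signed payload out of multipart/signed, and compares
   its Injected Headers with the outer header section.  The sample
   message is constructed and abridged, with a placeholder where the
   PKCS#7 signature would be, and no signature is verified; treating
   MIME-Version and Content-* as structural fields is an assumption of
   this example.

```python
from email import message_from_string

# Constructed sample: the B.2.8 layout cut down to a single text/plain
# payload. The signature part holds a placeholder, not a real PKCS#7 blob.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/signed;
 protocol="application/pkcs7-signature"; boundary="f91";
 micalg="sha-256"
Subject: smime-multipart-complex-injected
Message-ID: <smime-multipart-complex-injected@lhp.example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:07:02 -0500

--f91
MIME-Version: 1.0
Subject: smime-multipart-complex-injected
Message-ID: <smime-multipart-complex-injected@lhp.example>
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 12:07:02 -0500
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"

This is the signed body.

--f91
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

UExBQ0VIT0xERVI=

--f91--
"""

# Same message with the outer Subject altered, as any relay on the path
# could do. Only the first occurrence (the outer header) is replaced.
TAMPERED = SAMPLE.replace(
    "Subject: smime-multipart-complex-injected",
    "Subject: changed in transit", 1)


def is_structural(name):
    """MIME-Version and Content-* describe MIME structure (assumption)."""
    lowered = name.lower()
    return lowered == "mime-version" or lowered.startswith("content-")


def cryptographic_payload(msg):
    """Return the signed part: the first of the two multipart/signed children."""
    if msg.get_content_type() != "multipart/signed":
        raise ValueError("expected multipart/signed")
    parts = msg.get_payload()
    if not isinstance(parts, list) or len(parts) != 2:
        raise ValueError("multipart/signed must have exactly two parts")
    return parts[0]


def protected_headers(payload):
    """Non-structural fields of the payload, or None without protected-headers="v1"."""
    if payload.get_param("protected-headers") != "v1":
        return None
    return [(n, v.strip()) for n, v in payload.items() if not is_structural(n)]


def compare_headers(raw):
    """Map each header field name to its protected value, outer values and status."""
    outer = message_from_string(raw)
    protected = protected_headers(cryptographic_payload(outer))
    if protected is None:
        return None  # no header protection announced on the payload
    report = {}
    for name, value in protected:
        seen = [v.strip() for v in outer.get_all(name, [])]
        if not seen:
            status = "missing-outside"
        elif value in seen:
            status = "match"
        else:
            status = "mismatch"
        report[name] = {"protected": value, "outer": seen, "status": status}
    # Outer fields with no protected counterpart are outside the signature.
    covered = {name.lower() for name, _ in protected}
    for name in outer.keys():
        if not is_structural(name) and name.lower() not in covered:
            values = [v.strip() for v in outer.get_all(name)]
            report[name] = {"protected": None, "outer": values,
                            "status": "unprotected"}
    return report


if __name__ == "__main__":
    for label, raw in (("as sent", SAMPLE), ("outer Subject altered", TAMPERED)):
        print(label)
        for name, row in compare_headers(raw).items():
            print(f"  {name}: {row['status']}")
```

   The comparison only carries weight once the signature over the
   payload has been verified; before that, the inner values are as
   unauthenticated as the outer ones.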

B.3.  Encrypted-and-signed Messages

   These messages are encrypted and signed.  They use PKCS#7 signedData
   inside envelopedData, with different header protection schemes and
   different Header Confidentiality Policies.

B.3.1.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped
        Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7540 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4580 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 783 bytes
      └─╴text/plain 321 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-wrapped-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:08:02 -0500
   User-Agent: Sample MUA Version 1.0


B.3.2.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7435 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4498 bytes
     ⇩ (unwraps to)
     └─╴text/plain 333 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-injected-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:09:02 -0500
   User-Agent: Sample MUA Version 1.0


B.3.3.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7670 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4674 bytes
     ⇩ (unwraps to)
     └─╴text/plain 423 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:10:02 -0500
   User-Agent: Sample MUA Version 1.0

B.3.4.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped
        Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7735 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4712 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 878 bytes
      └─╴text/plain 319 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <73a42f8e-8f5a-5c62-b982-82ace766fd32@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:11:02 -0500

B.3.5.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7605 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4630 bytes
     ⇩ (unwraps to)
     └─╴text/plain 331 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <27139e00-e05f-581d-a339-d2bd43bd0f42@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:12:02 -0500

B.3.6.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7845 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4806 bytes
     ⇩ (unwraps to)
     └─╴text/plain 420 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <fdccb76a-49ed-50c5-9030-e4aeb83d7f04@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:13:02 -0500

   MIIWnAYJKoZIhvcNAQcDoIIWjTCCFokCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV
   BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN
   UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00
   Boq0MA0GCSqGSIb3DQEBAQUABIIBAGXrH1WNm/k3nn8sEvr1NxWi6vN9dWkgNKBk
   uyHpuWbmQxgdsC4i0rQBk0W4XOaDdu5yYwt4uzqqfbIlgJQRnFfNt5Dj0tx+Wqxs
   /uK0Fp8oCFZ4pJQVyX4idSfWvbq6J3iTIA0cPHBogIE4y8mMuByXh97VK5IGKvXc
   RDYnE9vsYJY0Hpm//5ZUvUcNa7PeIJmrv/eJ0kjxAW7pa/64ni9T5qP8BKHgvcJm
   YFYS6zy4UMjRNEftjlGNZa6QElsy207BIZI3Vp3I1nvBCZI/Y6IHyN/Z3dKLG+Yp
   eRhvtvF+PO+YeOLjm+o76hCIkJx8qqg3EYLV8dbbthK1aDgNO2swggGEAgEAMGww
   VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh
   bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6
   HGLS64MvlsDXhpQwDQYJKoZIhvcNAQEBBQAEggEAbVIWhJ9+bVLKFMdyq+QNi1mn
   qFxMKKidulH5s3NmRCYn9/nu82R8k+r4+FeVv+mrIIH90rG6v8pJZDFUDkG270Vj
   v+ZmqsJLTuV1xsS8p6sOi/1sdoHC/GBLUffalroOJhRJ90aoSYnM5b9h4hWxYFi2
   ai+WG6mgK7A5/LN1OW5em+aWzWNjoDNDzLAcPapv7ZjeKA5loyIutbbl1Lgkta8t
   b+hBmyREyCb/Qh0xS5ikztPqgDO2n39erubT09E0YzvGo7RTmb1DwnH1kW44Sdlj
   wqVIwRlX4oIDLKMvPd717j7wEplmgAHCWVRMTs6E1cjNm+CezS3o9S+6CjkQSzCC
   E24GCSqGSIb3DQEHATAdBglghkgBZQMEAQIEECNM/iph7panVLTQtINOBe6AghNA
   Qo2zwm6jSmU3io3mCTlOe8vTtf9fspgytoop1I5ZqNb1lqgiz4jdvAbqYVo5nnw2
   arDhE1C1ZaLGxTnRC0XQbC/b1tBmQepeQsOYizTIj+LdcZLN+M3AymhRPXWc0H5n



Gillmor, et al.         Expires 2 September 2024              [Page 115]

Internet-Draft    Cryptographic MIME Header Protection        March 2024



B.3.7.  S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped
        Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7800 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4770 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 920 bytes
      └─╴text/plain 327 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <smime-enc-signed-wrapped-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:14:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To: <smime-enc-signed-wrapped-minimal@lhp.example>
   References: <smime-enc-signed-wrapped-minimal@lhp.example>


B.3.8.  S/MIME Encrypted and Signed Reply Over a Simple Message,
        Injected Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7695 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4692 bytes
     ⇩ (unwraps to)
     └─╴text/plain 339 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:15:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To: <smime-enc-signed-injected-minimal@lhp.example>
   References: <smime-enc-signed-injected-minimal@lhp.example>


B.3.9.  S/MIME Encrypted and Signed Reply Over a Simple Message,
        Injected Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7975 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4898 bytes
     ⇩ (unwraps to)
     └─╴text/plain 435 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-injected-minimal-legacy-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:16:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>
   References:
    <smime-enc-signed-injected-minimal-legacy@lhp.example>

   J3sVajduSlL4fdejTFitqStbyr0YDp/iuaYUH6TA03YS6TxMk5uCgiLjZOohoeeF
   9pm9SCTWKhIXiX9/vPl4ZqU8rCwt0520U6qK+hx2RVENYOY1LUQRUYucULc9FFdW
   wnD6bi3OMmMMPMvVbtbMKplN9gsBtDa9yBjRwvl7L0iV9OLc45pJpde6Xd3A2P/D
   6mxXl94H+4FbvTmRn01JHHpgmJ5q4faFcj9o5XCUmRvX8rkp6uxGX3U+wDJSq9Bx
   12CSAru2cJ8D5yBvnss8eOHPFb6VlcJw8FFMR3g1qezR9pg0z+K+ZSJTfeTQf2Tm
   4HhFYOO1ZEGBGHHO7NiqP26Mj4EzbSSfUSEIgI0t6+w75uH6+dbiEyPm5tAwpk5C
   DLy9p8eVkXIz8H2GWQjULBYzO21dK46b79Sa1pudQ8bHyt/eVT/aMcs3nNWn9xO7
   ZpddAqveyjwMf4CE+gt8zmAGls6WaZ74LTNJIdc+KNkLg2VpAID6UlCrpjzqPZv/
   oDa2DbKyDHLU9T2AiTcGBkmGYXmoVLVfuHflXDeVSDyOPtpOdcEkzBqy/qRf34MI
   Kx/X42u/uOX8Eh9ivApezUoAp0J1FeB32wPtmmfN/Lmi1E3IGtMJsnKperFjVq78
   rKQF5uf9w3CKdAqwWfoQBPKmjP5WI5q99TzMtvQcNiKW3f9plHbmVaEIvor2Btws
   B6rHqBxcvN3mTy27BDYzvJEGe7QK12kfeNGIRmWTGo/DT6xxmwYmVdHTboZmUDKI
   z129E2C4ITu4A7xvT1C0CScD3fVjDg7D2SVfcYSHzA/K3b0jkOYMg0/OiUlHOI//
   iYFURenOu70sXJXtT1ttz4cQEEkRgKN9SIiloi/TdbwDcz9Sg3+NnLkeEG1UlEz3
   eFUbAsBCwJBVZQACGtAtyLGEElMEdNz2za+G6Mpb4MA0XTI3gENKu8SAKLzAU/DC
   Cns8/koY5tSTFlPbwA3cxrrFXVyvWLRbqCfEpa8/L/peuj870nOsjtr485s4+Gca
   t5YdE9k76pIC/JLfBA5GpTjY79wevaWEmsmKTry97cn+C73zzT4YxVFjpVeRuCBH
   4Scq1sR5315HRzoP4mCkIe7hm7pbYSd9tk+uJJULCu0h0ZiUelbNtnZQiSp/zGqM
   MdCfVk66rAsqEdIY6iwhMos4tJHbn5xWrugyfjc2jKk=

B.3.10.  S/MIME Encrypted and Signed Reply Over a Simple Message,
         Wrapped Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8020 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4930 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 1038 bytes
      └─╴text/plain 325 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <0e210732-9184-5855-9a95-2a635560d3a6@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:17:02 -0500


B.3.11.  S/MIME Encrypted and Signed Reply Over a Simple Message,
         Injected Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7930 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4856 bytes
     ⇩ (unwraps to)
     └─╴text/plain 337 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <0b3ea6dd-0e91-5a91-9bc0-3d553f892983@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:18:02 -0500


B.3.12.  S/MIME Encrypted and Signed Reply Over a Simple Message,
         Injected Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8190 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5058 bytes
     ⇩ (unwraps to)
     └─╴text/plain 432 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <b10dcc75-cf43-5fd7-9e48-f932a9d68fb5@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 10:19:02 -0500


B.3.13.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped
         Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Wrapped Message header protection scheme with the
   hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9665 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6148 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 1923 bytes
      └┬╴multipart/mixed 1818 bytes
       ├┬╴multipart/alternative 1132 bytes
       │├─╴text/plain 375 bytes
       │└─╴text/html 473 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:08:02 -0500
   User-Agent: Sample MUA Version 1.0


B.3.14.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9620 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6114 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1848 bytes
      ├┬╴multipart/alternative 1136 bytes
      │├─╴text/plain 387 bytes
      │└─╴text/html 482 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:09:02 -0500
   User-Agent: Sample MUA Version 1.0

B.3.15.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10205 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6548 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2157 bytes
      ├┬╴multipart/alternative 1431 bytes
      │├─╴text/plain 485 bytes
      │└─╴text/html 637 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:10:02 -0500
   User-Agent: Sample MUA Version 1.0

   d4CPHfNwL+rbtjV7nh3Px+8PZEcYOXOs+uvpdtGMSiao065lTFb5F5QBbtH6xODg
   HvjZ60bVzK3C9ZTIkuE/JNQRQjHhhMikeXuv2k/QPysAo8TQvox5Pcg1DXSMn2Lh
   MVj973B3mm/TXbBbagKFeQjcq/4nKiy3lDzGwR3rkVMEJzXcS7rgYkopzccH8XuW
   l7dSymO24h2J/7mFotR3SlhGn5jrDWLT9oCyh9caExf58KBKm4lmsmSyTKj70U0d
   5gQRSWxDezz7AvWNJo9OZWjaEpBQdcjte3KZXlZxxv9scEsI4jDCQY3D++77vGon
   8BcwQbQlLyzJnA7kSBW+QSo5DwceOU1DQqSa9/Kp0HANjy3mZxMp1Bg/+0uA+8nS
   UCxC7DqQVVa6xFECxaQwVA/fD/Y4NJhmFxvh1iBYC7iA34K4WOE8P++6fglm7gS6
   XyYLVL+ExjjgJLn4xRC3556CGSr46XWyYLTEsqZVWan6ThcxTdYeybeUXW4JOUJx
   AlDIL3mM5447P5A6gmz9/VUuRkqPRQsdeOAd7YQfWAe89carf7gQTqdsG7CjD+x8
   0ivGprQjfXi5cwfC+NOCowZsFC/qdlr4NciDjsgwZNpP7QW9trhol8evo6jsUiv+
   +4kC2qdQ/Fm37xMcwtqTE5PEnsNX1302Qbhp6Pkbx7mrXsib4gTqz6Wyid5h07LW
   Afwkvju/p1sUV8gIWmRS1UnrmA9PepLt75pO6+u+7LDcYuHAOun/TC3N+AvC0ORE
   CtRIiyMFPDw5v5sSeRidVpoRX2AV5/2ZncYnXizGk8FIv8C8dj/Mtd/GnFFIot7x
   9zvd3fX7PGdeIzpTPDSl81a1QbuvxUNiY/d+oaO80/HkbzkoA8VaTLlHRxLJveMH
   Snfa9GQFzHP1eOBuwPGNrTNHMLiREC4EQuHunyHyaZ7ut1eRwCXqDMYd5i9/Vclu
   K8yuMt1kCyfG110zuCfSFQ2COl1eN8K8DKIiVAzIVvQuG3yaVTSwtNX90mP2qRkn
   b6O8M+Xz3bOsrajjxa5ZN4eKROuu+1KA2JeC0OBu4r9wHIS6OtoBgyWzkhkHqjkC
   2n6c+4YPcMMi2XgFKF6T99hEzRr3rWKTKsAJh/5dSVSQ19dH3Hwcy7C3WygiuupI
   qWkHmnpDMBUuuL+YkF+Fxm2wU7mKDB5ee3GTO0MD19qZSpbHvrSk/ATudlAbgYXd
   NGmHBF72S8VKdS6PVPnsTpuNbkYAHMat+AmfdezW/FEWV2Q3riL6KA3thnmayFxA
   GlCMQ0sm/4u9IL2RCMZF2V9/v5InTRTAYEzo8sSp+5Zu9I6Rb7mwHZTgLmLWOBQd
   kjcbxygVSiBLWvyofQ9WkP3iyUVjsB2mF5ABk4SWMeFiIld/aAi1QvbcnrcnjbKw
   b5jnYm6b6bKUJUZzoMGR2dzWi082TnFuO3j1Su1+1DxhOB2LgKypeJGPtMD0smZD
   jg2ZhpB8HAJCfqhoseln3lYN2roINWEC0kyTDIyHYZmmubd64Upe/wYbJWAAI2gm
   kj0B6+HBZatjHCdhFv7oR3+smnFUtfF59LQ4x9eI6DkJ/3r/Iwyd+5XyZKoDJYJp
   5jiwD6pQKW+VuYzg4TxoTc3GXIb5s/22yQI30v3sYG3uSQHviYmStGQxp3pVBA0q
   +9xkOMpzp7nFrBA6C2obNabDpTofJeF2aItfPPmuiIrjQYpAc5o3542Sl2fQFmbQ
   G2LumyaiTdGuH8uqNBtYNnDQFUsWfnyqcDfIoyLairThbgkMcB8PLip2O6TEKwfV
   s3O4MG4vLdGYjBsus30axpSYXtS91JfYPgPcEZifkUR7yZw+sfb3JPAjeNelqs2H
   llcNEiMQzL50A8cOtzXftKbLU83H1DMhiCYnS49VqxgChYK8EPCnA0UoJ18CAahf
   oRmOoK8N+LMEohQV6VcVL58ggwnR5oFGY6ZuBIv8jJcCS9uXiFZnnoCY8bgkxxvK
   7d0kASdiN/eFnzJkPfOVHnkVLUI8kSIY0799iw3kl9dYxShfrma18Xcq0r7BKM9n
   LChsKG4lP0RLLWKrTNyi7J6cX484j5FswT8MWOAayc5s51MPUkTn5OX+bWyGV2eV
   Th8QwyRTgo3DVcoqNWQ4+W12TEgXbiM8w7ZPxWiwfGTrL4vR+4y/H+BqKvJUjT7W
   za33W6iRkgh1bd0jhbehmno6yRcpw6Zcu7ndW+FdtlGBoOtiXjmqolBo00po2cdP
   3ToOU8fHl/NExBG20S3Rqhl+IEtVq1Xrw5hVIF7FTF78CXeGpvjue4BAKoiR87Yo
   mHnesyBocxOaTxGgiEucDWJtMnJ1L9oh/Ob/UAPQVQngkWSK9HgP+cGiJDkt7e2I
   Ktd/Se7OjZa5Tj0Ry5+9akSpa0HWnn24GtauqUmgnotP3QFxrO2FR1KiG6LbsfGH
   8NrUGUVymMDePLAGDb4duclasNJGJ2uSzS3GA5EKHqMdIV+VBjl8k1uEffwn55Hz
   h7lqzW039NOQ/WyEJbmZWg78l1CnW0dz8dD2ac/fWqpEmT3+pBsiJok+WxPKqv39
   s7La32r0XAANEUcA3m79ExjUtD6YfN3kls83zlZt7rgoI5jTVMSEdtaUctJ5/GkT
   +ruh1fX05FpB8/8oq8hPLAvf5nLZcVtEBHcgKuIeFwPmqChyqPFxnRC6PjbzPVBH
   ugfpbVP45xx284ej8IpXSSXnFtmPhAzPkzNSTfYK3NG5I34qTSaksvCQWkPJIhUd




Gillmor, et al.         Expires 2 September 2024              [Page 148]

Internet-Draft    Cryptographic MIME Header Protection        March 2024


B.3.16.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped
         Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9840 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6276 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2016 bytes
      └┬╴multipart/mixed 1911 bytes
       ├┬╴multipart/alternative 1128 bytes
       │├─╴text/plain 373 bytes
       │└─╴text/html 471 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <95b9bb39-c028-5ff4-99b1-f179cb5d7585@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:11:02 -0500

B.3.17.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9795 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6246 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 1941 bytes
      ├┬╴multipart/alternative 1132 bytes
      │├─╴text/plain 385 bytes
      │└─╴text/html 480 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <23abef5f-8781-5c95-a46c-61e3a4464d58@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:12:02 -0500


B.3.18.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy with a "Legacy Display" part.



   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10380 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6676 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2248 bytes
      ├┬╴multipart/alternative 1425 bytes
      │├─╴text/plain 482 bytes
      │└─╴text/html 634 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <9cfcaae2-9fec-5aca-9a29-c98da35b262d@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:13:02 -0500


B.3.19.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Wrapped Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_minimal Header
   Confidentiality Policy.



   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9970 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6366 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2082 bytes
      └┬╴multipart/mixed 1977 bytes
       ├┬╴multipart/alternative 1144 bytes
       │├─╴text/plain 381 bytes
       │└─╴text/html 479 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-wrapped-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:14:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>
   References:
    <smime-enc-signed-complex-wrapped-minimal@lhp.example>


B.3.20.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9925 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6342 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2009 bytes
      ├┬╴multipart/alternative 1148 bytes
      │├─╴text/plain 393 bytes
      │└─╴text/html 488 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal-reply@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:15:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
    <smime-enc-signed-complex-injected-minimal@lhp.example>
   References:
    <smime-enc-signed-complex-injected-minimal@lhp.example>

   UNFtOX4IzMcaSTDxAjDbDCkem+z6QugMYQ55x2FEmMLGjP0QsBZp9ESbpfJmqWJS
   Ak7nYxqVtdJzFWSlG2btA13H5i6yynX335T7tlEm1cAtVcraXRijWOWz7ZoLtgZ0
   MzgK0bU8ViUqT1G3bmwP1qFyjM75X8AS2rx7olard3CV9l8zGppn9ljQHcW5LByi
   zYHKnN97GVhKnRExnsrTQIe6OrvtrkKtOoz0rPG0gSY=




Gillmor, et al.         Expires 2 September 2024              [Page 168]

Internet-Draft    Cryptographic MIME Header Protection        March 2024


B.3.21.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_minimal Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10510 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6766 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2314 bytes
      ├┬╴multipart/alternative 1435 bytes
      │├─╴text/plain 487 bytes
      │└─╴text/html 639 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
    <smime-enc-signed-complex-injected-minimal-lgc-rpl@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:16:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>
   References:
    <smime-enc-signed-complex-injected-minimal-legacy@lhp.example>


B.3.22.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Wrapped Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Wrapped Message header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10185 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6526 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2198 bytes
      └┬╴multipart/mixed 2093 bytes
       ├┬╴multipart/alternative 1140 bytes
       │├─╴text/plain 379 bytes
       │└─╴text/html 477 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <38a0b7ba-76e0-5351-93e9-f44877e20e6e@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:17:02 -0500


B.3.23.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10140 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6502 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2125 bytes
      ├┬╴multipart/alternative 1144 bytes
      │├─╴text/plain 391 bytes
      │└─╴text/html 486 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <c6774fdb-3ef5-5293-ab2d-eca8b66b4bbf@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:18:02 -0500

   6PETY9bQU+fOHEhMLKdMpkblLZiWTclv9PIoR4dwKnufsnncbZsgAPankJmBjP8p
   tHvDrctJvqYCZHSyTqT5IWgOAp3c8K/RxD9lwiFvCkEcA0uZBUqTLwZJ1bbKLxEM
   hLmtBn412q7ic+ud3zT5O2fAeuAw84tKKKbpT79jxiaz5EOATiBeEYmR6MNxux3u
   TDvBabBA6h6Sc6NbQB5QpU8knGmoGyJTm7nwNPsJtud7oQ0pjt//XIKAGE4xBLAT
   qB44uBhwJETObjkeWKqVV/Umnv/TYf7CZaKIA5udixJwglOLldPAXgNXRZVX2+2K
   ArZABmju+eEKLZGqF1LIXO/20BaIJUbpK+DSappBovKoTGdSTfr83OECfVuP0BNu
   +A2IkB74WzoVJm0orGRhzJZlJlC6X50Mqc0+RXTm2LBaa7kl8RfnUQpRrl4PPJ6Z
   JL93AmfFZgGLt9N8ITg657MHvt2rtZpTb8c4vBDsbg8kuDH/CMyZFt4CpG7TMhTC
   neVVRYNHwj/d7Kd+9T6UMly9LGMnJtP7yXPWu1dLGLv0qklwRQCfVN6ePHHLAW1O
   b4Or6tL2kURqCL0QkIVxmJx3Iypyq4mRSnWcZTJ16hvWVW9P6elXERXUSWf0GHRg
   9JNFAENt+p+x8rocnrV4+AOg952uhH96f++0szz6T0aM37SKfUfAvJV8XdtZwyVj
   a3LAh8vJzhfV0WfRv110UxIZUVP4qM1K+cTpj304bE0hi1gQL6+26s34Vrv836SG
   Gae+hYTGX1NFjReMi9r/X4YY9EDpKC5eETSnnZYSkP50163vDsVtTmZfkSXyT3vY
   7p1UaF6AvZTdhapMKCelEq0yMiOMNSIqXC3VX12bd4miHuP8Z6FgKIn8vtc2dNPc
   d+d3EA0+Gpt4L33lokogHAnEHokiiZkvWJHyw6UDunRmJ3p0AxR1zmgGbFGLeuYV
   BTPlXlyYHRHuWI+TVL+QVc6c77Q5QRvX6RVLxeqSW+drnkHCtGX4eWz082xy6lS+
   SBoOxt2JVPYvyiCA5cTkALyVhlbak9dHMPVeO4U1f45c8mApm6xPT20l87vnVBxd
   gWwPxVaC90X1qXvaTvowO8yvgLQPE0+eISkRCm3X26Wfyck8W6HsMrUEl8Boa25H
   /Txq2TdRTjkIkaE8ek2YOMdv+JFnkxbgUEijJjRt5rYDzD8M7yTePkrq80chx2WX
   0qUjD5dUkXYXsGAB0CyoE7RRwsHuzc39c3NMuMzKm6zBY2Q8jcC9N4ANzS22iq95
   1nhN5/7dUkByuRMpXNqhKmkP6AA7h9H7YNeG8hdlmRB+3BeFIdezv9tlPGs/mtdZ
   lmsI7yfIPDTXF/7gF5KpcwAhWQ9uMySeTHBZwrLP8mNoTcoH/0r7PRGUOR5Uvf9A
   5GnEH4BhgnMKf4MB/TbhkNMoCB1Jh2NFiQ+HlnJRxRoXXjZdIQj7wF7evcwHIZxE
   I/BSUSCrLeYOsO8QnOLOHbfiJZMlthyqFJC2Hc22zmeIu7wNRMAlyQZMv/0z8qAk
   Wd1MTpT2jFBn/uVFwuEBv6vbKC9Dm9NADBS9xg0P39FmhYtzCmrWuG/gQ+JP9RIe
   vuw9wwjqxH+VEUwSxNtSAOFPyHlm2ggWSQuTBRFflSfj95PUMn6kgNFwaIxzLpow
   quFfqhz5HIzdjLlAYFOzl+MepHXGGNm/H8UMAV8tO1MjBIUqbVjbGSkF1p2oSVqT
   +9q928fB8cDHy8rSFVUjEMiJT9uEQHBr7Xk3d2gOHBJA2iivjxcYe2yWa5qJZ1WB
   ObKTXaLVbLvHac5XdX1vNtzzF+qo5C5UGRng93IIbFYxw6V1kF6kQYJMusgceMLN
   9aWDHsuVtdQR+mNP9FOKktTQ3GzYM/szBDi+ZaPmkswmnvA80Q4Qbrxp//TZFLKd
   HlTiqPTk4XgQwS7k4K4kv16K7Fn9snqqUBq9ODaxrEfvH8JS6pvuIvf+wvU0ID9H
   23jaZ4wj1CkmzWj11G/jWBHiMhaXc8lvS6C6lOKyvVFoiJWOvSdhqM2jgm2TYBSS
   NI6hVgLpAQvFNgZuKopRgHJt/OQXfQBCUA0ijEBxBJ1ZDzk4xSxo5bsw+85W7Zz7



Gillmor, et al.         Expires 2 September 2024              [Page 179]

Internet-Draft    Cryptographic MIME Header Protection        March 2024


   vzePF0LmT7Cy/qkGQW+RO4ID96w8Lq3+qX0aAi5oPwvA7G7Jtp+BhPucvehn3z5r
   bl/aMEcoIgTd49gpcYZLqDPaD0SsOYBicShs/CtwqdoYDgwkzi1WfQK3KIrsJxPd
   Us2VG1us7Els0zQKz0pJuFUzlxdyz0339tuh04Kc39DNPzv1acwkPHMVsYHjOqmD
   zeWxpxHpiVJYX1V/CEHaOCtQHu79WJZDHDWaiaXopVp9V96toArzz9nZffM+pSJL
   Gqv6P0DZbGxecnSXqQNw8nucoEK6pXSoofCpCCqWFo+xi29Mv3gA982UDEDubW7D
   zpc6b3luSYEw13p7VMqWsbWsitzjt9MBq9g354SWnTMoF5yabvRoZa4gj2j3Of8Z
   9pEkpEgHO2cQHEgrHvpFuAiNHk2qBmFiIp0/MUIeUOXVsrD9mUzoTe2W9YYeIAu9
   4yE1cT1apMhOoFGurW35lkxbRlGQ4zy+osgikbuK3kAsk0HHkibRR/sXLMrHgy9Z
   gdi3Kw2aU4nyzzMqueoK3rtC5u1IEfHMsRU1E76Q6TfS1gcITGDXwZJ1T9z3pfa5
   lBet5lV9MCBpOpQkvxGt0OKvmVcqdXVSz1ZF3j15qkyz20pn7uyUWrl6r4ppqIPk
   KMkiOzlCKIIWfnnA3dDiF8a6otgX+bYGgBwxOoZ8GIzIhqLkrJNvF5ufeZGaGSCo
   iNT24WGBcnKJot6Zrr2K4mo/eNuvTrYv4dZt/rmWBUdEyug9VK0fiSGfYED9hUDA
   uxGpRXxIU1Fq5w0HlH1tNH4mzQRIIMdS9nw3xCbvPDIwOlodalk6KDXF2fy6Emgt
   xSCLb8AlWS8/S0VtaDornyN1ApTvXWX/tDSUa10swZpJBNB35vrYh8NOcK49j7Kb
   ldEnsuzSROZX7hPZvwc9z9jS8IqNuX0nPr0mNLi1gpxPOuW3UMDNr6gKBZnKqcGo
   HnWDll2Air849gN1EAXcGcORuWb4O5dOhu61csSvYKvaEj4Mct76vDaeFECb5Pzj
   yUQ4Z2UFpp/KsnP3B2CE1zdxu1AstDRdO/x2dcDWLJjUy3c2wM+U9nvHvbxTnM12
   gx5UVlM21UHeM4kiwAhYKjOMsnpx/HnNk8kqP50OBlWwusS3JTr76tzBtzQfocqW
   HEOMvMy35x2Bh1ql1PRTSh9c3mgSpXIPut0l4xvNBtVKh5GG3rTZf44qJkMbwy3d
   C36hOWWkV/z7y5e0xERArT1CsFP+uDdGny3XGUPi0yj7jz/XFy3UnxzsKGVQPaO1
   E90Ezi8eMNRtx/gBy0s9KwgUvam+3dG525ylGvbio2mrgLuTI2CKZiQBoTICXkP7
   /A1RGp9W4wI23/Xt3hDW0XuBgvoJb6UxlNabXMBoV8MQF/KfWVJ7nnhqQDrRujuo
   ya9Id5L57bLdP4SEHCWLvPERMDzRk9wpeVgivKN29Q2hhAU5RCgO9KjXWd1moJku
   4FAlTZErCqfkIHdLTN5GKeL+kYFIfUV8CVlr6D6MVwpN5QGzX2Y/+iat7iS4C4dY
   MZlHqMwkBRdxyjBBDYBiXGILjhgMGQ8HyzV/sJSYv3pDS4WfqhTW3mSNqQ5OcVz/
   3uGZeNe6ZkbE9EyGe/rRVCiBT5HkCpabG1l8Bj8MO+Rl9CM7ddVvO23WbaKt+Vw1
   f+yzK+LAELR3XfAfqJPo7nK1UE2/QOLFDw0W4/uPbb61lRkp3lMW9NRznAQsUAuT
   HgLQT7Q9hn23wBTiQwiBS3kej4Gi6wVW2Cj4o/8EPR0qn6ne6nhGhgcYHpkw1Uz6
   Ql9vjLyUFKjEOo0NWOu6pgyDcfW4uGNzvsdxcnvRQ4+qVyHeXLEM5d2EhAw+TzW9
   vWDpgYTTa/ZIILvJv3f4iKNZYs5PeUJWLX1IPQbrPPKFevufJk3ld8K8QRuxtNvx
   aKp+scqFC36GXvCrGsRlHVaawBCGkCL6DYZVTDtaWIwztIvCXu0zOR9D6hnsbmFn
   t15MSUwr2B8GWm1I0yVgxp9U0tF4uTDUfo9BLnPpJ+2QYjUEPXvlBqjEaw3iQsBK
   h6XPNfRJqrRXJCbpCwZSiqSMKPgh88PB3F5Hjr6//UgVY4ZlwfYLSUgyZFIKBmKZ
   8LAdeMKui2WTsIlHMlTv+yWcbf/6m1F6qx9Rbl11Q7OxGAP18JkfVBdNuFqu1iLm
   ir9x10Y+8j/GcaYOEwC/CHxduAqprr03sEz45oM0kSD8ZfhbHfuYH/QrbEdZQd87
   FkCzNVdV3ZjGiaOI4o/0CpmBfhU5xN5G4tXY9cCfIXEpkqvO3/guoOlkbNWBHJJU
   WGLKvluSpoa6C9bfnaS9xr4YZjolD1W9odFC9uE6aHyMNFKTt71YT2sTMbVG9Ylo
   BWKv+DQAcai6BECVv1bvy9UyhicbzGLFXRmFS+/pGSi6h40eF7uEkUivmlZYnN/B
   yKL3yEqV7CqpUYrBmAC5RLj0pgWsBER6B9wf5gfRL8LMZp3lO6g/w3yjgH434L9H
   Su/VZmVjrCzZIOxE/ZG1GGMUc61+Z3D/9lQMeVdWs94YhoFT4nn5SREDVa4+4YWw
   sUokqK5i6los9mYlu/SJPxnwdCZxk/GyRRqH6Kk7IW2iWVXO8DEn2+n5szNLhv2E
   7OazywsBB9jEH+CfJk1mgC2gL7RbN4TDguMZvNGmtK3y50or3wRDMsCBX2iWG4r2
   9HYAChFcmbEWlCL3A3y5MGIFTrrfIYmKAWB8foM6hhWWFVVTTIxPqlvSZ6QXz0MA
   VA7VL5TVxltJotzLAbCKoYSRVmtJSEhsxTXHcWPX8YUpZvop0/dWsY6uJBkaadjv
   Xdp6MyF0WPqs3TYKFjZCHueaP8vq46vr6jP15h3tpxi5Jj+TWgqbOGmmn7reJKvx
   xNFpPHjydvLC3FbHoda/sE+cbjDup/bbjsUdZIVGulg67sMZc0Xk+eIIw3RIzcso
   f+c0AJz+6bGZ/k8xryPcGO1pud37J6F0nJZH9TrEAsjFJQtVmZoYbHDsZq0MVHw0
   J0YksygeZn0aYHVA3gxfVcG2PbQpeXfnZyUsQtfjZOoEH9Wh1vh6bSFs+5TFbIUC



Gillmor, et al.         Expires 2 September 2024              [Page 180]

Internet-Draft    Cryptographic MIME Header Protection        March 2024


   Twxyn5ssf2yjxTrI+kCxlRfIe7r5/etsBUjQzpKju5VlXcg5msTqO2xj0QFKyjyZ
   wci7X/lzVJvf6T/v//ItTWzmUFEJ+Bux0vo1jqdxlsgg1wPyAEgKBoXVM4E4OJCL
   vjC3vLlb8Yl134JcymIrLk1D8etIJdhNMsoil6oy7yFtyxmqHjJ+9EqbJRhef1au
   JWP7++n1NNtheB5YoLlGoRfgxA8pIpDrFlUxdYKN3mBX+IdaTk4f+gXoNpTXbtRD

B.3.24.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a multipart/
   alternative message with an inline image/png attachment.  It uses the
   Injected Headers header protection scheme with the hcp_strong Header
   Confidentiality Policy with a "Legacy Display" part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10790 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6968 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2460 bytes
      ├┬╴multipart/alternative 1449 bytes
      │├─╴text/plain 494 bytes
      │└─╴text/html 646 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <acced3c9-111b-5a4f-bd80-34558da32b4d@lhp.example>
   From: Alice <alice@smime.example>
   To: Bob <bob@smime.example>
   Date: Sat, 20 Feb 2021 12:19:02 -0500


Appendix C.  Composition Examples

   This section offers step-by-step examples of message composition.

C.1.  New message composition

   A typical MUA composition interface offers the user a place to
   indicate the message recipients, the subject, and the body.  Consider
   a composition window filled out by the user like so:

    .------------------------------------------------------.
   |                 Composing New Message          .----.  |
   |          +---------------------------------+  | Send | |
   |      To: | Alice <alice@example.net>       |   '----'  |
   |          +---------------------------------+---------+ |
   | Subject: | Handling the Jones contract               | |
   |          +-------------------------------------------+ |
   +--------------------------------------------------------+
   | Please review and approve or decline by Thursday, it's |
   | critical!                                              |
   |                                                        |
   | Thanks,                                                |
   | Bob                                                    |
   |                                                        |
   | --                                                     |
   | Bob Gonzalez                                           |
   | ACME, Inc.                                             |
   |                                                        |
   +--------------------------------------------------------+

              Figure 1: Example Message Composition Interface

   When Bob clicks "Send", his MUA generates values for Message-ID,
   From, and Date Header Fields, and converts the message body into the
   appropriate format.

C.1.1.  Unprotected message

   The resulting message would look something like this if it was sent
   without cryptographic protections:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob <bob@example.net>
   To: Alice <alice@example.net>
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

C.1.2.  Encrypted with hcp_minimal and Legacy Display

   Now consider the message to be generated if it is to be
   cryptographically signed and encrypted, using HCP hcp_minimal, and
   the legacy variable is set.

   For each Header Field, Bob's MUA passes its name and value through
   hcp_minimal.  This returns the same value for every Header Field,
   except that:

   hcp_minimal("Subject", "Handling the Jones contract") yields "[...]".

C.1.2.1.  Cryptographic Payload

   The Cryptographic Payload that will be signed and then encrypted is
   very similar to the unprotected message in Appendix C.1.1.  Note the
   addition of:

   *  the protected-headers="v1" parameter for the Content-Type

   *  the appropriate HP-Obscured header for Subject

   *  the hp-legacy-display="1" parameter for the Content-Type

   *  the Legacy Display Element (the simple pseudo-header and its
      trailing newline) in the Main Body Part.

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob <bob@example.net>
   To: Alice <alice@example.net>
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
    protected-headers="v1"
   MIME-Version: 1.0
   HP-Obscured: Subject: [...]

   Subject: Handling the Jones contract

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

C.1.2.2.  External Header Section

   The Cryptographic Payload from Appendix C.1.2.1 is then wrapped in
   the appropriate Cryptographic Layers.  For this example, using S/
   MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed-
   data" layer, which is in turn wrapped in an application/pkcs7-mime;
   smime-type="enveloped-data" layer.

   Then an external Header Section is applied to the outer MIME object,
   which looks like this:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob <bob@example.net>
   To: Alice <alice@example.net>
   Subject: [...]
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   MIME-Version: 1.0

   Note that the Subject Header Field has been obscured appropriately by
   hcp_minimal.  The output of the CMS enveloping operation is
   base64-encoded and forms the body of the message.
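
   The header handling of Appendix C.1.2, as an added Python example
   (not code from this draft or from any MUA): it runs each Header Field
   through an HCP, builds the Cryptographic Payload with its HP-Obscured
   field and Legacy Display Element, and produces the external Header
   Section.  The name compose, the unfolded Content-Type line and the
   text/plain-only handling are assumptions of the example; no CMS
   signing or encryption is performed.

```python
# Added example: header handling only. No CMS signing or encryption happens here.

def hcp_minimal(name, value):
    """HCP used in C.1.2: obscure Subject, pass every other field through."""
    return "[...]" if name.lower() == "subject" else value


def hcp_null(name, value):
    """HCP that leaves every Header Field untouched."""
    return value


def compose(fields, body, hcp, legacy=True):
    """Return (payload_text, outer_fields) for a text/plain message.

    fields is the ordered list of (name, value) pairs the MUA generated.
    Assumption of this example: every field the HCP changes is shown in the
    Legacy Display Element, which holds for Subject.
    """
    outer, changed = [], []
    for name, value in fields:
        shown = hcp(name, value)          # value visible outside the encryption
        outer.append((name, shown))
        if shown != value:
            changed.append((name, value, shown))

    # The payload's Content-Type carries the header-protection markers.
    use_legacy = legacy and bool(changed)
    ctype = 'text/plain; charset="us-ascii"'
    if use_legacy:
        ctype += '; hp-legacy-display="1"'
    ctype += '; protected-headers="v1"'

    inner = list(fields) + [("Content-Type", ctype), ("MIME-Version", "1.0")]
    # One HP-Obscured field per changed field records what the outside shows.
    inner += [("HP-Obscured", f"{n}: {shown}") for n, _, shown in changed]

    if use_legacy:
        # Legacy Display Element: pseudo-header lines and a trailing newline,
        # so a legacy client still renders the real values inside the body.
        pseudo = "".join(f"{n}: {orig}\n" for n, orig, _ in changed)
        body = pseudo + "\n" + body

    payload = "".join(f"{n}: {v}\n" for n, v in inner) + "\n" + body

    # External Header Section for the S/MIME enveloped-data wrapper.
    outer += [
        ("Content-Transfer-Encoding", "base64"),
        ("Content-Type",
         'application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"'),
        ("MIME-Version", "1.0"),
    ]
    return payload, outer


# Bob's message, copied from Appendix C.1.1.
BOB_FIELDS = [
    ("Date", "Wed, 11 Jan 2023 16:08:43 -0500"),
    ("From", "Bob <bob@example.net>"),
    ("To", "Alice <alice@example.net>"),
    ("Subject", "Handling the Jones contract"),
    ("Message-ID", "<20230111T210843Z.1234@lhp.example>"),
]
BOB_BODY = (
    "Please review and approve or decline by Thursday, it's critical!\n"
    "\nThanks,\nBob\n\n--\nBob Gonzalez\nACME, Inc.\n"
)

if __name__ == "__main__":
    payload, outer = compose(BOB_FIELDS, BOB_BODY, hcp_minimal)
    print(payload)
    print("".join(f"{n}: {v}\n" for n, v in outer))
```
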






C.2.  Composing a Reply

   Next we consider a typical MUA reply interface, where we see Alice
   replying to Bob's message from Appendix C.1.

   When Alice clicks "Reply" to Bob's signed-and-encrypted message with
   Header Protection, she might see something like this:

    .--------------------------------------------------------.
   |  Replying to Bob ("Handling the Jones Contract") .----.  |
   |          +-----------------------------------+  | Send | |
   |      To: | Bob <bob@example.net>             |   '----'  |
   |          +-----------------------------------+---------+ |
   | Subject: | Re: Handling the Jones contract             | |
   |          +---------------------------------------------+ |
   +----------------------------------------------------------+
   | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:           |
   |                                                          |
   | > Please review and approve or decline by Thursday,      |
   | > it's critical!                                         |
   | >                                                        |
   | > Thanks,                                                |
   | > Bob                                                    |
   | >                                                        |
   | > --                                                     |
   | > Bob Gonzalez                                           |
   | > ACME, Inc.                                             |
   |                                                          |
   | --                                                       |
   | Alice Jenkins                                            |
   | ACME, Inc.                                               |
   |                                                          |
   +----------------------------------------------------------+

            Figure 2: Example Message Reply Interface (unedited)

   Note that because Alice's MUA is aware of Header Protection, it knows
   what the correct Subject header is, even though it was obscured.  It
   also knows to avoid including the Legacy Display Element in the
   quoted/attributed text that it includes in the draft reply.

   Once Alice has edited the reply message, it might look something like
   this:

    .--------------------------------------------------------.
   |  Replying to Bob ("Handling the Jones Contract") .----.  |
   |          +-----------------------------------+  | Send | |
   |      To: | Bob <bob@example.net>             |   '----'  |
   |          +-----------------------------------+---------+ |
   | Subject: | Re: Handling the Jones contract             | |
   |          +---------------------------------------------+ |
   +----------------------------------------------------------+
   | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:           |
   |                                                          |
   | > Please review and approve or decline by Thursday,      |
   | > it's critical!                                         |
   |                                                          |
   | I'll get right on it, Bob!                               |
   |                                                          |
   | Regards,                                                 |
   | Alice                                                    |
   |                                                          |
   | --                                                       |
   | Alice Jenkins                                            |
   | ACME, Inc.                                               |
   |                                                          |
   +----------------------------------------------------------+

             Figure 3: Example Message Reply Interface (edited)

   When Alice clicks "Send", the MUA generates values for Message-ID,
   From, and Date Header Fields, populates the In-Reply-To and
   References Header Fields, and also converts the reply body into the
   appropriate format.

C.2.1.  Unprotected message

   The resulting message would look something like this if it were to be
   sent without any cryptographic protections:

   Date: Wed, 11 Jan 2023 16:48:22 -0500
   From: Alice <alice@example.net>
   To: Bob <bob@example.net>
   Subject: Re: Handling the Jones contract
   Message-ID: <20230111T214822Z.5678@lhp.example>
   In-Reply-To: <20230111T210843Z.1234@lhp.example>
   References: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0

   On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

   > Please review and approve or decline by Thursday,
   > it's critical!

   I'll get right on it, Bob!

   Regards,
   Alice

   --
   Alice Jenkins
   ACME, Inc.

   Of course, this would leak not only the contents of Alice's message,
   but also the contents of Bob's initial message, as well as the
   Subject Header Field!  So Alice's MUA won't do that; it is going to
   create a signed-and-encrypted message to submit to the network.

C.2.2.  Encrypted with hcp_null and Legacy Display

   This example assumes that Alice's MUA uses hcp_null, not hcp_minimal.
   That is, by default, it does not obscure or remove any Header Fields,
   even when encrypting.

   However, it follows the guidance in Section 2.5.8.1, and will make
   use of the HP-Obscured field in the Cryptographic Payload of Bob's
   original message (Appendix C.1.2.1) to determine what to obscure.

   When crafting the Cryptographic Payload, its baseline HCP (hcp_null)
   leaves each field untouched.  But it also knows that In-Reply-To,
   References, To, and Subject are all derived from Header Fields in
   Bob's original message.

   For each of these Header Fields, it observes whether the origin
   Header Field was signed-and-encrypted or merely signed in Bob's
   original message.

   In-Reply-To and References derive from Bob's original message's
   Message-ID field, which was merely signed.  The To Header Field is
   derived from Bob's original message's From field, which was also
   merely signed.  So these three Header Fields are passed through
   untouched.

   But the Subject Header Field is derived from Bob's original message's
   Subject field (by prefixing Re: to it), and that Header Field is
   signed-and-encrypted, which the MUA can tell because of the
   HP-Obscured: Subject entry in the Cryptographic Payload of Bob's
   message.

   So Alice's MUA generates a new external Subject header by applying
   its derivation rules to the HP-Obscured: Subject value from Bob's
   message, yielding the value Re: [...].

C.2.2.1.  Cryptographic Payload

   Consequently, the Cryptographic Payload for Alice's reply looks like
   this:

   Date: Wed, 11 Jan 2023 16:48:22 -0500
   From: Alice <alice@example.net>
   To: Bob <bob@example.net>
   Subject: Re: Handling the Jones contract
   Message-ID: <20230111T214822Z.5678@lhp.example>
   In-Reply-To: <20230111T210843Z.1234@lhp.example>
   References: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
    protected-headers="v1"
   MIME-Version: 1.0
   HP-Obscured: Subject: Re: [...]

   Subject: Re: Handling the Jones contract

   On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

   > Please review and approve or decline by Thursday,
   > it's critical!

   I'll get right on it, Bob!

   Regards,
   Alice

   --
   Alice Jenkins
   ACME, Inc.

   Note the following features:

   *  the protected-headers="v1" parameter to Content-Type,

   *  the appropriate HP-Obscured header for Subject,

   *  the hp-legacy-display="1" parameter for the Content-Type, and

   *  the Legacy Display Element (the simple pseudo-header and its
      trailing newline) in the Main Body Part.

C.2.2.2.  External Header Section

   The Cryptographic Payload from Appendix C.2.2.1 is then wrapped in
   the appropriate Cryptographic Layers.  For this example, using
   S/MIME, it is wrapped in an application/pkcs7-mime;
   smime-type="signed-data" layer, which is in turn wrapped in an
   application/pkcs7-mime; smime-type="enveloped-data" layer.

   Then an external Header Section is applied to the outer MIME object,
   which looks like this:

   Date: Wed, 11 Jan 2023 16:48:22 -0500
   From: Alice <alice@example.net>
   To: Bob <bob@example.net>
   Subject: Re: [...]
   Message-ID: <20230111T214822Z.5678@lhp.example>
   In-Reply-To: <20230111T210843Z.1234@lhp.example>
   References: <20230111T210843Z.1234@lhp.example>
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   MIME-Version: 1.0

   Note that the Subject Header Field has been obscured appropriately
   even though hcp_null would not have touched it by default.  The
   output of the CMS enveloping operation is base64-encoded and forms
   the body of the message.
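
   The reply handling walked through in Appendix C.2.2 can be sketched
   as follows.  This is an added example, not code from the draft: the
   names BOB_PAYLOAD, DERIVED, obscured_values and reply_headers are
   hypothetical, Bob's header section is a constructed stand-in built
   from the values visible in Alice's reply, and only HP-Obscured with
   an hcp_null baseline is handled (Date and Message-ID generation and
   HP-Removed are left out).

```python
from email import message_from_string
from email.policy import default

# Constructed stand-in for the header section of Bob's decrypted
# Cryptographic Payload; values are taken from Alice's reply shown above.
BOB_PAYLOAD = """\
From: Bob <bob@example.net>
To: Alice <alice@example.net>
Subject: Handling the Jones contract
Message-ID: <20230111T210843Z.1234@lhp.example>
HP-Obscured: Subject: [...]

"""

# Reply field -> (origin field in the original message, derivation rule)
DERIVED = {
    "To": ("From", str),
    "Subject": ("Subject", lambda s: "Re: " + s),
    "In-Reply-To": ("Message-ID", str),
    "References": ("Message-ID", str),
}

def obscured_values(original):
    """Map lower-cased field name -> value recorded in HP-Obscured fields."""
    found = {}
    for entry in original.get_all("HP-Obscured", []):
        name, _, value = str(entry).partition(":")
        found[name.strip().lower()] = value.strip()
    return found

def reply_headers(raw_original, sender):
    """Return (protected, outer, hp_obscured) for a reply under hcp_null."""
    original = message_from_string(raw_original, policy=default)
    obscured = obscured_values(original)
    protected, outer, hp_obscured = {"From": sender}, {"From": sender}, []
    for field, (origin, derive) in DERIVED.items():
        protected[field] = derive(str(original[origin]))
        if origin.lower() in obscured:
            # Origin was signed-and-encrypted: derive the outer value from
            # the obscured form so the reply does not leak it.
            outer[field] = derive(obscured[origin.lower()])
            hp_obscured.append(f"{field}: {outer[field]}")
        else:
            # Origin was merely signed: hcp_null passes the field through.
            outer[field] = protected[field]
    return protected, outer, hp_obscured

if __name__ == "__main__":
    for part in reply_headers(BOB_PAYLOAD, "Alice <alice@example.net>"):
        print(part)
```

   The three results correspond to the protected Header Fields of
   Appendix C.2.2.1, the external Header Section of Appendix C.2.2.2,
   and the HP-Obscured entry placed in the Cryptographic Payload.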

Appendix D.  Rendering Examples

   This section offers example Cryptographic Payloads (the content
   within the Cryptographic Envelope) that contain Legacy Display
   Elements.

D.1.  Example text/plain Cryptographic Payload with Legacy Display
      Elements

   Here is a simple one-part Cryptographic Payload (Header Section and
   body) of a message that includes Legacy Display Elements:

   Date: Fri, 21 Jan 2022 20:40:48 -0500
   From: Alice <alice@example.net>
   To: Bob <bob@example.net>
   Subject: Dinner plans
   Message-ID: <text-plain-legacy-display@lhp.example>
   MIME-Version: 1.0
   Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
    protected-headers="v1"

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

   A compatible MUA will recognize the hp-legacy-display="1" parameter
   and render the body of the message as:

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

   A legacy decryption-capable MUA that is unaware of this mechanism
   will ignore the hp-legacy-display="1" parameter and instead render
   the body including the Legacy Display Elements:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

D.2.  Example text/html Cryptographic Payload with Legacy Display
      Elements

   Here is a modern one-part Cryptographic Payload (Header Section and
   body) of a message that includes Legacy Display Elements:

   Date: Fri, 21 Jan 2022 20:40:48 -0500
   From: Alice <alice@example.net>
   To: Bob <bob@example.net>
   Subject: Dinner plans
   Message-ID: <text-html-legacy-display@lhp.example>
   MIME-Version: 1.0
   Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1";
    protected-headers="v1"

   <html><head><title></title></head><body>
   <div class="header-protection-legacy-display">
   <pre>Subject: Dinner plans</pre>
   </div>
   <p>
   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.
   </p>
   </body>
   </html>

   A compatible MUA will recognize the hp-legacy-display="1" parameter
   and mask out the Legacy Display div, rendering the body of the
   message as a simple paragraph:

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

   A legacy decryption-capable MUA that is unaware of this mechanism
   will ignore the hp-legacy-display="1" parameter and instead render
   the body including the Legacy Display Elements:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.
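
   The rendering behaviour of a compatible MUA for the D.1 and D.2
   payloads can be sketched as follows.  This is an added example, not
   code from the draft: LegacyDivFilter and render_body are hypothetical
   names, SAMPLE is a constructed abbreviation of the D.1 payload, and
   as a simplification the HTML filter drops any div carrying the
   Legacy Display class wherever it appears in the document.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

LDE_CLASS = "header-protection-legacy-display"

class LegacyDivFilter(HTMLParser):
    """Re-emit HTML, dropping every element inside the Legacy Display div."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.depth = [], 0        # depth > 0: inside the dropped div
    def emit(self, text):
        if not self.depth:
            self.out.append(text)
    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if self.depth or (tag == "div" and LDE_CLASS in classes):
            self.depth += tag == "div"      # track nested divs until the close
        else:
            self.out.append(self.get_starttag_text())
    def handle_startendtag(self, tag, attrs):
        self.emit(self.get_starttag_text())
    def handle_endtag(self, tag):
        self.emit(f"</{tag}>")
        if self.depth and tag == "div":
            self.depth -= 1
    def handle_data(self, data):
        self.emit(data)
    def handle_entityref(self, name):
        self.emit(f"&{name};")
    def handle_charref(self, name):
        self.emit(f"&#{name};")

def render_body(raw_payload):
    """Return the body a header-protection-aware MUA would display."""
    part = message_from_string(raw_payload, policy=default)
    body = part.get_content()
    if part.get_param("hp-legacy-display") != "1":
        return body                          # nothing signalled: leave as-is
    if part.get_content_type() == "text/plain":
        # Drop the pseudo-header lines up to and including the first blank line.
        _, sep, rest = body.partition("\n\n")
        return rest if sep else body
    if part.get_content_type() == "text/html":
        html_filter = LegacyDivFilter()
        html_filter.feed(body)
        html_filter.close()
        return "".join(html_filter.out)
    return body

# Constructed sample, abbreviated from the D.1 payload above
SAMPLE = ('Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";\n'
          ' protected-headers="v1"\n\nSubject: Dinner plans\n\nLet\'s meet at 8pm.\n')
print(render_body(SAMPLE), end="")
```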

Appendix E.  Other Header Protection Schemes

   Other Header Protection schemes have been proposed in the past.
   However, those typically have drawbacks such as sparse
   implementation, known problems with legacy interoperability (in
   particular with rendering), lack of clear signalling of sender
   intent, and/or incomplete cryptographic protections.  This section
   lists such schemes known at the time of the publication of this
   document out of historical interest.

E.1.  Original RFC 8551 Header Protection

   S/MIME [RFC8551] (as well as its predecessors [RFC5751] and
   [RFC3851]) defined a form of cryptographic Header Protection that is
   similar to the "Wrapped Message" scheme specified in this document.
   In fact, the scheme originally defined in S/MIME is a subset of the
   "Wrapped Message" scheme specified in this document.  The differences
   between the original and the updated scheme are outlined in
   Section 2.2.

E.2.  Pretty Easy Privacy (pEp)

   The pEp (pretty Easy privacy) [I-D.pep-general] project specifies two
   different MIME schemes that include Header Protection for
   Signed-and-Encrypted e-mail messages in [I-D.pep-email]: One scheme
   -- referred to as pEp Email Format 1 (PEF-1) -- is generated towards
   MUAs not known to be pEp-capable, while the other scheme -- referred
   to as PEF-2 -- is used between MUAs discovered to be compatible with
   pEp.  Signed-only messages are not recommended in pEp.

E.3.  "draft-autocrypt" Protected Headers

   [I-D.autocrypt-lamps-protected-headers] describes a scheme similar to
   the "Injected Headers" scheme specified in this document.  However,
   instead of adding Legacy Display Elements to existing MIME parts (cf.
   Section 2.3.4.1), "draft-autocrypt" injects a new MIME element
   "Legacy Display Part", thus modifying the MIME structure of the
   Cryptographic Payload.

Appendix F.  Document Changelog

   [[ RFC Editor: This section is to be removed before publication ]]

   *  draft-ietf-lamps-header-protection-20

      -  clarify IANA guidance about registration policy and designated
         expert review

      -  emphasize that Content-Type parameter hp-legacy-display=1
         belongs on all main body parts with a legacy display element

      -  clean up/normalize pseudocode variable names and text (no
         algorithm changes)

   *  draft-ietf-lamps-header-protection-19

      -  improve text, capitalize defined terms, fix typos

      -  Clean up from AD review:

      -  updates RFC 8551 explicitly

      -  add "Legacy Signed Message" and "Ordinary User" explicitly to
         terms

      -  tighten up SHOULDs/MUSTs for conformant MUAs

      -  expand references to other relevant Security Considerations

      -  drop nudge about non-existent Content-Type Parameters registry

      -  clarify IANA notes to align with table columns

      -  explicitly request HCP registry

      -  add references to other header protections schemes, but move
         all of them to appendix

   *  draft-ietf-lamps-header-protection-18

      -  only allow US-ASCII as modified output of HCP, adjusted ABNF to
         match

   *  draft-ietf-lamps-header-protection-17

      -  More edits from WGLC:

      -  clean up definition of "Header Field"

      -  note leakage of encrypted recipient hints

      -  clarify explanation of LDE generation

      -  clarify how some obscured headers might not actually be private

   *  draft-ietf-lamps-header-protection-16

      -  correct variable names in message composition algorithms

      -  make text more readable

   *  draft-ietf-lamps-header-protection-15

      -  include clarifications, typos, etc from comments received
         during WGLC

   *  draft-ietf-lamps-header-protection-14

      -  provide section references for
         draft-ietf-lamps-e2e-mail-guidance

      -  encourage a future IANA named HCP registry if HCP development
         takes off

   *  draft-ietf-lamps-header-protection-13

      -  Retitle from "Header Protection for S/MIME" to "Header
         Protection for Cryptographically Protected E-mail"

   *  draft-ietf-lamps-header-protection-12

      -  MUST produce HP-Obscured and HP-Removed when generating
         encrypted messages with non-null HCP

      -  Wrapped Message: move from forwarded=no to
         protected-headers=wrapped

      -  Wrapped Message: recommend Content-Disposition: inline

   *  draft-ietf-lamps-header-protection-11

      -  Remove most of the Bcc text (transferred general discussion to
         e2e-mail-guidance)

      -  Fix bug in algorithm for generating HP-Obscured and HP-Removed

      -  More detail about handling Reply messages

      -  Considerations around handling risky Legacy Display Elements

      -  Narrative descriptions of some worked examples

      -  Describe potential leaks to recipients

      -  Clarify debugging/troubleshooting UX affordances

   *  draft-ietf-lamps-header-protection-10

      -  Clarify that HCP doesn't apply to Structural Header Fields

      -  Drop out-of-date "Open Issues" section

      -  Brief commentary on UI of messages with intermediate/mixed
         protections

      -  Deprecation prospects for messages without protected headers

      -  Describe generating replies to encrypted messages with stronger
         HCP

   *  draft-ietf-lamps-header-protection-09

      -  clarify terminology

      -  add privacy and security considerations

      -  clarify HCP examples and baselines

      -  recommend hcp_minimal as default HCP

      -  add HP-Obscured and HP-Removed (avoids reasoning about
         differences between outside and inside the Cryptographic
         Envelope)

      -  regenerated test vectors

   *  draft-ietf-lamps-header-protection-08

      -  MUST compose injected headers, MAY compose wrapped messages

      -  MUST parse both schemes

      -  cleanup and restructure document

   *  draft-ietf-lamps-header-protection-07

      -  move from legacy display MIME part to legacy display elements
         within main body part

   *  draft-ietf-lamps-header-protection-06

      -  document observed problems with legacy MUAs

      -  avoid duplicated outer Message-IDs in hcp_strong test vectors

   *  draft-ietf-lamps-header-protection-05

      -  fix multipart/signed wrapped test vectors

   *  draft-ietf-lamps-header-protection-04

      -  add test vectors

      -  add "problems with Injected Messages" subsection

   *  draft-ietf-lamps-header-protection-03

      -  dkg takes over from Bernie as primary author

      -  Add Usability section

      -  describe two distinct formats "Wrapped Message" and "Injected
         Headers"

      -  Introduce Header Confidentiality Policy model

      -  Overhaul message composition guidance

      -  Simplify document creation workflow, move public face to gitlab

   *  draft-ietf-lamps-header-protection-02

      -  editorial changes / improve language

   *  draft-ietf-lamps-header-protection-01

      -  Add DKG as co-author

      -  Partial Rewrite of Abstract and Introduction [HB/AM/DKG]

      -  Adding definitions for Cryptographic Layer, Cryptographic
         Payload, and Cryptographic Envelope (reference to
         [I-D.ietf-lamps-e2e-mail-guidance]) [DKG]

      -  Enhanced MITM Definition to include Machine- /
         Meddler-in-the-middle [HB]

      -  Relaxed definition of Original message, which may not be of
         type "message/rfc822" [HB]

      -  Move "memory hole" option to the Appendix (on request by Chair
         to only maintain one option in the specification) [HB]

      -  Updated Scope of Protection Levels according to WG discussion
         during IETF-108 [HB]

      -  Obfuscation recommendation only for Subject and Message-Id and
         distinguish between Encrypted and Unencrypted Messages [HB]

      -  Removed (commented out) Header Field Flow Figure (it appeared
         to be confusing as it was) [HB]



   *  draft-ietf-lamps-header-protection-00

      -  Initial version (text partially taken over from
         [I-D.ietf-lamps-header-protection-requirements])

Authors' Addresses

   Daniel Kahn Gillmor
   American Civil Liberties Union
   125 Broad St.
   New York, NY,  10004
   United States of America
   Email: dkg@fifthhorseman.net


   Bernie Hoeneisen
   pEp Project
   Oberer Graben 4
   CH- 8400 Winterthur
   Switzerland
   Email: bernie.hoeneisen@pep-project.org
   URI:   https://pep-project.org/


   Alexey Melnikov
   Isode Ltd
   14 Castle Mews
   Hampton, Middlesex
   TW12 2NP
   United Kingdom
   Email: alexey.melnikov@isode.com