LAMPS Working Group                                        D. K. Gillmor
Internet-Draft                            American Civil Liberties Union
Updates: 8551 (if approved)                                 B. Hoeneisen
Intended status: Standards Track                             pEp Project
Expires: 5 December 2024                                     A. Melnikov
                                                               Isode Ltd
                                                             3 June 2024


        Header Protection for Cryptographically Protected E-mail
                  draft-ietf-lamps-header-protection-21

Abstract

   S/MIME version 3.1 introduced a mechanism to provide end-to-end
   cryptographic protection of e-mail message headers.  However, few
   implementations generate messages using this mechanism, and several
   legacy implementations have revealed rendering or security issues
   when handling such a message.

   This document updates the S/MIME specification (RFC8551) to offer a
   different mechanism that provides the same cryptographic protections
   but with fewer downsides when handled by legacy clients.  The Header
   Protection schemes described here are also applicable to messages
   with PGP/MIME cryptographic protections.  Furthermore, this document
   offers more explicit guidance for clients when generating or
   handling e-mail messages with cryptographic protection of message
   headers.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://dkg.gitlab.io/lamps-header-protection/.  Status information
   for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-lamps-header-protection/.

   Discussion of this document takes place on the LAMPS Working Group
   mailing list (mailto:spasm@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spasm/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spasm/.

   Source for this draft and an issue tracker can be found at
   https://gitlab.com/dkg/lamps-header-protection.

Gillmor, et al.          Expires 5 December 2024                [Page 1]

Internet-Draft    Cryptographic MIME Header Protection         June 2024

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 December 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Two Schemes of Header Protection
     1.2.  Problems with Wrapped Messages
     1.3.  Problems with Injected Headers
     1.4.  Motivation
       1.4.1.  Backward Compatibility
       1.4.2.  Deliverability
     1.5.  Other Protocols to Protect E-Mail Header Fields
     1.6.  Applicability to PGP/MIME
     1.7.  Requirements Language
     1.8.  Terms
     1.9.  Document Scope
       1.9.1.  In Scope
       1.9.2.  Out of Scope
   2.  Specification
     2.1.  Injected Headers Scheme
     2.2.  Wrapped Message Scheme
     2.3.  Content-Type parameter: hp
     2.4.  Content-Type parameter: hp-scheme
     2.5.  Sending Side
       2.5.1.  Composing a Cryptographically Protected Message Without Header Protection
       2.5.2.  Header Confidentiality Policy
       2.5.3.  Definition of the HP-Outer Header Field
       2.5.4.  Extracting Protected and Unprotected ("Outer") Header Fields
       2.5.5.  Header Confidentiality for Referenced Encrypted Messages
       2.5.6.  Composing with "Injected Headers" Header Protection
       2.5.7.  Composing with "Wrapped Message" Header Protection
     2.6.  Default Header Confidentiality Policy
       2.6.1.  Minimal Header Confidentiality Policy
       2.6.2.  Strong Header Confidentiality Policy
       2.6.3.  No Header Confidentiality Policy
       2.6.4.  Offering More Ambitious Header Confidentiality
     2.7.  Receiving Side
       2.7.1.  Identifying that a Message has Header Protection
       2.7.2.  Updating the Cryptographic Summary
       2.7.3.  Rendering a Message with Injected Headers
       2.7.4.  Rendering a Wrapped Message
       2.7.5.  Guidance for Automated Message Handling
       2.7.6.  Affordances for Debugging and Troubleshooting
       2.7.7.  Rendering Other Schemes
       2.7.8.  Replying to an Encrypted Message with Header Protection
       2.7.9.  Implicitly rendered Header Fields
       2.7.10. Unprotected Header Fields Added in Transit
       2.7.11. Handling Undecryptable Messages
   3.  E-mail Ecosystem Evolution
     3.1.  Dropping Legacy Display Elements
     3.2.  More Ambitious Default Header Confidentiality Policy
     3.3.  Deprecation of Messages Without Header Protection
   4.  Usability Considerations
     4.1.  Mixed Protections Within a Message Are Hard To Understand
     4.2.  Users Should Not Have To Choose a Header Confidentiality Policy
     4.3.  Users Should Not Have To Choose a Header Protection Scheme
   5.  Security Considerations
     5.1.  Avoid Cryptographic Summary Confusion from hp Parameter
     5.2.  Caution about Composing with Legacy Display Elements
     5.3.  Plaintext Attacks
   6.  Privacy Considerations
     6.1.  Leaks When Replying
     6.2.  Encrypted Header Fields Are Not Always Private
       6.2.1.  Encrypted Header Fields Can Leak Unwanted Information to the Recipient
       6.2.2.  Encrypted Header Fields Can Be Inferred From External or Internal Metadata
       6.2.3.  Encrypted Header Fields May Not Be Fully Masked by HCP
     6.3.  A Naive Recipient May Overestimate the Cryptographic Status of a Header Field in an Encrypted Message
     6.4.  Privacy and Deliverability Risks with Bcc and Encrypted Messages
   7.  IANA Considerations
   8.  Acknowledgments
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Possible Problems with Legacy MUAs
     A.1.  Problems Viewing Messages in a List View
     A.2.  Problems when Rendering a Message
     A.3.  Problems when Replying to a Message
   Appendix B.  Test Vectors
     B.1.  Baseline Messages
       B.1.1.  No Cryptographic Protections Over a Simple Message
       B.1.2.  S/MIME Signed-only signedData Over a Simple Message, No Header Protection
       B.1.3.  S/MIME Signed-only multipart/signed Over a Simple Message, No Header Protection
       B.1.4.  S/MIME Encrypted and Signed Over a Simple Message, No Header Protection
       B.1.5.  No Cryptographic Protections Over a Complex Message
       B.1.6.  S/MIME Signed-only signedData Over a Complex Message, No Header Protection
       B.1.7.  S/MIME Signed-only multipart/signed Over a Complex Message, No Header Protection
       B.1.8.  S/MIME Encrypted and Signed Over a Complex Message, No Header Protection
     B.2.  Signed-only Messages
       B.2.1.  S/MIME Signed-only signedData Over a Simple Message, Wrapped Message
       B.2.2.  S/MIME Signed-only multipart/signed Over a Simple Message, Wrapped Message
       B.2.3.  S/MIME Signed-only signedData Over a Simple Message, Injected Headers
       B.2.4.  S/MIME Signed-only multipart/signed Over a Simple Message, Injected Headers
       B.2.5.  S/MIME Signed-only signedData Over a Complex Message, Wrapped Message
       B.2.6.  S/MIME Signed-only multipart/signed Over a Complex Message, Wrapped Message
       B.2.7.  S/MIME Signed-only signedData Over a Complex Message, Injected Headers
       B.2.8.  S/MIME Signed-only multipart/signed Over a Complex Message, Injected Headers
     B.3.  Encrypted-and-signed Messages
       B.3.1.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_minimal
       B.3.2.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal
       B.3.3.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display)
       B.3.4.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_strong
       B.3.5.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong
       B.3.6.  S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display)
       B.3.7.  S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_minimal
       B.3.8.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal
       B.3.9.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display)
       B.3.10. S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_strong
       B.3.11. S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong
       B.3.12. S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display)
       B.3.13. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_minimal
       B.3.14. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal
       B.3.15. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display)
       B.3.16. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_strong
       B.3.17. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong
       B.3.18. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display)
       B.3.19. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_minimal
       B.3.20. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal
       B.3.21. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display)
       B.3.22. S/MIME Encrypted and Signed Reply Over a Complex Message, Wrapped Message With hcp_strong
       B.3.23. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong
       B.3.24. S/MIME Encrypted and Signed Reply Over a Complex Message, Injected Headers With hcp_strong (+ Legacy Display)
   Appendix C.  Composition Examples
     C.1.  New message composition
       C.1.1.  Unprotected message
       C.1.2.  Encrypted with hcp_minimal and Legacy Display
     C.2.  Composing a Reply
       C.2.1.  Unprotected message
       C.2.2.  Encrypted with hcp_no_confidentiality and Legacy Display
   Appendix D.  Rendering Examples
     D.1.  Example text/plain Cryptographic Payload with Legacy Display Elements
     D.2.  Example text/html Cryptographic Payload with Legacy Display Elements
   Appendix E.  Other Header Protection Schemes
     E.1.  Original RFC 8551 Header Protection
     E.2.  Pretty Easy Privacy (pEp)
     E.3.  "draft-autocrypt" Protected Headers
   Appendix F.  Document Changelog
   Authors' Addresses

1.  Introduction

   Privacy and security issues regarding e-mail Header Protection in
   S/MIME and PGP/MIME have been identified for some time.  Most
   current implementations of cryptographically protected electronic
   mail protect only the body of the message, which leaves significant
   room for attacks against otherwise-protected messages.  For example,
   lack of Header Protection allows an attacker to substitute the
   message subject and/or author.

   This document describes two different schemes for how message
   headers can be cryptographically protected, and provides guidance
   for implementers of MUAs that generate and interpret such messages.
   It uses the term "Legacy MUA" to refer to an MUA that does not
   implement either scheme.  This document takes particular care to
   ensure that messages interact reasonably well with Legacy MUAs.

1.1.  Two Schemes of Header Protection

   This document addresses two different schemes for cryptographically
   protecting e-mail Header Sections or fields and provides guidance to
   implementers.  One scheme ("Injected Headers") is more interoperable
   with Legacy MUAs and is mandatory to implement and interpret.  The
   other, older scheme ("Wrapped Message") is described here to enable
   interpretation of archived messages.

   The older scheme was first specified in S/MIME 3.1 ([RFC8551]), and
   involves wrapping a message/rfc822 or message/global MIME object
   with a Cryptographic Envelope around the message to protect.  This
   document calls this scheme "Wrapped Message", and it updates the
   scheme described in that document, effectively replacing the final
   two paragraphs of Section 3.1 of [RFC8551].  However, experience has
   shown that even the updated "Wrapped Message" form does not interact
   well with some Legacy MUAs (see Section 1.2).

   The more interoperable "Injected Headers" scheme of Header
   Protection is introduced in this document, and is preferred over the
   "Wrapped Message" scheme.  In the "Injected Headers" scheme, the
   protected Header Fields are placed directly on the Cryptographic
   Payload without using an intervening message/* MIME object.  See
   Section 2.5.6 and Section 2.7.3 for more details.

1.2.  Problems with Wrapped Messages

   Several Legacy MUAs have revealed rendering issues when dealing with
   a message that uses the Wrapped Message Header Protection scheme.

   In some cases, some mail user agents cannot render message/rfc822
   message subparts at all, in violation of baseline MIME requirements
   as described on page 5 of [RFC2049].  This leaves all Wrapped
   Messages unreadable by any recipient using such an MUA.

   In other cases, the user sees an attachment suggesting a forwarded
   e-mail message, which -- in fact -- contains the protected e-mail
   message that should be rendered directly.  In most of these cases,
   the user can click on the attachment to view the protected message.

   However, viewing the protected message as an attachment in isolation
   may strip it of any security indications, leaving the user unable to
   assess the cryptographic properties of the message.  Worse, for
   encrypted messages, interacting with the protected message in
   isolation may leak contents of the cleartext, for example, if the
   reply is not also encrypted.

1.3.  Problems with Injected Headers

   A Legacy MUA dealing with an encrypted message that has some Header
   Fields obscured using the Injected Headers scheme will not render
   the obscured Header Fields to the user at all.  A workaround "Legacy
   Display" mechanism is provided in this document, which most Legacy
   MUAs should render to the user, albeit not in the same location that
   the Header Fields would normally be rendered.

1.4.  Motivation

   Users generally do not understand the distinction between message
   body and message header.  When an e-mail message has cryptographic
   protections that cover the message body, but not the Header Fields,
   several attacks become possible.

   For example, a Legacy Signed Message has a signature that covers the
   body but not the Header Fields.  An attacker can therefore modify
   the Header Fields (including the Subject header) without
   invalidating the signature.
   Since most readers consider a message body in the context of the
   message's Subject header, the meaning of the message itself could
   change drastically (under the attacker's control) while still
   retaining the same cryptographic indicator of authenticity.

   In another example, a Legacy Encrypted Message has its body
   effectively hidden from an adversary that snoops on the message.
   But if the Header Fields are not also encrypted, significant
   information about the message (such as the message Subject) will
   leak to the inspecting adversary.

   However, if the sending and receiving MUAs ensure that cryptographic
   protections cover the message Header Section as well as the message
   body, these attacks are defeated.

1.4.1.  Backward Compatibility

   If the sending MUA is unwilling to generate such a fully protected
   message due to the potential for rendering, usability,
   deliverability, or security issues, these defenses cannot be
   realized.

   The sender cannot know what MUA (or MUAs) the recipient will use to
   handle the message.  Thus, an outbound message format that is
   backward compatible with as many legacy implementations as possible
   is a more effective vehicle for providing the whole-message
   cryptographic protections described above.

   This document aims for backward compatibility with Legacy MUAs to
   the extent possible.  In some cases, like when a user-visible header
   like the Subject is cryptographically hidden, a Legacy MUA will not
   be able to render or reply to the message exactly the same way as a
   conformant MUA would.  But accommodations are described here that
   ensure a rough semantic equivalence for Legacy MUAs even in these
   cases.

1.4.2.  Deliverability

   A message with perfect cryptographic protections that cannot be
   delivered is less useful than a message with imperfect cryptographic
   protections that can be delivered.  Senders want their messages to
   reach the intended recipients.

   Given the current state of the Internet mail ecosystem, encrypted
   messages in particular cannot shield all of their Header Fields from
   visibility and still be guaranteed delivery to their intended
   recipient.

   This document accounts for this concern by providing a mechanism
   (Section 2.5.2) that prioritizes initial deliverability (at the cost
   of some header leakage) while facilitating future message variants
   that shield more header metadata from casual inspection.

1.5.  Other Protocols to Protect E-Mail Header Fields

   A separate pair of protocols also provides some cryptographic
   protection for the e-mail message header integrity: DomainKeys
   Identified Mail (DKIM) [RFC6376], as used in combination with
   Domain-based Message Authentication, Reporting, and Conformance
   (DMARC) [RFC7489].  This pair of protocols provides a domain-based
   reputation mechanism that can be used to mitigate some forms of
   unsolicited e-mail (spam).

   However, the DKIM+DMARC suite provides cryptographic protection at a
   different scope than the mechanisms described here.  In particular,
   the message integrity and authentication signals provided by
   DKIM+DMARC correspond to the domain name of the sending e-mail
   address, not the sending address itself, so the DKIM+DMARC suite
   does not provide end-to-end protection.

   DKIM and DMARC are typically applied to messages by (and interpreted
   by) mail transfer agents, not mail user agents.  The mechanisms in
   this document are typically applied to messages by (and interpreted
   by) mail user agents.

   Furthermore, the DKIM+DMARC suite only provides cryptographic
   integrity and authentication, not encryption.  So cryptographic
   confidentiality is not available from that suite.

   The DKIM+DMARC suite can be used on any message, including messages
   formed as described in this document.  There should be no conflict
   between these schemes.

   Though not strictly e-mail, similar protections have been in use on
   Usenet for signing and verification of message headers for years.
   See [PGPCONTROL] and [PGPVERIFY-FORMAT] for more details.  Like
   DKIM, these Usenet control protections offer only integrity and
   authentication, not encryption.

1.6.  Applicability to PGP/MIME

   This document describes end-to-end cryptographic protections for
   e-mail messages in reference to S/MIME ([RFC8551]).

   Comparable end-to-end cryptographic protections can also be provided
   by PGP/MIME ([RFC3156]).

   The mechanisms in this document should be applicable in the PGP/MIME
   protections as well as S/MIME protections, but analysis and
   implementation in this document focuses on S/MIME.

   To the extent that any divergence from the mechanism described here
   is necessary for PGP/MIME, that divergence is out of scope for this
   document.

1.7.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The key words "SPECIFICATION REQUIRED" and "IETF REVIEW" that appear
   in this document when used to describe namespace allocation are to
   be interpreted as described in [RFC8126].

1.8.  Terms

   The following terms are defined for the scope of this document:

   *  S/MIME: Secure/Multipurpose Internet Mail Extensions (see
      [RFC8551])

   *  PGP/MIME: MIME Security with OpenPGP (see [RFC3156])

   *  Message: An E-Mail Message consisting of Header Fields
      (collectively called "the Header Section of the message")
      followed, optionally, by a Body; see [RFC5322].

      Note: To avoid ambiguity, this document avoids using the terms
      "Header" or "Headers" in isolation, but instead always uses
      "Header Field" to refer to the individual field and "Header
      Section" to refer to the entire collection.

   *  Header Field: A Header Field includes a field name, followed by a
      colon (":"), followed by a field body (value), and terminated by
      CRLF; see Section 2.2 of [RFC5322] for more details.

   *  Header Section: The Header Section is a sequence of lines of
      characters with special syntax as defined in [RFC5322].  The
      Header Section of a Message contains the Header Fields associated
      with the Message itself.  The Header Section of a MIME part (that
      is, a subpart of a message) typically contains Header Fields
      associated with that particular MIME part.

   *  Body: The Body is the part of a Message that follows the Header
      Section and is separated from the Header Section by an empty line
      (i.e., a line with nothing preceding the CRLF); see [RFC5322].
      It is the (bottom) section of a Message containing the payload of
      a Message.  Typically, the Body consists of a (possibly
      multipart) MIME [RFC2045] construct.

   *  Header Protection (HP): cryptographic protection of e-mail Header
      Sections (or parts of it) by means of signatures and/or
      encryption.

   *  Cryptographic Layer, Cryptographic Payload, Cryptographic
      Envelope, Cryptographic Summary, Structural Header Fields, Main
      Body Part, User-Facing Header Fields, and MUA are all used as
      defined in [I-D.ietf-lamps-e2e-mail-guidance]

   *  Legacy MUA: an MUA that does not understand Header Protection as
      described in this document.  A Legacy Non-Crypto MUA is incapable
      of doing any end-to-end cryptographic operations.  A Legacy
      Crypto MUA is capable of doing cryptographic operations, but does
      not understand or generate messages with Header Protection.

   *  Legacy Signed Message: an e-mail message that was signed by a
      Legacy MUA (and therefore has no cryptographic authenticity or
      integrity protections on its Header Fields).

   *  Wrapped Message: The Header Protection scheme that uses the
      mechanism described in [RFC8551], where the Cryptographic Payload
      is a message/rfc822 or message/global MIME object, augmented with
      a Content-Type parameter to indicate that this is the explicit
      intent (see Section 2.2).

   *  Injected Headers: The Header Protection scheme that uses the
      mechanism described in this document (see Section 2.1), where the
      protected Header Fields are inserted on the Cryptographic Payload
      directly.

   *  Header Confidentiality Policy (HCP): a functional specification
      of which Header Fields should be removed or obscured when
      composing an encrypted message with Header Protection.  An HCP is
      considered more "conservative" when it removes or obscures fewer
      Header Fields.  When it removes or obscures more Header Fields,
      it is more "ambitious".  See Section 2.5.2.

   *  Ordinary User: a user of an MUA who follows a simple and minimal
      experience, focused on sending and receiving e-mails.  A user who
      opts into advanced configuration, expert mode, or the like is not
      an "Ordinary User".

1.9.  Document Scope

   This document describes sensible, simple behavior for a program that
   generates an e-mail message with standard end-to-end cryptographic
   protections, following the guidance in
   [I-D.ietf-lamps-e2e-mail-guidance].  An implementation conformant to
   this document will produce messages that have cryptographic
   protection that covers the message's Header Fields as well as its
   body.

1.9.1.  In Scope

   This document also describes sensible, simple behavior for a program
   that interprets such a message, in a way that can take advantage of
   these protections covering the Header Fields as well as the body.

   The message generation guidance aims to minimize negative
   interactions with any Legacy receiving MUA while providing
   actionable cryptographic properties for modern receiving clients.

   In particular, this document focuses on two standard types of
   cryptographic protection that cover the entire message:

   *  A cleartext message with a single signature, and

   *  An encrypted message that contains a single cryptographic
      signature.

1.9.2.  Out of Scope

   The message composition guidance in this document (in
   Section 2.5.6) aims to provide minimal disruption for any Legacy MUA
   that receives such a message.  However, a Legacy MUA by definition
   does not implement any of the guidance here.  Therefore, the
   document does not attempt to provide guidance for Legacy MUAs
   directly.

   Furthermore, this document does not explicitly contemplate other
   variants of cryptographic message protections, including any of
   these:

   *  Encrypted-only message (Without a cryptographic signature.  See
      Section 5.3 of [I-D.ietf-lamps-e2e-mail-guidance].)

   *  Triple-wrapped message

   *  Signed message with multiple signatures

   *  Encrypted message with a cryptographic signature outside the
      encryption.

   All such messages are out of scope of this document.

2.  Specification

   As mentioned in Section 1.1, this document describes two ways to
   provide end-to-end cryptographic protection for an e-mail message
   that includes all Header Fields known to the sender at message
   composition time.

   This document also specifies a new Header Field: HP-Outer (see
   Section 2.5.3).

   When composing a message with end-to-end cryptographic protections,
   an MUA SHOULD apply Header Protection.

   A sending MUA MUST be able to generate the Injected Headers scheme
   (Section 2.5.6), and MAY generate the Wrapped Message scheme
   (Section 2.5.7).
   The MUA implementer can choose between the two schemes (see
   Section 4.3).  A compatible MUA SHOULD use Injected Headers when
   composing a new message with end-to-end cryptographic protections,
   since a message structured with Injected Headers is more likely to
   be usable by both legacy and compatible MUAs.

   A receiving MUA MUST be able to handle both Header Protection
   schemes, as described in Section 2.7.

2.1.  Injected Headers Scheme

   A message that uses the Injected Headers scheme has protected Header
   Fields in the Header Section of the Cryptographic Payload.

   For an encrypted message that has at least one User-Facing Header
   Field (see Section 1.1.2 of [I-D.ietf-lamps-e2e-mail-guidance])
   removed or obscured outside of the Cryptographic Payload, those
   Header Fields MAY be duplicated into decorative copies in the Main
   Body MIME part of the Cryptographic Payload itself.  These
   decorative copies within the message are known as "Legacy Display
   Elements".  Such a Legacy Display Element enables users of a Legacy
   receiving MUA -- that doesn't yet understand how to interpret or
   display the Injected Headers scheme -- to view the removed/obscured
   Header Fields.

   See Section 3.1 for more details about how the ecosystem could shift
   so that a sending MUA could avoid the need to generate any Legacy
   Display Element.

   Composing a message with the Injected Headers scheme is described in
   Section 2.5.6.  Rendering such a message is described in
   Section 2.7.3.  Example message composition and reply can be seen in
   Appendix C.  Example message rendering which strips Legacy Display
   Elements can be seen in Appendix D.

2.2.  Wrapped Message Scheme

   A message that uses the Wrapped Message scheme has a Cryptographic
   Payload of a single message/rfc822 (or message/global) MIME object,
   which itself contains the original message (including the protected
   Header Section).
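
   The following sketch is an added example, not code from this draft
   or from any MUA.  It shows where a receiver finds the protected
   Header Fields under each scheme (Sections 2.1 and 2.2, keyed on the
   hp parameter of Section 2.3) and flags outer fields that differ from
   them.  The function names, the result layout and the sample messages
   are assumptions made for the illustration.

```python
# Added illustration, not code from the draft or from any MUA. Assumption: the
# caller has already verified (and, if needed, decrypted) the Cryptographic
# Envelope and hands over the raw Cryptographic Payload and the outer message.
from email import message_from_bytes, policy


def _user_fields(part):
    """Non-structural Header Fields of a part (skips Content-*, MIME-Version)."""
    fields = {}
    for name, value in part.items():
        key = name.lower()
        if key.startswith("content-") or key == "mime-version":
            continue
        fields.setdefault(key, []).append(str(value).strip())
    return fields


def inspect_payload(outer_bytes, payload_bytes, was_encrypted):
    """Locate the protected Header Fields and compare them with the outer ones.

    was_encrypted must come from the cryptographic processing itself; the hp
    parameter is only the sender's stated intent and is never trusted for it.
    """
    root = message_from_bytes(payload_bytes, policy=policy.default)
    hp = root.get_param("hp")  # consulted at the root of the payload only
    result = {"scheme": None, "hp": hp, "confidential": bool(was_encrypted),
              "protected": {}, "mismatches": {}, "warnings": []}
    if hp not in ("clear", "cipher"):
        return result  # no Header Protection signalled on this payload
    if hp == "cipher" and not was_encrypted:
        result["warnings"].append("hp=cipher on a payload that was not encrypted")

    if root.get_content_type() in ("message/rfc822", "message/global"):
        if not root.is_multipart():
            result["warnings"].append("message/* payload has no inner message")
            return result
        result["scheme"] = "wrapped"    # protected fields are on the inner message
        source = root.get_payload(0)
    else:
        result["scheme"] = "injected"   # protected fields sit on the payload itself
        source = root

    result["protected"] = _user_fields(source)
    outer = _user_fields(message_from_bytes(outer_bytes, policy=policy.default))
    # On an encrypted message a difference can also be the sender's Header
    # Confidentiality Policy at work; on a signed-only message it means the
    # outer field is not what the sender signed.
    for key, values in result["protected"].items():
        if outer.get(key, []) != values:
            result["mismatches"][key] = {"outer": outer.get(key, []),
                                         "protected": values}
    return result


# Constructed sample data: an outer Header Section whose Subject was changed
# after signing, and the same signed content in both payload shapes.
OUTER_TAMPERED = (
    b"From: Alice <alice@example.net>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: Cancel the contract\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n\r\n")
INJECTED = (
    b'Content-Type: text/plain; charset="us-ascii"; hp="clear"\r\n'
    b"From: Alice <alice@example.net>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: Sign the contract\r\n\r\n"
    b"Please proceed.\r\n")
WRAPPED = (
    b'Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"\r\n'
    b"Content-Disposition: inline\r\n\r\n"
    b"From: Alice <alice@example.net>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: Sign the contract\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Please proceed.\r\n")

if __name__ == "__main__":
    for label, payload in (("injected", INJECTED), ("wrapped", WRAPPED)):
        report = inspect_payload(OUTER_TAMPERED, payload, was_encrypted=False)
        print(label, report["scheme"], report["mismatches"])
```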

The Wrapped Message Header Protection scheme is very similar to that described in Section 3.1 of [RFC8551]. The main augmentations this document provides to that scheme are:

* an explicit discussion of how to obscure or remove Header Fields,
* an additional hp="clear" or hp="cipher" parameter to the Content-Type Header Field of the Cryptographic Payload to indicate the explicit intent,
* an additional hp-scheme="wrapped" parameter to the same Content-Type Header Field to indicate the specific scheme in use,
* a recommendation to mark such a Wrapped Message as "Content-Disposition: inline" to encourage Legacy MUAs to render the inner message directly rather than treating it as an attachment, and
* a mechanism the recipient of an encrypted message can use to explicitly derive what Header Fields were removed or obscured by the sender (the HP-Outer mechanism).

Composing a message with the Wrapped Message scheme is described in Section 2.5.7. Rendering such a message is described in Section 2.7.4.

2.3. Content-Type parameter: hp

This specification defines a parameter for the Content-Type Header Field named hp (for Header Protection). Its value is only relevant on the Content-Type Header Field at the root of the Cryptographic Payload. When generating a message, an MUA MUST add this parameter only to the Content-Type Header Field at the root of the message's Cryptographic Payload. When consuming a message, an MUA MUST ignore this parameter when it encounters it anywhere other than the root of the message's Cryptographic Payload.

The parameter's defined values describe the sender's cryptographic intent when producing the message:

+==========+==============+===========+=================+========================================+
| hp Value | Authenticity | Integrity | Confidentiality | Description                            |
+==========+==============+===========+=================+========================================+
| "clear"  | yes          | yes       | no              | This message has been signed by the    |
|          |              |           |                 | sender with Header Protection          |
+----------+--------------+-----------+-----------------+----------------------------------------+
| "cipher" | yes          | yes       | yes             | This message has been signed by the    |
|          |              |           |                 | sender, with Header Protection, and is |
|          |              |           |                 | encrypted to the recipients            |
+----------+--------------+-----------+-----------------+----------------------------------------+

Table 1: hp parameter for Content-Type Header Field

A sending implementation MUST NOT produce a Cryptographic Payload with parameter hp="cipher" for a non-encrypted message (that is, where none of the Cryptographic Layers in the Cryptographic Envelope of the message provide encryption). Likewise, if a sending implementation is sending an encrypted message with Header Protection, it MUST emit an hp="cipher" parameter, regardless of the HCP in use.

Note that hp="cipher" indicates that the message itself has been encrypted by the sender to the recipients, but makes no assertions about which Header Fields have been removed or obscured. This can be derived from the Cryptographic Payload itself (see Section 2.5.4).

A receiving implementation MUST NOT mistake the presence of an hp="cipher" parameter in the Cryptographic Payload for the actual presence of a Cryptographic Layer that provides encryption.

2.4. Content-Type parameter: hp-scheme

This document recommends the Injected Headers scheme, and the presence of the hp= parameter in the Content-Type of the Cryptographic Payload implies the use of that scheme by default. If the message does Header Protection using the Wrapped Message scheme, it MUST also add an hp-scheme="wrapped" parameter to the Content-Type of the Cryptographic Payload.

+==================================+===============================+
| hp-scheme Value                  | Header Protection Scheme Used |
+==================================+===============================+
| (no hp-scheme parameter present) | Injected Headers              |
+----------------------------------+-------------------------------+
| "wrapped"                        | Wrapped Message               |
+----------------------------------+-------------------------------+

Table 2: hp-scheme parameter for Content-Type Header Field

2.5. Sending Side

This section describes the process an MUA should use to apply cryptographic protection to an e-mail message with Header Protection.

2.5.1. Composing a Cryptographically Protected Message Without Header Protection

As a baseline, we consider the typical message composition process of a Legacy Crypto MUA which does not provide any Header Protection.

This process is described in Section 5.1 of [I-D.ietf-lamps-e2e-mail-guidance]. We replicate it here for reference:

* origbody: the traditional unprotected message body as a well-formed MIME tree (possibly just a single MIME leaf part). As a well-formed MIME tree, origbody already has structural Header Fields (Content-*) present.
* origheaders: the intended non-structural Header Fields for the message, represented here as a list of (h,v) pairs, where h is a Header Field name and v is the associated value. Note that these are Header Fields that the MUA intends to be visible to the recipient of the message.
  In particular, if the MUA uses the Bcc Header Field during composition, but plans to omit it from the message (see Section 3.6.3 of [RFC5322]), it will not be in origheaders.
* crypto: The series of cryptographic protections to apply (for example, "sign with the secret key corresponding to X.509 certificate X, then encrypt to X.509 certificates X and Y"). This is a routine that accepts a MIME tree as input (the Cryptographic Payload), wraps the input in the appropriate Cryptographic Envelope, and returns the resultant MIME tree as output.

The algorithm returns a MIME object that is ready to be injected into the mail system:

* Apply crypto to MIME part origbody, producing MIME tree output
* For each Header Field name and value (h,v) in origheaders:
  - Add Header Field h to output with value v
* Return output

2.5.2. Header Confidentiality Policy

When composing an encrypted message with Header Protection, the composing MUA needs a Header Confidentiality Policy (HCP). In this document, we represent that Header Confidentiality Policy as a function hcp:

* hcp(name, val_in) → val_out: this function takes a non-structural Header Field identified by name with initial value val_in as arguments, and returns a replacement header value val_out. If val_out is the special value null, it means that the Header Field in question should be removed from the set of Header Fields visible outside the Cryptographic Envelope.

In the pseudocode descriptions of various choices of HCP in this document, any comparison with the name input is done case-insensitively. This is appropriate for Header Field names, as described in [RFC5322].

Note that hcp is only applied to non-structural Header Fields. When composing a message, Structural Header Fields are dealt with separately, as described in Section 2.5.6 and Section 2.5.7.

As an example, an MUA that obscures the Subject Header Field by replacing it with the literal string "[...]", hides all Cc'ed recipients, and does not offer confidentiality to any other Header Fields would be represented as (in pseudocode):

   hcp_example_hide_cc(name, val_in) → val_out:
     if lower(name) is 'subject':
       return '[...]'
     else if lower(name) is 'cc':
       return null
     else:
       return val_in

Note that such a policy is only needed when the end-to-end protections include encryption (confidentiality). No comparable policy is needed for other end-to-end cryptographic protections (integrity and authenticity), as they are simply uniformly applied so that all Header Fields known by the sender have these protections.

This asymmetry is an unfortunate consequence of complexities in message delivery systems, some of which may reject, drop, or delay messages where all Header Fields are removed from the top-level MIME object.

This document does not mandate any particular Header Confidentiality Policy, though it offers guidance for MUA implementers in selecting one in Section 2.6. Future documents may recommend or mandate such a policy for an MUA with specific needs. Such a recommendation might be motivated by descriptions of metadata-derived attacks, or stem from research about message deliverability, or describe new signalling mechanisms, but these topics are out of scope for this document.

For alignment with common practice as well as the ABNF in Section 2.5.3 for HP-Outer, val_out MUST be one of the following:

* identical to val_in, or
* the special value null (meaning that the Header Field will be removed from the outside of the message), or
* a sequence of printable and whitespace (that is, space or tab) 7-bit clean ASCII characters (of course, non-ASCII text can be encoded as ASCII using the encoded-word construct from [RFC2047])

The HCP can compute val_out using any technique describable in pseudocode, such as copying a fixed string or invocations of other pseudocode functions. If it alters the value, it MUST NOT include control or NUL characters in val_out. val_out SHOULD match the expected ABNF for the Header Field identified by name.

2.5.3. Definition of the HP-Outer Header Field

This document defines a new Header Field, HP-Outer. HP-Outer is used for conveying the effect of the sender's Header Confidentiality Policy for an encrypted message. It does so by embedding a copy within the Cryptographic Envelope of every non-structural Header Field that the sender put outside the Cryptographic Envelope. This Header Field enables the MUA receiving the encrypted message to reliably identify whether the sending MUA intended to make a Header Field confidential (see Section 6.3).

An implementation that composes encrypted e-mail MUST include a copy of all non-structural Header Fields deliberately exposed to the outside of the Cryptographic Envelope using a series of HP-Outer Header Fields within the Cryptographic Payload. These HP-Outer MIME Header Fields should only ever appear directly within the Header Section of the Cryptographic Payload of a Cryptographic Envelope offering confidentiality. They MUST be ignored for the purposes of evaluating the message's Header Protection if they appear in other places.
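
The following Python code is an added example, not part of this draft: it applies hcp_example_hide_cc from Section 2.5.2 to a constructed origheaders list, enforces the val_out constraints, and produces the outer Header Fields with their matching HP-Outer values. The names apply_hcp, checked and hcp_broken_folding are hypothetical, and the response_hcp step of Section 2.5.5 is left out.

```python
import string

# When the HCP alters a value, val_out may only contain printable 7-bit ASCII
# plus space and tab (no CR, LF, other control characters, or NUL).
ALLOWED = set(string.printable) - set("\r\n\x0b\x0c")

# Constructed sample: the Header Fields the user composed (origheaders).
ORIGHEADERS = [
    ("From", "bob@example.org"),
    ("To", "carol@example.org"),
    ("Cc", "alice@example.net"),
    ("Subject", "Thursday's meeting"),
]


def hcp_example_hide_cc(name, val_in):
    """The example policy from Section 2.5.2; None stands for null."""
    lname = name.lower()  # Header Field names compare case-insensitively
    if lname == "subject":
        return "[...]"
    if lname == "cc":
        return None
    return val_in


def hcp_broken_folding(name, val_in):
    """Hypothetical faulty policy: its replacement value embeds CRLF."""
    if name.lower() == "subject":
        return "[...]\r\nX-Extra: 1"
    return val_in


def checked(name, val_in, val_out):
    """Return val_out if it meets the val_out constraints, else raise."""
    if val_out is None or val_out == val_in:
        return val_out
    for ch in val_out:
        if ch not in ALLOWED:
            raise ValueError(f"HCP output for {name} contains {ch!r}")
    return val_out


def apply_hcp(origheaders, hcp):
    """Compute what leaves the Cryptographic Envelope of an encrypted message.

    Returns (outer, hp_outer): the (h, v) pairs for the outer Header Section
    and the matching HP-Outer values for the Cryptographic Payload.
    """
    outer = []
    for h, v in origheaders:
        newval = checked(h, v, hcp(h, v))
        if newval is not None:  # null means: omit from the outside
            outer.append((h, newval))
    hp_outer = [f"{h}: {v}" for h, v in outer]
    return outer, hp_outer


if __name__ == "__main__":
    outer, hp_outer = apply_hcp(ORIGHEADERS, hcp_example_hide_cc)
    for h, v in outer:
        print(f"{h}: {v}")
    for record in hp_outer:
        print(f"HP-Outer: {record}")
```

Rejecting a replacement value that contains CR or LF keeps a faulty policy from adding an extra line to the unprotected Header Section.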

Each instance of HP-Outer contains a non-structural Header Field name and the value that this Header Field was set in the outer (unprotected) Header Section. The HP-Outer Header Field can appear multiple times in the Header Section of a Cryptographic Payload.

If a non-structural Header Field name A doesn't appear in an HP-Outer Header Field value, then the sender is effectively asserting it was not set on the outside of the message's Cryptographic Envelope by the original message sender at the time the message was injected into the mail system.

The syntax of this Header Field is defined using the following ABNF [RFC5234], where field-name, WSP, VCHAR, and FWS are defined in [RFC5322]:

   hp-outer = "HP-Outer:" [FWS] field-name ": "
              hp-outer-value CRLF

   hp-outer-value = (*([FWS] VCHAR) *WSP)

Note that hp-outer-value is the same as unstructured from [RFC5322], but without the obsolete obs-unstructured option.

2.5.4. Extracting Protected and Unprotected ("Outer") Header Fields

When a message is encrypted and it uses Header Protection, an MUA may need to extract a list of protected Header Fields (names and values), as well as a list of Header Fields that were added by the original message sender in unprotected form to the outside of the message's Cryptographic Envelope.

The following algorithm takes a reference message refmsg as input, which is encrypted with Header Protection as described in this document (that is, the Cryptographic Envelope includes a Cryptographic Layer that provides encryption, and the hp parameter for the Content-Type Header Field of the Cryptographic Payload is cipher). It produces as output a pair of lists of (h,v) Header Fields.

* When refmsg uses the Injected Headers scheme (that is, when there is no hp-scheme parameter for the Content-Type Header Field of the Cryptographic Payload):
  - Let refheaders be the list of (h,v) protected Header Fields found in the root of the Cryptographic Payload
* When refmsg uses the Wrapped Message scheme (that is, when the hp-scheme parameter for the Content-Type Header Field of the top-level message/rfc822 Cryptographic Payload is wrapped):
  - Let refheaders be the list of (h,v) protected Header Fields found in the immediate child of the root of the Cryptographic Payload (recall that the root is a message/rfc822)
* Let refouter be an empty list of Header Field names and values
* Let refprotected be an empty list of Header Field names and values
* For each (h,v) in refheaders:
  - If h is HP-Outer:
    o Split v into (h1,v1) on the first colon (:) followed by any amount of whitespace.
    o Append (h1,v1) to refouter
  - Else:
    o Append (h,v) to refprotected
* Return refouter, refprotected

Note that this algorithm is independent of the unprotected Header Fields. It derives its output only from the normal Header Fields and the HP-Outer Header Fields, both contained inside the Cryptographic Payload.

2.5.5. Header Confidentiality for Referenced Encrypted Messages

Some e-mail messages are written in response to another message. For example, the user of an MUA viewing any given message might take an action like "Reply", "Reply All", "Forward", or some comparable action to start the composition of a new message. The new message created this way effectively references the original message that was viewed at the time.

When the referenced message was itself encrypted with Header Protection, and some of its Header Fields had been obscured or removed, the replying MUA needs to make sure that the new message does not leak previously confidential header material.
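
An added Python example (not part of this draft) of the extraction in Section 2.5.4, run on a constructed, already-decrypted Cryptographic Payload; it also lists the protected fields that were removed or obscured, which is the material a reply must not leak. The function names and the was_encrypted argument are hypothetical, and treating MIME-Version and Content-* as structural is an assumption taken from the draft's terminology.

```python
import email
import re

# Constructed sample Header Fields as they appear inside the Cryptographic Payload.
HEADERS = (
    "From: bob@example.org\n"
    "To: carol@example.org\n"
    "Cc: alice@example.net\n"
    "Subject: Thursday's meeting\n"
    "HP-Outer: From: bob@example.org\n"
    "HP-Outer: To: carol@example.org\n"
    "HP-Outer: Subject: [...]\n"
)
BODY = "\nI think we should skip the meeting.\n"
INJECTED = 'MIME-Version: 1.0\nContent-Type: text/plain; hp="cipher"\n' + HEADERS + BODY
WRAPPED = (
    'Content-Type: message/rfc822; hp="cipher"; hp-scheme="wrapped"\n'
    "Content-Disposition: inline\n\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n" + HEADERS + BODY
)


def is_structural(name):
    """Assumption: structural Header Fields are MIME-Version and Content-*."""
    lname = name.lower()
    return lname == "mime-version" or lname.startswith("content-")


def extract_header_lists(payload_text, was_encrypted):
    """Return (refouter, refprotected) for a decrypted Cryptographic Payload.

    was_encrypted must come from the decryption step itself: the hp="cipher"
    parameter alone is not evidence that an encryption layer was present.
    """
    if not was_encrypted:
        raise ValueError("no Cryptographic Layer provided encryption")
    root = email.message_from_string(payload_text)
    if root.get_param("hp") != "cipher":
        raise ValueError('Cryptographic Payload is not marked hp="cipher"')
    scheme = root.get_param("hp-scheme")
    if scheme is None:
        source = root                      # Injected Headers: use the root
    elif scheme == "wrapped" and root.get_content_maintype() == "message" \
            and root.is_multipart():
        source = root.get_payload(0)       # Wrapped Message: immediate child
    else:
        raise ValueError(f"unsupported hp-scheme {scheme!r}")
    refouter, refprotected = [], []
    for h, v in source.items():
        if h.lower() == "hp-outer":
            # Split on the first colon followed by any amount of whitespace.
            parts = re.split(r":[ \t]*", v, maxsplit=1)
            if len(parts) == 2:            # malformed values are skipped here
                refouter.append((parts[0], parts[1]))
        elif not is_structural(h):
            refprotected.append((h, v))
    return refouter, refprotected


def removed_or_obscured(refouter, refprotected):
    """Protected (h, v) pairs the sender did not expose unchanged outside."""
    exposed = {(h.lower(), v) for h, v in refouter}
    return [(h, v) for h, v in refprotected if (h.lower(), v) not in exposed]


if __name__ == "__main__":
    for sample in (INJECTED, WRAPPED):
        outer, protected = extract_header_lists(sample, was_encrypted=True)
        print(removed_or_obscured(outer, protected))
```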

This section describes a method to produce a list of Header Fields that should be obscured or removed in the new message even if the sender's choice of Header Confidentiality Policy wouldn't normally remove or obscure the Header Field in question.

It takes two items as input:

* A single referenced message refmsg, and
* A built-in MUA function respond associated with the user's action. respond takes as input a list of headers from a referenced message and generates a list of initial candidate message Header Field names and values that are used to populate the message composition interface. Something like this function already exists in most MUAs, though it may differ across responsive actions. For example, the respond function that implements "Reply All" is likely to be different from the respond that implements "Reply".

As output, we produce an ephemeral single-use Header Confidentiality Policy, specific to this kind of response to this specific message.

* If refmsg is not encrypted with Header Protection:
  - Return hcp_no_confidentiality (there is no header confidentiality in the reference message that needs protection)
* Extract refouter, refprotected from refmsg as described in Section 2.5.4
* Let genprotected be a list of (h,v) pairs generated by respond(refprotected)
* Let genouter be a list of (h,v) pairs generated by respond(refouter)
* For each (h,v) in genprotected:
  - If (h,v) is in genouter:
    o Remove (h,v) from both genprotected and genouter (this Header Field does not need additional confidentiality)
* Let confmap be a mapping from a Header Field name and value (h,v) to either a string or the special value null (this mapping is initially empty)
* For each (h,v) remaining in genprotected:
  - Set result to the special value null
  - For each (h1,v1) in genouter:
    o If h1 is h:
      + Set result to v1
  - Insert (h,v) -> result into confmap
* Return a new HCP from confmap that tests whether (name,val_in) are in confmap; if so, return confmap[(name,val_in)]; otherwise, return val_in

Note that the key idea here is to reuse the MUA's existing respond function. The algorithm simulates how the MUA would pre-populate a reply to two traditional messages whose Header Fields have the values refouter and refprotected respectively (independent of any cryptographic protections). Then it uses the difference to derive a one-time HCP. This HCP takes into account both the referenced message's sender's preferences and the derivations that can happen to Header Field values when responding.

Note that while some of these derivations are straightforward (e.g., In-Reply-To is usually derived from Message-ID), others are non-trivial. For example, From may be derived from To, Cc, or from the MUA's local address preference (especially when the MUA received the referenced message via Bcc). Similarly, To may be derived from To, From, and/or Cc depending on the MUA implementation and depending on whether the user clicked "Reply", "Reply All", "Forward", or any other action that
generates a response to a message. Reusing the MUA's existing respond function incorporates these nuances without requiring any extra configuration choices or additional maintenance burden.

2.5.6. Composing with "Injected Headers" Header Protection

To compose a message using "Injected Headers" Header Protection, the composing MUA uses the following inputs:

* All the inputs described in Section 2.5.1
* hcp: a Header Confidentiality Policy, as defined in Section 2.5.2
* response: if the new message is a response to another message (e.g., "Reply", "Reply All", "Forward", etc), the MUA function corresponding to the user's action (see Section 2.5.5), otherwise null
* refmsg: if the new message is a response to another message, the message being responded to, otherwise null
* legacy: a boolean value, indicating whether any recipient of the message is believed to have a Legacy MUA. If all recipients are known to implement this draft, legacy should be set to false. (How an MUA determines the value of legacy is out of scope for this document; an initial implementation can simply set it to true)

To enable visibility of User-Facing but now removed/obscured Header Fields for decryption-capable Legacy MUAs, the Header Fields are included as a decorative Legacy Display Element in specially marked parts of the message (see Section 2.1). This document recommends two mechanisms for such a decorative adjustment: one for a text/html Main Body Part of the e-mail message, and one for a text/plain Main Body Part. This document does not recommend adding a Legacy Display Element to any other part.

Please see Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for guidance on identifying the parts of a message that are a Main Body Part.
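
An added Python example (not part of this draft) of the single-use HCP derivation from Section 2.5.5, which the composition inputs above refer to as response and refmsg. The respond_reply_all function is a hypothetical, simplified "Reply All", and the refouter and refprotected lists are constructed sample values.

```python
# Constructed sample: the output of Section 2.5.4 for a referenced message
# whose sender removed Cc and obscured Subject.
REFPROTECTED = [
    ("From", "bob@example.org"),
    ("To", "carol@example.org"),
    ("Cc", "alice@example.net"),
    ("Subject", "Thursday's meeting"),
    ("Message-ID", "<abc@example.org>"),
]
REFOUTER = [
    ("From", "bob@example.org"),
    ("To", "carol@example.org"),
    ("Subject", "[...]"),
    ("Message-ID", "<abc@example.org>"),
]


def hcp_no_confidentiality(name, val_in):
    return val_in


def respond_reply_all(headers):
    """Hypothetical respond function: pre-populate a "Reply All" draft."""
    out = []
    for h, v in headers:
        lh = h.lower()
        if lh == "from":
            out.append(("To", v))
        elif lh == "cc":
            out.append(("Cc", v))
        elif lh == "subject":
            out.append(("Subject", v if v.lower().startswith("re:") else "Re: " + v))
        elif lh == "message-id":
            out.append(("In-Reply-To", v))
            out.append(("References", v))
    return out


def derive_response_hcp(refouter, refprotected, respond, encrypted_with_hp=True):
    """Build the one-time HCP for a response to the referenced message."""
    if not encrypted_with_hp:
        return hcp_no_confidentiality
    genprotected = list(respond(refprotected))
    genouter = list(respond(refouter))
    # Pairs generated identically from both inputs need no extra protection.
    for pair in list(genprotected):
        if pair in genouter:
            genprotected.remove(pair)
            genouter.remove(pair)
    # Map each remaining protected pair to its outer counterpart, or to None
    # (null) when the outer message would not have produced that field.
    confmap = {}
    for h, v in genprotected:
        result = None
        for h1, v1 in genouter:
            if h1.lower() == h.lower():  # names compare case-insensitively
                result = v1
        confmap[(h.lower(), v)] = result

    def response_hcp(name, val_in):
        key = (name.lower(), val_in)
        return confmap[key] if key in confmap else val_in

    return response_hcp


if __name__ == "__main__":
    hcp = derive_response_hcp(REFOUTER, REFPROTECTED, respond_reply_all)
    for h, v in respond_reply_all(REFPROTECTED):
        print(h, "->", hcp(h, v))
```

The map is keyed on the exact pre-populated value, so a Subject that the user edits before sending falls through to the sender's own hcp.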

The composition algorithm proceeds as follows:

* Let newbody be a copy of origbody
* If crypto contains encryption, and legacy is true:
  - Create ldlist, an empty list of (header, value) pairs
  - For each Header Field name and value (h,v) in origheaders:
    o If h is User-Facing (see Section 1.1.2 of [I-D.ietf-lamps-e2e-mail-guidance]):
      + If hcp(h,v) is not v:
        * Add (h,v) to ldlist
  - If ldlist is not empty:
    o Identify each leaf MIME part of newbody that represents the "main body" of the message.
    o For each "Main Body Part" bodypart of type text/plain or text/html:
      + Adjust bodypart by inserting a Legacy Display Element header list ldlist into its content, and adding a Content-Type parameter hp-legacy-display with value 1 (see Section 2.5.6.1 for text/plain and Section 2.5.6.2 for text/html)
* For each Header Field name and value (h,v) in origheaders:
  - Add Header Field h to MIME part newbody with value v
* If crypto does not contain encryption:
  - Set the hp parameter on the Content-Type of MIME part newbody to clear
  - Let newheaders be a copy of origheaders
* Else (if crypto contains encryption):
  - Set the hp parameter on the Content-Type of MIME part newbody to cipher
  - If refmsg is not null, response is not null, and refmsg itself is encrypted with header protection:
    o Let response_hcp be a single-use HCP derived from response and refmsg (see Section 2.5.5)
  - Else (if this is not a response to an encrypted, header-protected message):
    o Set response_hcp to hcp_no_confidentiality
  - Create new empty list of Header Field names and values newheaders
  - For each Header Field name and value (h,v) in origheaders:
    o Let newval be hcp(h,v)
    o If newval is v:
      + Let newval be response_hcp(h,v)
    o If newval is not null:
      + Add (h,newval) to newheaders
  - For each Header Field name and value (h,v) in newheaders:
    o Let string record be the concatenation of h, a literal ": " (ASCII colon (0x3A) followed by ASCII space (0x20)), and v
    o Add Header Field "HP-Outer" to MIME part newbody with value record
* Apply crypto to MIME part newbody, producing MIME tree output
* For each Header Field name and value (h,v) in newheaders:
  - Add Header Field h to output with value v
* Return output

Note that both new parameters (hcp and legacy) are effectively ignored if crypto does not contain encryption. This is by design, because they are irrelevant for signed-only cryptographic protections.

2.5.6.1. Adding a Legacy Display Element to a text/plain Part

For a list of obscured and removed User-Facing Header Fields represented as (header, value) pairs, concatenate them as a set of lines, with one newline at the end of each pair. Add an additional trailing newline after the resultant text, and prepend the entire list to the body of the text/plain part.

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/plain Main Body Part that originally looked like this:

   Content-Type: text/plain; charset=UTF-8

   I think we should skip the meeting.

Would become:

   Content-Type: text/plain; charset=UTF-8; hp-legacy-display=1

   Subject: Thursday's meeting
   Cc: alice@example.net

   I think we should skip the meeting.

Note that the Legacy Display Element (the lines beginning with Subject: and Cc:) are part of the body of the MIME part in question.

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why no additional Header Fields have been injected into the MIME part in this example.

2.5.6.2. Adding a Legacy Display Element to a text/html Part

Adding a Legacy Display Element to a text/html part is similar to how it is added to a text/plain part (see Section 2.5.6.1). Instead of adding the obscured or removed User-Facing Header Fields to a block of text delimited by a blank line, the composing MUA injects them in an HTML <div> element annotated with a class attribute of header-protection-legacy-display.

The content and formatting of this decorative <div> have no strict requirements, but they MUST represent all the obscured and removed User-Facing Header Fields in a readable fashion. A simple approach is to assemble the text in the same way as Section 2.5.6.1, wrap it in a verbatim <pre> element, and put that element in the annotated <div>.

The annotated <div> should be placed as close to the start of the <body> as possible, where it will be visible when viewed with a standard HTML renderer.

The MUA MUST also add a Content-Type parameter of hp-legacy-display with value 1 to the MIME part to indicate that a Legacy Display Element was added.

For example, if the list of obscured Header Fields was [("Cc", "alice@example.net"), ("Subject", "Thursday's meeting")], then a text/html Main Body Part that originally looked like this:

   Content-Type: text/html; charset=UTF-8

   <html><head><title></title></head><body>
   <p>I think we should skip the meeting.</p>
   </body></html>

Would become:

   Content-Type: text/html; charset=UTF-8; hp-legacy-display=1

   <html><head><title></title></head><body>
   <div class="header-protection-legacy-display">
   <pre>Subject: Thursday's meeting
   Cc: alice@example.net</pre></div>
   <p>I think we should skip the meeting.</p>
   </body></html>

This example assumes that the Main Body Part in question is not the root of the Cryptographic Payload. For instance, it could be a leaf of a multipart/alternative Cryptographic Payload. This is why no additional Header Fields have been injected into the MIME part in this example.

2.5.6.2.1. Step-by-step Example for Inserting Legacy Display Element to text/html

A composing MUA MAY insert the Legacy Display Element anywhere reasonable within the message as long as it prioritizes visibility for the reader using a Legacy decryption-capable MUA. This decision may take into account special message-specific HTML formatting expectations if the MUA is aware of them. However, some MUAs may not have any special insight into the user's preferred HTML formatting, and still want to insert a Legacy Display Element. This section offers a non-normative, simple, and minimal step-by-step approach for a composing MUA that has no other information or preferences to fall back on.

The process below assumes that the MUA already has the full HTML object that it intends to send, including all of the text supplied by the user.

1. Assemble the text exactly as specified for text/plain (see Section 2.5.6.1).
2. Wrap that text in a verbatim <pre> element.
3. Wrap that <pre> element in a <div> element annotated with the class header-protection-legacy-display.
4. Find the <body> element of the full HTML object.
5. Insert the <div> element as the first child of the <body> element.

2.5.6.3. Only Add a Legacy Display Element to Main Body Parts

Some messages may contain a text/plain or text/html subpart that is _not_ a Main Body Part. For example, an e-mail message might contain an attached text file or a downloaded webpage. Attached documents need to be preserved as intended in the transmission, without modification.

The composing MUA MUST NOT add a Legacy Display Element to any part of the message that is not a Main Body Part. In particular, if a part is annotated with Content-Disposition: attachment, or if it does not descend via the first child of any of its multipart/mixed or multipart/related ancestors, it is not a Main Body Part, and MUST NOT be modified.

See Section 7.1 of [I-D.ietf-lamps-e2e-mail-guidance] for more guidance about common ways to distinguish Main Body Parts from other MIME parts in a message.

2.5.6.4. Do Not Add a Legacy Display Element to Other Content-Types

The purpose of injecting a Legacy Display Element into each Main Body MIME part is to enable rendering of otherwise obscured Header Fields in Legacy MUAs that are capable of message decryption, but don't know how to follow the rest of the guidance in this document.

The authors are unaware of any Legacy MUA that would render any MIME part type other than text/plain and text/html as the Main Body. A generating MUA SHOULD NOT add a Legacy Display Element to any MIME part with any other Content-Type.

2.5.7. Composing with "Wrapped Message" Header Protection

To compose a message using "Wrapped Message" Header Protection, the composing MUA uses the following inputs:

* All the inputs described in Section 2.5.1
* hcp: a Header Confidentiality Policy, as defined in Section 2.5.2
* response: if the new message is a response to another message (e.g., "Reply", "Reply All", "Forward", etc), the MUA function corresponding to the user's action (see Section 2.5.5), otherwise null
* refmsg: if the new message is a response to another message, the message being responded to, otherwise null

The algorithm proceeds as follows:

* Let newbody be a copy of origbody
* For each Header Field name and value (h,v) in origheaders:
  - Add Header Field h to MIME part newbody with value v
* If crypto does not contain encryption:
  - Let newheaders be a copy of origheaders
* Else (if crypto contains encryption):
  - If refmsg is not null, response is not null, and refmsg itself is encrypted with header protection:
    o Let response_hcp be a single-use HCP derived from response and refmsg (see Section 2.5.5)
  - Else (if this is not a response to an encrypted, header-protected message):
    o Set response_hcp to hcp_no_confidentiality
  - Create new empty list of Header Field names and values newheaders
  - For each Header Field name and value (h,v) in origheaders:
    o Let newval be hcp(h,v)
    o If newval is v:
      + Let newval be response_hcp(h,v)
    o If newval is not null:
      + Add (h,newval) to newheaders
  - For each Header Field name and value (h,v) in newheaders:
    o Let string record be the concatenation of h, a literal ": " (ASCII colon (0x3A) followed by ASCII space (0x20)), and v
    o Add Header Field "HP-Outer" to MIME part newbody with value record
* If any of the Header Fields in MIME part newbody, including Header Fields in the nested internal MIME structure, contain any 8-bit UTF-8 characters (see Section 3.7 of [RFC6532]):
  - Let payload be a new MIME part with one Header Field: Content-Type: message/global
* Else:
  - Let payload be a new MIME part with one Header Field: Content-Type: message/rfc822
* If crypto contains encryption:
  - Add a parameter hp="cipher" to the Content-Type Header Field of payload
* Else (if crypto does not contain encryption):
  - Add a parameter hp="clear" to the Content-Type Header Field of payload
* Add a parameter hp-scheme="wrapped" to the Content-Type Header Field of payload
* Set the body of payload to newbody.
* Add a Content-Disposition Header Field to MIME part payload with value inline
* Apply crypto to MIME part payload, producing MIME tree output
* For each Header Field name and value (h,v) in newheaders:
  - Add Header Field h to output with value v
* Return output

Note that the Header Confidentiality Policy hcp parameter is effectively ignored if crypto does not contain encryption. This is by design, because a signed-only message cannot provide confidentiality.

2.6. Default Header Confidentiality Policy

An MUA MUST have a default Header Confidentiality Policy that offers at least the protections provided by hcp_minimal as described in Section 2.6.1.
Local policy and configuration may alter this default, but the MUA SHOULD NOT require the user to select an HCP.

hcp_minimal provides confidentiality for the Subject Header Field by replacing it with the literal string "[...]". This is a sensible minimal default because most users treat the Subject of a message the same way that they treat the body, and they are surprised to find that the Subject of an encrypted message is visible.

2.6.1.  Minimal Header Confidentiality Policy

The most conservative recommended Header Confidentiality Policy only protects the Subject Header Field:

   hcp_minimal(name, val_in) → val_out:
     if lower(name) is 'subject':
       return '[...]'
     else:
       return val_in

hcp_minimal is the recommended default HCP for a new implementation, as it provides meaningful confidentiality protections and is unlikely to cause deliverability or usability problems.

2.6.2.  Strong Header Confidentiality Policy

Alternately, a more ambitious (and therefore more privacy-preserving) Header Confidentiality Policy only leaks a handful of fields whose absence is known to increase rates of delivery failure, and simultaneously obscures the Message-ID behind a random new one:

   hcp_strong(name, val_in) → val_out:
     if lower(name) in ['from', 'to', 'cc', 'date']:
       return val_in
     else if lower(name) is 'subject':
       return '[...]'
     else if lower(name) is 'message-id':
       return generate_new_message_id()
     else:
       return null

The function generate_new_message_id() represents whatever process the MUA typically uses to generate a Message-ID for a new outbound message.

hcp_strong is known to cause usability problems with message threading for many Legacy MUAs, and is not recommended as a default HCP for new implementations.

2.6.3.  No Header Confidentiality Policy

Legacy MUAs can be conceptualized as offering a "No Header Confidentiality" Policy, which offers no confidentiality protection to any Header Field:

   hcp_no_confidentiality(name, val_in) → val_out:
     return val_in

A conformant MUA that is not modified by local policy or configuration MUST NOT use hcp_no_confidentiality by default.

2.6.4.  Offering More Ambitious Header Confidentiality

An MUA MAY offer even more ambitious confidentiality for Header Fields of an encrypted message than described in Section 2.6.2. For example, it might implement an HCP that obscures the From Header Field, removes the Cc Header Field, or ensures Date is represented in UTC (obscuring the local time zone).

The authors of this document hope that implementers with deployment experience will document their chosen Header Confidentiality Policy and the rationale behind their choice.

This document defines hcp_no_confidentiality, hcp_minimal, and hcp_strong as a way to compare and contrast different possible behavioral choices for a composing MUA. An example hypothetical HCP, hcp_example_hide_cc, is included in Section 2.5.2.

While the HCP is not strictly a protocol element, this document creates a registry of named Header Confidentiality Policies for ease of communication.

2.6.4.1.  Expert Guidance for Registering Header Confidentiality Policies

There is no formal syntax specified for the Header Confidentiality Policy, but any attempt to specify an HCP for inclusion in the registry needs to provide:

* a stable reference document clearly indicating the distinct name for the proposed HCP
* pseudocode that other implementers can clearly and unambiguously interpret
* a clear explanation of why this HCP is different from all other registered HCPs
* any relevant considerations related to deployment of the HCP (for example, known or expected deliverability, rendering, or privacy challenges and possible mitigations)

When the proposed HCP produces any non-null output for a given Header Field name, val_out SHOULD match the expected ABNF for that Header Field. If the proposed HCP does not match the expected ABNF for that Header Field, the documentation should explicitly identify the relevant circumstances and provide a justification for the deviation.

An entry should not be marked as "Recommended" unless it has been shown to offer confidentiality or privacy improvements over the status quo and have minimal or mitigatable negative impact on messages to which it is applied, considering factors such as message deliverability and security. Only one entry in the table (hcp_minimal) is initially marked as "Recommended". In the future, more than one entry may be marked as "Recommended".

2.7.  Receiving Side

An MUA that receives a cryptographically protected e-mail will render it for the user.

The receiving MUA will render the message body, a selected subset of Header Fields, and (as described in Section 3 of [I-D.ietf-lamps-e2e-mail-guidance]) provide a summary of the cryptographic properties of the message.

Most MUAs only render a subset of Header Fields by default. For example, most MUAs render From, To, Cc, Date, and Subject to the user, but few render Message-Id or Received.
An MUA that knows how to handle a message with Header Protection makes the following three changes to its behavior when rendering a message:

* If the MUA detects that an incoming message has protected Header Fields:
  - For a Header Field that is present in the protected Header Section, the MUA MUST render that value, and ignore any unprotected counterparts that may be present.
  - For a Header Field that is present only in the unprotected Header Section, the MUA SHOULD NOT render that value. If it does render the value, the MUA SHOULD indicate that the rendered value is unprotected. For an exception to this, see Section 2.7.10 for a discussion of some specific Header Fields that are known to be added in transit, and therefore are not expected to have end-to-end cryptographic protections.
* The MUA SHOULD include information in the message's Cryptographic Summary to indicate the types of protection that applied to each rendered Header Field (if any).
* When replying to a message with confidential Header Fields, the replying MUA avoids leaking into the cleartext of the reply any Header Fields which were confidential in the original. It does this even if its own Header Confidentiality Policy would not have treated those Header Fields as confidential. See Section 2.7.8 for more details.

Note that an MUA that handles a message with Header Protection does _not_ need to render any new Header Fields that it did not render before.

2.7.1.  Identifying that a Message has Header Protection

An incoming message can be identified as having Header Protection based on one of two signals:

* The Cryptographic Payload has Content-Type: message/rfc822 or Content-Type: message/global and the parameter hp has a value of clear or cipher, and the hp-scheme has a value of wrapped. See Section 2.7.4 for rendering guidance.
* The Cryptographic Payload has some other Content-Type and it has parameter hp set to clear or cipher. See Section 2.7.3 for rendering guidance.

Messages of both types exist in the wild, and a compliant MUA MUST be able to handle them both. They provide the same semantics and the same meaning.

2.7.2.  Updating the Cryptographic Summary

Regardless of whether a cryptographically protected message has protected Header Fields, the Cryptographic Summary of the message should be modified to indicate what protections the Header Fields have. This field-by-field status is complex and isn't necessarily intended to be presented in full to the user. Rather, it represents the state of the message internally within the MUA, and may be used to influence behavior like replying to the message (see Section 2.7.8.1).

Each Header Field individually has exactly one of the following protection states:

* unprotected (has no Header Protection)
* signed-only (bound into the same validated signature as the enclosing message, but also visible in transit)
* encrypted-only (only appears within the Cryptographic Payload; the corresponding external Header Field was either removed or obscured)
* signed-and-encrypted (same as encrypted-only, but additionally is under a validated signature)

If the message does not have Header Protection (as determined by Section 2.7.1), then all of the Header Fields are by definition unprotected.

If the message has Header Protection, an MUA SHOULD use the following algorithm to compute the protection state of a protected Header Field (h,v) (i.e., an element of refprotected from Section 2.5.4):

* Let ct be the Content-Type of the root of the Cryptographic Payload.
* Let refouter be the list of unprotected Header Fields (as computed by Section 2.5.4).
* Let is_sig_valid be false
* If the message is signed:
  - Let is_sig_valid be the result of validating the signature
* If the message is encrypted, and if ct has a parameter hp=cipher, and if (h,v) is not in refouter:
  - Return signed-and-encrypted if is_sig_valid otherwise encrypted-only
* Return signed-only if is_sig_valid otherwise unprotected

Note that:

* This algorithm is independent of the unprotected Header Fields. It derives the protection state only from (h,v) and the set of HP-Outer Header Fields, both of which are inside the Cryptographic Envelope.
* If the signature fails validation, the MUA lowers the affected state to unprotected or encrypted-only without warning the user, as specified by Section 3.1 of [I-D.ietf-lamps-e2e-mail-guidance].
* Data from signed-and-encrypted and encrypted-only Header Fields may still not be fully private (see Section 6.2).
* Encryption may have been added in transit to an originally signed-only message. Thus only consider Header Fields to be confidential if the sender indicates it with the hp=cipher parameter.
* The protection state of a Header Field may be weaker than that of the message body. For example, a message body can be signed-and-encrypted, but a Header Field that is copied unmodified to the unprotected Header Section is signed-only.

If the message has Header Protection, Header Fields that are not in refprotected (e.g., because they were added in transit), are unprotected.

Rendering the cryptographic status of each Header Field is likely to be complex and messy --- users may not understand it. It is beyond the scope of this document to suggest any specific graphical affordances or user experience. Future work should include examples of successful rendering of this information.

2.7.3.  Rendering a Message with Injected Headers

When the Cryptographic Payload does not have a Content-Type of message/rfc822 or message/global, and the parameter hp is set to clear or cipher, the values of the protected Header Fields are drawn from the Header Fields of the Cryptographic Payload, and the body that is rendered is the Cryptographic Payload itself.

2.7.3.1.  Example Signed-only Message with Injected Headers

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   A └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   B   └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   C    ├─╴text/plain
   D    └─╴text/html

The message body should be rendered the same way as this message:

   B └┬╴multipart/alternative
   C  ├─╴text/plain
   D  └─╴text/html

The MUA should render Header Fields taken from part B.

Its Cryptographic Summary should indicate that the message was signed and all rendered Header Fields were included in the signature.

Because this message is signed-only, none of its parts will have a Legacy Display Element.

The MUA should ignore Header Fields from part A for the purposes of rendering.

2.7.3.2.  Example Signed-and-Encrypted Message with Injected Headers

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   E └─╴application/pkcs7-mime; smime-type="enveloped-data"
       ↧ (decrypts to)
   F   └─╴application/pkcs7-mime; smime-type="signed-data"
        ⇩ (unwraps to)
   G    └┬╴multipart/alternative [Cryptographic Payload + Rendered Body]
   H     ├─╴text/plain
   I     └─╴text/html

The message body should be rendered the same way as this message:

   G └┬╴multipart/alternative
   H  ├─╴text/plain
   I  └─╴text/html

It should render Header Fields taken from part G.

Its Cryptographic Summary should indicate that the message is signed-and-encrypted.
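The protection-state algorithm of Section 2.7.2, applied to a signed-and-encrypted message like the one above, as an added Python example that is not part of this specification. It covers the Injected Headers scheme only; the sample payload, the outer fields and the function names are constructed, and leaving Content-* and MIME-Version out of refprotected is an assumption of this example.

```python
from email import message_from_string

# Constructed sample: decrypted Cryptographic Payload of a message composed
# with hcp_minimal, so only Subject differs between inside and outside.
SAMPLE_PAYLOAD = """\
Content-Type: text/plain; charset="us-ascii"; hp="cipher"
MIME-Version: 1.0
Subject: Quarterly numbers
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Date: Mon, 03 Jun 2024 10:00:00 +0000
HP-Outer: Subject: [...]
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Date: Mon, 03 Jun 2024 10:00:00 +0000

The numbers are attached.
"""

# Constructed sample: Header Fields found outside the Cryptographic Envelope.
SAMPLE_OUTER = [
    ("Subject", "[...]"),
    ("From", "Alice <alice@example.net>"),
    ("To", "Bob <bob@example.net>"),
    ("Cc", "Mallory <mallory@example.org>"),  # present only outside
]


def norm(name, value):
    """Header Field names compare case-insensitively; trim the value."""
    return name.strip().lower(), value.strip()


def header_sets(payload):
    """Return (refouter, refprotected) read from the payload's Header Fields."""
    refouter, refprotected = set(), []
    for name, value in payload.items():
        lname = name.lower()
        if lname == "hp-outer":
            # Each HP-Outer value is '<name>: <value>'; split at the first colon.
            h, sep, v = value.partition(":")
            if sep:
                refouter.add(norm(h, v))
        elif not lname.startswith("content-") and lname != "mime-version":
            # Assumption of this example: structural fields are left out.
            refprotected.append((name, value.strip()))
    return refouter, refprotected


def protection_state(field, hp, refouter, encrypted, signed, sig_ok):
    """The Section 2.7.2 algorithm for one protected Header Field (h,v)."""
    is_sig_valid = bool(signed and sig_ok)
    if encrypted and hp == "cipher" and norm(*field) not in refouter:
        return "signed-and-encrypted" if is_sig_valid else "encrypted-only"
    return "signed-only" if is_sig_valid else "unprotected"


def summarize(payload_text, outer, encrypted, signed, sig_ok):
    """Return (name, value, state) for every Header Field worth considering."""
    payload = message_from_string(payload_text)
    hp = payload.get_param("hp")
    hp = hp.lower() if isinstance(hp, str) else None
    if hp not in ("clear", "cipher"):
        # No Header Protection: all Header Fields are unprotected.
        return [(n, v, "unprotected") for n, v in outer]
    refouter, refprotected = header_sets(payload)
    rows = [(n, v, protection_state((n, v), hp, refouter,
                                    encrypted, signed, sig_ok))
            for n, v in refprotected]
    # Fields that exist only outside the envelope (e.g. added in transit) are
    # unprotected; outer copies of protected fields are ignored entirely.
    protected_names = {n.lower() for n, _ in refprotected}
    rows += [(n, v, "unprotected") for n, v in outer
             if n.lower() not in protected_names]
    return rows


if __name__ == "__main__":
    for name, value, state in summarize(SAMPLE_PAYLOAD, SAMPLE_OUTER,
                                        True, True, True):
        print(f"{state:22} {name}: {value}")
```

Only Subject comes out as signed-and-encrypted here, because every other protected field has a matching HP-Outer copy; the outer-only Cc is reported as unprotected regardless of the signature.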
When rendering the Cryptographic Status of a Header Field and when composing a reply, each Header Field found in G should be considered against all HP-Outer Header Fields found in G. If an HP-Outer Header Field is found that matches both the name and value, the Header Field's Cryptographic Status is just signed-only, even though the message itself is signed-and-encrypted. If no matching HP-Outer Header Field is found, the Header Field's Cryptographic Status is signed-and-encrypted, like the rest of the message.

If any of the User-Facing Header Fields are removed or obscured, the composer of this message may have placed Legacy Display Elements in parts H and I.

The MUA should ignore Header Fields from part E for the purposes of rendering.

2.7.3.3.  Do Not Render Legacy Display Elements

As described in Section 2.1, a message with cryptographic confidentiality protection MAY include Legacy Display Elements for backward-compatibility with Legacy MUAs. These Legacy Display Elements are strictly decorative, unambiguously identifiable, and will be discarded by compliant implementations.

The receiving MUA MUST avoid rendering the identified Legacy Display Elements to the user at all, since it is aware of Header Protection and can render the actual protected Header Fields.

If a text/html or text/plain part within the Cryptographic Envelope is identified as containing Legacy Display Elements, those elements MUST be hidden when rendering and MUST be dropped when generating a draft reply or inline forwarded message. Whenever a Message or MIME subtree is exported, downloaded, or otherwise further processed, if there is no need to retain a valid cryptographic signature, the implementer MAY drop the Legacy Display Elements.

2.7.3.3.1.  Identifying a Part with Legacy Display Elements

A receiving MUA acting on a message that contains an encrypting Cryptographic Layer identifies a MIME subpart within the Cryptographic Payload as containing Legacy Display Elements based on the Content-Type of the subpart. The subpart's Content-Type:

* contains a parameter hp-legacy-display with value set to 1, and
* is either text/html (see Section 2.7.3.3.3) or text/plain (see Section 2.7.3.3.2).

Note that the term "subpart" above is used in the general sense: if the Cryptographic Payload is a single part, that part itself may contain a Legacy Display Element if it is marked with the hp-legacy-display=1 parameter.

2.7.3.3.2.  Omitting Legacy Display Elements from text/plain

If a text/plain part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

* Discard the leading lines of the body of the part up to and including the first entirely blank line.

Note that implementing this strategy is dependent on the charset used by the MIME part.

See Appendix D.1 for an example.

2.7.3.3.3.  Omitting Legacy Display Elements from text/html

If a text/html part within the Cryptographic Payload has the Content-Type parameter hp-legacy-display="1", it should be processed before rendering in the following fashion:

* If any element of the HTML <body> is a <div> with class attribute header-protection-legacy-display, that entire element should be omitted.

This cleanup could be done, for example, as a custom rule in the MUA's HTML sanitizer, if one exists. Another implementation strategy for an HTML-capable MUA would be to add an entry to the [CSS] stylesheet for such a part:

   body div.header-protection-legacy-display { display: none; }

2.7.4.  Rendering a Wrapped Message

When the Cryptographic Payload has Content-Type of message/rfc822 or message/global, and the parameter hp is set to clear or cipher, and the parameter hp-scheme is set to wrapped, the values of the protected Header Fields are drawn from the Header Fields of the Cryptographic Payload, and the body that is rendered is the body of the Cryptographic Payload.

2.7.4.1.  Example Signed-Only Wrapped Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   J └─╴application/pkcs7-mime; smime-type="signed-data"
       ⇩ (unwraps to)
   K   └┬╴message/rfc822 [Cryptographic Payload]
   L    └┬╴multipart/alternative [Rendered Body]
   M     ├─╴text/plain
   N     └─╴text/html

The message body should be rendered the same way as this message:

   L └┬╴multipart/alternative
   M  ├─╴text/plain
   N  └─╴text/html

It should render Header Fields taken from part K.

Its Cryptographic Summary should indicate that the message was signed and all rendered Header Fields were included in the signature.

The MUA should ignore Header Fields from part J for the purposes of rendering.

2.7.4.2.  Example Signed-and-Encrypted Wrapped Message

Consider a message with this structure, where the MUA is able to validate the cryptographic signature:

   O └─╴application/pkcs7-mime; smime-type="enveloped-data"
       ↧ (decrypts to)
   P   └─╴application/pkcs7-mime; smime-type="signed-data"
        ⇩ (unwraps to)
   Q    └┬╴message/rfc822 [Cryptographic Payload]
   R     └┬╴multipart/alternative [Rendered Body]
   S      ├─╴text/plain
   T      └─╴text/html

The message body should be rendered the same way as this message:

   R └┬╴multipart/alternative
   S  ├─╴text/plain
   T  └─╴text/html

It should render Header Fields taken from part Q.

Its Cryptographic Summary should indicate that the message is signed-and-encrypted.

When rendering the Cryptographic Status of a Header Field and when composing a reply, each Header Field found in Q should be considered against all HP-Outer Header Fields found in Q. If an HP-Outer Header Field is found that matches both the name and value, the Header Field's Cryptographic Status is just signed-only, even though the message itself is signed-and-encrypted. If no matching HP-Outer Header Field is found, the Header Field's Cryptographic Status is signed-and-encrypted, like the rest of the message.

The MUA should ignore Header Fields from part O for the purposes of rendering.

2.7.5.  Guidance for Automated Message Handling

Some automated systems have a control channel that is operated by e-mail. For example, an incoming e-mail message could subscribe someone to a mailing list, initiate the purchase of a specific product, approve another message for redistribution, or adjust the state of some shared object.

To the extent that such a system depends on end-to-end cryptographic guarantees about the e-mail control message, Header Protection as described in this document should improve the system's security.
This section provides some specific guidance for systems that use e-mail messages as a control channel that want to benefit from these security improvements.

2.7.5.1.  Interpret Only Protected Header Fields

Consider the situation where an e-mail-based control channel depends on the message's cryptographic signature and the action taken depends on some Header Field of the message.

In this case, the automated system MUST rely on information from the Header Field that is protected by the mechanism described in this document. It MUST NOT rely on any Header Field found outside the Cryptographic Payload.

For example, consider an administrative interface for a mailing list manager that only accepts control messages that are signed by one of its administrators. When an inbound message for the list arrives, it is queued (waiting for administrative approval) and the system generates and listens for two distinct e-mail addresses related to the queued message -- one that approves the message, and one that rejects it. If an administrator sends a signed control message to the approval address, the mailing list verifies that the protected To Header Field of the signed control message contains the approval address before approving the queued message for redistribution. If the protected To Header Field does not contain that address, or there is no protected To Header Field, then the mailing list logs or reports the error and does not act on that control message.

2.7.5.2.  Ignore Legacy Display Elements

Consider the situation where an e-mail-based control channel expects to receive an end-to-end encrypted message -- for example, where the control messages need confidentiality guarantees -- and where the action taken depends on the contents of some MIME part within the message body.
In this case, the automated system that decrypts the incoming messages and scans the relevant MIME part MUST identify when the MIME part contains a Legacy Display Element (see Section 2.7.3.3.1), and it MUST parse the relevant MIME part with the Legacy Display Element removed.

For example, consider an administrative interface of a confidential issue tracking software. An authorized user can confidentially adjust the status of a tracked issue by a specially formatted first line of the message body (for example, severity #183 serious). When the user's MUA encrypts a plain text control message to this issue tracker, depending on the MUA's HCP and its choice of legacy value, it may add a Legacy Display Element. If it does so, then the first line of the message body will contain a decorative copy of the confidential Subject Header Field. The issue tracking software decrypts the incoming control message, identifies that there is a Legacy Display Element in the part (see Section 2.7.3.3.1), strips the lines comprising the Legacy Display Element (including the first blank line), and only then parses the remaining top line to look for the expected special formatting.

2.7.6.  Affordances for Debugging and Troubleshooting

Note that advanced users of an MUA may need access to the original message, for example to troubleshoot problems with the rendering MUA itself, or problems with the SMTP transport path taken by the message.

An MUA that applies these rendering guidelines SHOULD ensure that the full original source of the message as it was received remains available to such a user for debugging and troubleshooting.
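The issue-tracker handling described in Section 2.7.5.2, using the text/plain rule of Section 2.7.3.3.2, as an added Python example that is not part of this specification. The sample payloads, the command pattern and the function names are constructed for illustration; rejecting a flagged part that contains no blank line is this example's own choice, since that case is not specified here.

```python
import re
from email import message_from_bytes

# Hypothetical command syntax, modeled on the "severity #183 serious" example.
COMMAND = re.compile(r"severity #(\d+) (\w+)")

# Constructed sample: decrypted Cryptographic Payload whose composer added a
# Legacy Display Element (a decorative copy of the confidential Subject).
WITH_LDE = (
    b'Content-Type: text/plain; charset="utf-8"; hp-legacy-display="1";'
    b' hp="cipher"\r\n'
    b"Subject: Printer jams on duplex jobs\r\n"
    b"HP-Outer: Subject: [...]\r\n"
    b"\r\n"
    b"Subject: Printer jams on duplex jobs\r\n"
    b"\r\n"
    b"severity #183 serious\r\n"
    b"Reproduced on two machines.\r\n"
)
# Constructed sample: the same control message from an MUA that added no element.
WITHOUT_LDE = (
    b'Content-Type: text/plain; charset="utf-8"; hp="cipher"\r\n'
    b"Subject: Printer jams on duplex jobs\r\n"
    b"\r\n"
    b"severity #183 serious\r\n"
)
# Constructed sample: flagged as carrying an element, but with no blank line.
MALFORMED = WITH_LDE.replace(b"jobs\r\n\r\nseverity", b"jobs\r\nseverity")


def has_legacy_display(part, encrypted):
    """Section 2.7.3.3.1 test, narrowed to text/plain for this example."""
    return (encrypted
            and part.get_content_type() == "text/plain"
            and part.get_param("hp-legacy-display") == "1")


def body_lines(part):
    """Decode the body with the part's own charset and split it into lines."""
    raw = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "us-ascii"
    return raw.decode(charset, errors="replace").splitlines()


def strip_legacy_display(lines):
    """Drop leading lines up to and including the first entirely blank line."""
    for i, line in enumerate(lines):
        if line == "":
            return lines[i + 1:]
    return None  # no blank line: the element cannot be delimited


def first_line_naive(payload_bytes):
    """What a handler unaware of Legacy Display Elements would try to parse."""
    lines = body_lines(message_from_bytes(payload_bytes))
    return lines[0] if lines else ""


def parse_control(payload_bytes, encrypted=True):
    """Return (issue, severity), or None when the message must not be acted on."""
    part = message_from_bytes(payload_bytes)
    lines = body_lines(part)
    if has_legacy_display(part, encrypted):
        lines = strip_legacy_display(lines)
        if lines is None:
            return None  # this example's choice: reject rather than guess
    match = COMMAND.fullmatch(lines[0].strip()) if lines else None
    return (int(match.group(1)), match.group(2)) if match else None


if __name__ == "__main__":
    print("naive first line:", first_line_naive(WITH_LDE))
    print("parsed command:  ", parse_control(WITH_LDE))
```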
If a troubleshooting scenario demands information about the cryptographically protected values of Header Fields, and the message is encrypted, the debugging interface SHOULD also provide a "source" view of the Cryptographic Payload itself, alongside the full original source of the message as received.

2.7.7.  Rendering Other Schemes

Other MUAs may have generated different structures of messages that aim to offer end-to-end cryptographic protections that include Header Protection. This document is not normative for those schemes, and it is NOT RECOMMENDED to generate these other schemes, as they can either have structural flaws or simply render poorly on Legacy MUAs. A conformant MUA MAY attempt to infer Header Protection when rendering an existing message that appears to use some other scheme not documented here. Pointers to some known other schemes can be found in Appendix E.

2.7.8.  Replying to an Encrypted Message with Header Protection

When composing a reply to a message with Header Protection, the MUA is acting both as a receiving MUA and as a sending MUA. For encrypted messages, special guidance applies, because information can leak in at least two ways: leaking previously confidential Header Fields, and leaking the entire message by replying to the wrong party.

2.7.8.1.  Avoid Leaking Encrypted Header Fields in Replies

As noted in Section 5.4 of [I-D.ietf-lamps-e2e-mail-guidance], an MUA in this position MUST NOT leak previously encrypted content in the clear in a follow-up message. The same is true for protected Header Fields.

Values from any Header Field that was identified as either encrypted-only or signed-and-encrypted based on the steps outlined above MUST NOT be placed in cleartext output when generating a message.
In particular, if Subject was encrypted, and it is copied into the draft encrypted reply, the replying MUA MUST obscure the unprotected (cleartext) Subject Header Field as described above.

When crafting the Header Fields for a reply message, the composing MUA SHOULD make use of the HP-Outer Header Fields from within the Cryptographic Envelope of the reference message to ensure that Header Fields derived from the reference message do not leak in the reply.

See Section 2.5.5 for an explicit algorithm to handle this cleanly.

Consider a Header Field in a reply message that is generated by derivation from a Header Field in the reference message. For example, the To Header Field is typically derived from the reference message's Reply-To or From Header Fields. When generating the outer copy of the Header Field, the composing MUA first applies its own Header Confidentiality Policy. If the Header Field's value is changed by the HCP, then it is applied to the outside header. If the Header Field's value is unchanged, the composing MUA re-generates the Header Field using the Header Fields that had been on the outside of the original message at sending time. These can be inferred from the HP-Outer Header Fields located within the Cryptographic Payload of the referenced message. If that value is itself different than the protected value, then it is applied to the outside header. If the value is the same as the protected value, then it is simply copied to the outside header directly. Whether it was changed or not, it is noted in the protected Header Section using HP-Outer, as described in Section 2.5.3.

See Appendix C.2 for a simple worked example of this process.

2.7.8.2.  Avoid Misdirected Replies

When replying to a message, the Composing MUA typically decides who to send the reply to based on:

* the Reply-To, Mail-Followup-To, or From Header Fields
* optionally, the other To or Cc Header Fields (if the user chose to "reply all")

When a message has Header Protection, the replying MUA MUST populate the destination fields of the draft message using the protected Header Fields, and ignore any unprotected Header Fields.

This mitigates against an attack where Mallory gets a copy of an encrypted message from Alice to Bob, and then replays the message to Bob with an additional Cc to Mallory's own e-mail address in the message's outer (unprotected) Header Section.

If Bob knows Mallory's certificate already, and he replies to such a message without following the guidance in this section, it's likely that his MUA will encrypt the cleartext of the message directly to Mallory.

2.7.9.  Implicitly rendered Header Fields

While From, To, Cc, Subject, and Date are often explicitly rendered to the user, some Header Fields do affect message display, without being explicitly rendered.

For example, Message-Id, References, and In-Reply-To Header Fields may collectively be used to place a message in a "thread" or series of messages.

In another example, Section 2.7.8.2 observes that the value of the Reply-To field can influence the draft reply message. So while the user may never see the Reply-To Header Field directly, it is implicitly "rendered" when the user interacts with the message by replying to it.

An MUA that depends on any implicitly rendered Header Field in a message with Header Protection MUST use the value from the protected Header Field, and SHOULD NOT use any value found outside the cryptographic protection unless it is known to be a Header Field added in transit, as specified in Section 2.7.10.

2.7.10.  Unprotected Header Fields Added in Transit

Some Header Fields are legitimately added in transit and could not have been known to the sender at message composition time.

The most common of these Header Fields are Received and DKIM-Signature, neither of which are typically rendered, either explicitly or implicitly.

If a receiving MUA has specific knowledge about a given Header Field, including that:

* the Header Field would not have been known to the original sender, and
* the Header Field might be rendered explicitly or implicitly,

then the MUA MAY decide to operate on the value of that Header Field from the unprotected Header Section, even though the message has Header Protection.

The MUA MAY prefer to verify that the Header Fields in question have additional transit-derived cryptographic protections before rendering or acting on them. For example, the MUA could verify whether these Header Fields are covered by an appropriate and valid ARC-Authentication-Results (see [RFC8617]) or DKIM-Signature (see [RFC6376]) Header Field.

Specific examples of user-meaningful Header Fields commonly added by transport agents appear below.

2.7.10.1.  Mailing list Header Fields: List-* and Archived-At

If the message arrives through a mailing list, the list manager itself may inject Header Fields (most have a List- prefix) in the message:

* List-Archive
* List-Subscribe
* List-Unsubscribe
* List-Id
* List-Help
* List-Post
* Archived-At

For some MUAs, these Header Fields are implicitly rendered, by providing buttons for actions like "Subscribe", "View Archived Version", "Reply List", "List Info", etc.
An MUA that receives a message with Header Protection that contains these Header Fields in the unprotected section, and that has reason to believe the message is coming through a mailing list MAY decide to render them to the user (explicitly or implicitly) even though they are not protected.

2.7.11.  Handling Undecryptable Messages

An MUA might receive an apparently encrypted message that it cannot currently decrypt. For example, when an MUA does not have regular access to the secret key material needed for decryption, it cannot know the cryptographically protected Header Fields or even whether the message has any cryptographically protected Header Fields.

Such an undecrypted message will be rendered by the MUA as a message without any Header Protection. This means that the message summary may well change how it is rendered when the user is finally able to supply the secret key.

For example, the rendering of the Subject Header Field in a mailbox summary might change from [...] to the real message subject when the message is decrypted. Or the message's placement in a message thread might change if, say, References or In-Reply-To have been removed or obscured (see Section 2.7.9).

Additionally, if the MUA does not retain access to the decrypting secret key, and it drops the decrypted form of a message, the message's rendering may revert to the encrypted form. For example, if an MUA follows this behavior, the Subject Header Field in a mailbox summary might change from the real message subject back to [...]. Or the message might be yanked out of its current thread if the MUA loses access to a removed References or In-Reply-To header.

These behaviors are likely to surprise the user.
However, an MUA has several possible ways of reducing or avoiding all of these surprises, including:

* Ensuring that the MUA always has access to decryption-capable secret key material.
* Rendering undecrypted messages in a special quarantine view until the decryption-capable secret key material is available.

To reduce or avoid the surprises associated with a decrypted message with removed or obscured Header Fields becoming undecryptable, the MUA could also:

* Securely cache metadata from a decrypted message's protected Header Fields so that its rendering doesn't change after the first decryption.
* Securely store the session key associated with a decrypted message, so that attempts to read the message when the long-term secret key is unavailable can proceed using only the session key itself. See, for example, the discussion about stashing session keys in Section 9.1 of [I-D.ietf-lamps-e2e-mail-guidance].

3.  E-mail Ecosystem Evolution

This document is intended to offer tooling needed to improve the state of the e-mail ecosystem in a way that can be deployed without significant disruption. Some elements of this specification are present for transitional purposes, but would not exist if the system were designed from scratch.

This section describes these transitional mechanisms, as well as some suggestions for how they might eventually be phased out.

3.1.  Dropping Legacy Display Elements

Any decorative Legacy Display Element added to an encrypted message that uses the Injected Header scheme is present strictly for enabling Header Field visibility (most importantly, the Subject Header Field) when the message is viewed with a decryption-capable Legacy MUA.

Eventually, the hope is that most decryption-capable MUAs will conform to this specification, and there will be no need for injection of Legacy Display Elements in the message body.
A survey of widely used decryption-capable MUAs might be able to establish when most of them do support this specification.

At that point, a composing MUA could set the legacy parameter described in Section 2.5.6 to false by default or could even hard-code it to false, yielding a much simpler message construction set.

Until that point, an end user might want to signal that their receiving MUAs are conformant to this document so that a peer composing a message to them can set legacy to false. A signal indicating capability of handling messages with Header Protection might be placed in the user's cryptographic certificate, or in outbound messages.

This document does not attempt to define the syntax or semantics of such a signal.

3.2. More Ambitious Default Header Confidentiality Policy

This document defines a few different forms of Header Confidentiality Policy. An MUA implementing an HCP for the first time SHOULD deploy hcp_minimal as recommended in Section 2.6. This HCP offers the most commonly expected protection (obscuring the Subject Header Field) without risking deliverability or rendering issues.

The HCPs proposed in this document are relatively conservative and still leak a significant amount of metadata for encrypted messages. This is largely done to ensure deliverability (see Section 1.4.2) and usability, as messages without some critical Header Fields are more likely to not reach their intended recipient.

In the future, some mail transport systems may accept and deliver messages with even less publicly visible metadata. Many MTA operators today would ask for additional guarantees about such a message to limit the risks associated with abusive or spammy mail.

This specification offers the HCP formalism itself as a way for MUA developers and MTA operators to describe their expectations around message deliverability.
MUA developers can propose a more ambitious default HCP, and ask MTA operators (or simply test) whether their MTAs would be likely to deliver or reject encrypted mail with that HCP applied. Proponents of a more ambitious HCP should explicitly document the HCP and name it clearly and unambiguously to facilitate this kind of interoperability discussion.

Reaching widespread consensus around a more ambitious global default HCP is a challenging problem of coordinating many different actors. A piecemeal approach might be more feasible, where some signalling mechanism allows a message recipient, MTA operator, or third-party clearinghouse to announce what kinds of HCPs are likely to be deliverable for a given recipient. In such a situation, the default HCP for an MUA might involve consulting the signalled acceptable HCPs for all recipients, and combining them (along with a default for when no signal is present) in some way.

If such a signal were to reach widespread use, it could also be used to guide reasonable statistical default HCP choices for recipients with no signal.

This document does not attempt to define the syntax or semantics of such a signal.

3.3. Deprecation of Messages Without Header Protection

At some point, when the majority of MUA clients can generate cryptographically protected messages with Header Protection, it should be possible to deprecate any cryptographically protected message that does not have Header Protection.

For example, as noted in Section 4.1, it's possible for an MUA to render a signed-only message that has no Header Protection the same as an unprotected message. And a signed-and-encrypted message without Header Protection could likewise be marked as not fully protected.

These stricter rules could be adopted immediately for all messages.
Or an MUA developer could roll them out immediately for any new message, but still treat an old message (based on the Date Header Field and cryptographic signature timestamp) more leniently.

A decision like this by any popular receiving MUA could drive adoption of this standard for sending MUAs.

4. Usability Considerations

This section describes concerns for MUAs that are interested in easy adoption of Header Protection by normal users.

While they are not protocol-level artifacts, these concerns motivate the protocol features described in this document.

See also the Usability commentary in Section 2 of [I-D.ietf-lamps-e2e-mail-guidance].

4.1. Mixed Protections Within a Message Are Hard To Understand

When rendering a message to the user, the ideal circumstance is to present a single cryptographic status for any given message. However, when message Header Fields are present, some message Header Fields do not have the same cryptographic protections as the main message.

Representing such a mixed set of protection statuses is very difficult to do in a way that an Ordinary User can understand. There are at least three scenarios that are likely to be common, and poorly understood:

* A signed message with no Header Protection.

* A signed-and-encrypted message with no Header Protection.

* A signed-and-encrypted message with Header Protection as described in this document, where some User-Facing Header Fields have confidentiality but some do not.

An MUA should have a reasonable strategy for clearly communicating each of these scenarios to the user.
For example, an MUA operating in an environment where it expects most cryptographically protected messages to have Header Protection could use the following rendering strategy:

* When rendering a message with signed-only cryptographic status but no Header Protection, an MUA may decline to indicate a positive security status overall, and only indicate the cryptographic status to a user in a message properties or diagnostic view. That is, the message may appear identical to an unsigned message except if a user verifies the properties through a menu option.

* When rendering a message with signed-and-encrypted or encrypted-only cryptographic status but no Header Protection, overlay a warning flag on the typical cryptographic status indicator. That is, if a typical signed-and-encrypted message displays a lock icon, display a lock icon with a warning sign (e.g., an exclamation point in a triangle) overlaid. See, for example, the graphics in [chrome-indicators].

* When rendering a message with signed-and-encrypted or encrypted-only cryptographic status, with Header Protection, but where the Subject Header Field has not been removed or obscured, place a warning sign on the Subject line.

Other simple rendering strategies could also be reasonable.

4.2. Users Should Not Have To Choose a Header Confidentiality Policy

This document defines the abstraction of a Header Confidentiality Policy object for the sake of communication between implementers and deployments.

Most e-mail users are unlikely to understand the tradeoffs between different policies. In particular, the potential negative side effects (e.g., poor deliverability) may not be easily attributable by a normal user to a particular HCP.

Therefore, MUA implementers should be conservative in their choice of default HCP, and should not require the Ordinary User to make an incomprehensible choice that could cause unfixable, undiagnosable problems.
The safest option is for the MUA developer to select a known, stable HCP (this document recommends hcp_minimal in Section 2.6) on the user's behalf. An MUA should not expose the Ordinary User to a configuration option where they are expected to manually select (let alone define) an HCP.

4.3. Users Should Not Have To Choose a Header Protection Scheme

This document describes two Header Protection schemes: Injected Headers (Section 2.1) and Wrapped Messages (Section 2.2). These distinct schemes are described for the sake of implementers who may have to deal with messages found in the wild, but their intended semantics are identical. They represent different tradeoffs in terms of rendering and user experience on the recipient's side, which an Ordinary User writing a message is not prepared to select.

When composing a message with cryptographic protections, the Ordinary User should not be confronted with any choices about which Header Protection scheme to use. Rather, the MUA developer should use a single scheme for all outbound cryptographically protected messages. This document recommends the Injected Headers scheme (see Section 2).

5. Security Considerations

This document describes a mechanism for improving the security of cryptographically protected e-mail messages. Following the guidance in this document should improve security for users of these technologies by more directly aligning the underlying messages with user expectations about confidentiality, authenticity, and integrity.

However, many existing messages with cryptographic protections do not employ these mechanisms for header protection, and MUAs encountering these messages will need to handle older forms (without Header Protection) for quite some time. An implementation that deals with legacy message archives will need to deal with all the various formats forever.
Helping the user distinguish between cryptographic protections of various messages is a difficult job for message renderers. However, on the message generation side, the situation is much clearer: there is a standard form that a protected message can take, and an implementer can always generate the standard form.

Generating the standard form also makes it more likely that any receiving implementation will be able to handle the generated message appropriately.

The security considerations from Section 6 of [RFC8551] continue to apply for any MUA that offers S/MIME cryptographic protections, as well as Section 3 of [RFC5083] (Authenticated-Enveloped-Data in CMS) and Section 14 of [RFC5652] (CMS more broadly). Likewise, the security considerations from Section 8 of [RFC3156] continue to apply for any MUA that offers PGP/MIME cryptographic protections, as well as Section 13 of [I-D.ietf-openpgp-crypto-refresh-13] (OpenPGP itself). In addition, these underlying security considerations are now also applicable to the contents of the message header, not just the message body.

5.1. Avoid Cryptographic Summary Confusion from hp Parameter

When parsing a message, the recipient MUA infers the message's Cryptographic Status from the Cryptographic Layers, as described in Section 4.6 of [I-D.ietf-lamps-e2e-mail-guidance].

The Cryptographic Layers that make up the Cryptographic Envelope describe an ordered list of cryptographic properties as present in the message after it has been delivered. By contrast, the hp parameter to the Content-Type Header Field contains a simpler indication: whether the sender originally tried to encrypt the message or not.
In particular, for a message with Header Protection, the Cryptographic Payload should have an hp parameter of cipher if the message is encrypted (in addition to signed), and clear if no encryption is present (that is, the message is signed-only).

As noted in Section 2.3, the receiving implementation should not inflate its estimation of the confidentiality of the message or its Header Fields based on the sender's intent, if it can see that the message was not actually encrypted. A signed-only message that happens to have an hp parameter of cipher is still signed-only.

Conversely, since the encrypting Cryptographic Layer is typically outside the signature layer (see Section 5.2 of [I-D.ietf-lamps-e2e-mail-guidance]), an originally signed-only message could have been wrapped in an encryption layer by an intervening party before receipt, to appear encrypted.

If a message appears to be wrapped in an encryption layer, and the hp parameter is present but is not set to cipher, then it is likely that the encryption layer was not added by the original sender. For such a message, the lack of any HP-Outer Header Field in the Header Section of the Cryptographic Payload MUST NOT be used to infer that all Header Fields were removed from the message by the original sender. In such a case, the receiving MUA SHOULD treat every Header Field as though it was not confidential.

5.2. Caution about Composing with Legacy Display Elements

When composing a message, it's possible for a Legacy Display Element to contain risky data that could trigger errors in a rendering client.

For example, if the value for a Header Field to be included in a Legacy Display Element within a given body part contains folding whitespace, it should be "unfolded" before generating the Legacy Display Element: all contiguous folding whitespace should be replaced with a single space character.
Likewise, if the header value was originally encoded with [RFC2047], it should be decoded first to a standard string and re-encoded using the charset appropriate to the target part.

When including a Legacy Display Element in a text/plain part (see Section 2.5.6.1), if the decoded Subject Header Field contains a pair of newlines (e.g., if it is broken across multiple lines by encoded newlines), any newline MUST be stripped from the Legacy Display Element. If the pair of newlines is not stripped, a receiving MUA that follows the guidance in Section 2.7.3.3.2 might leave the later part of the Legacy Display Element in the rendered message.

When including a Legacy Display Element in a text/html part (see Section 2.5.6.2), any material in the header values should be explicitly HTML escaped to avoid being rendered as part of the HTML. At a minimum, the characters <, >, and & should be escaped to &lt;, &gt;, and &amp;, respectively (see for example [HTML-ESCAPES]). If unescaped characters from removed or obscured header values end up in the Legacy Display Element, a receiving MUA that follows the guidance in Section 2.7.3.3.3 might fail to identify the boundaries of the Legacy Display Element, cutting out more than it should, or leaving remnants visible. And a Legacy MUA parsing such a message might misrender the entire HTML stream, depending on the content of the removed or obscured header values.

The Legacy Display Element is a decorative addition solely to enable visibility of obscured or removed Header Fields in decryption-capable Legacy MUAs. When it is produced, it should be generated minimally and strictly, as described above, to avoid damaging the rest of the message.

5.3. Plaintext Attacks

An encrypted e-mail message using S/MIME or PGP/MIME tends to have some amount of predictable plaintext.
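The composing-side rules of Section 5.2 above, as an added Python example (not code from this document or its authors): it unfolds and RFC 2047-decodes a header value, strips newlines, and produces the single "Name: value" line for a text/plain or text/html Legacy Display Element. The function names and sample header values are constructed for illustration, and wrapping the line into the element described in Sections 2.5.6.1 and 2.5.6.2 is left out.

```python
import html
import re
from email.header import decode_header

# Folding whitespace that spans a line break: optional WSP, a line ending, WSP.
_FOLD = re.compile(r"[ \t]*(?:\r\n|\r|\n)[ \t]+")


def decode_rfc2047(raw: str) -> str:
    """Decode RFC 2047 encoded-words in a header value to a plain string."""
    out = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            try:
                out.append(chunk.decode(charset or "ascii", errors="replace"))
            except LookupError:  # charset label unknown to Python
                out.append(chunk.decode("ascii", errors="replace"))
        else:
            out.append(chunk)
    return "".join(out)


def display_value(raw: str) -> str:
    """Unfold, decode, then strip every newline so the value stays on one line.

    Section 5.2 requires newline stripping for text/plain; applying it to
    text/html as well is a conservative choice made by this example.
    """
    unfolded = _FOLD.sub(" ", raw)
    decoded = decode_rfc2047(unfolded)
    return decoded.replace("\r", "").replace("\n", "")


def lde_line_plain(name: str, raw: str, charset: str = "utf-8") -> bytes:
    """One Legacy Display Element line for a text/plain part, in the part's charset."""
    line = f"{name}: {display_value(raw)}"
    return line.encode(charset, errors="replace")


def lde_line_html(name: str, raw: str, charset: str = "utf-8") -> bytes:
    """One Legacy Display Element line for a text/html part.

    Escaping happens before encoding, so characters the part's charset cannot
    represent become numeric character references instead of being lost.
    """
    line = html.escape(f"{name}: {display_value(raw)}")
    return line.encode(charset, errors="xmlcharrefreplace")


# Constructed sample values (not taken from any real message).
ENCODED_NEWLINES = "=?utf-8?q?Lunch=0A=0A<b>free</b>_&_more?="
FOLDED = "Re: budget\r\n\t review"
LATIN1 = "=?iso-8859-1?q?Caf=E9?="

if __name__ == "__main__":
    for raw in (ENCODED_NEWLINES, FOLDED, LATIN1):
        print(lde_line_plain("Subject", raw))
        print(lde_line_html("Subject", raw, "us-ascii"))
```
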
For example, the standard MIME headers of the Cryptographic Payload of a message are often a predictable sequence of bytes, even without Header Protection, when they only include the Structural Header Fields MIME-Version and Content-Type. This is a potential risk for known-plaintext attacks.

Including protected Header Fields as described in this document increases the amount of known plaintext. Since some of those headers in a reply will be derived from the message being replied to, this also creates a potential risk for chosen-plaintext attacks, in addition to known-plaintext attacks.

Modern message encryption mechanisms are expected to be secure against both known-plaintext attacks and chosen-plaintext attacks. An MUA composing an encrypted message should ensure that it is using such a mechanism, regardless of whether it does Header Protection.

6. Privacy Considerations

6.1. Leaks When Replying

The encrypted Header Fields of a message may accidentally leak when replying to the message. See the guidance in Section 2.7.8.

6.2. Encrypted Header Fields Are Not Always Private

For encrypted messages, depending on the sender's HCP, some Header Fields may appear both within the Cryptographic Envelope and on the outside of the message (e.g., Date might exist identically in both places). Section 2.7.2 identifies such a Header Field as signed-only. These Header Fields are clearly _not_ private at all, despite a copy being inside the Cryptographic Envelope.

A Header Field whose name and value are not matched verbatim by any HP-Outer Header Field from the same part will have encrypted-only or signed-and-encrypted status. But even Header Fields with these stronger levels of cryptographic confidentiality protection might not be as private as the user would like.

See the examples below.
This concern is true for any encrypted data, including the body of the message, not just the Header Fields: if the sender isn't careful, the message contents or session keys can leak in many ways that are beyond the scope of this document. The message recipient has no way in principle to tell whether the apparent confidentiality of any given piece of encrypted content has been broken via channels that they cannot perceive. Additionally, an active intermediary aware of the recipient's public key can always encrypt a cleartext message in transit to give the recipient a false sense of security.

6.2.1. Encrypted Header Fields Can Leak Unwanted Information to the Recipient

For encrypted messages, even with an ambitious HCP that successfully obscures most Header Fields from all transport agents, Header Fields will be ultimately visible to all intended recipients. This can be especially problematic for Header Fields that are not user-facing, which the sender may not expect to be injected by their MUA. Consider the three following examples:

* The MUA may inject a User-Agent Header Field that describes itself to every recipient, even though the sender may not want the recipient to know the exact version of their OS, hardware platform, or MUA.

* The MUA may have an idiosyncratic way of generating a Message-ID header, which could embed the choice of MUA, a time zone, a hostname, or other subtle information to a knowledgeable recipient.

* The MUA may erroneously include a Bcc Header Field in the origheaders of a copy of a message sent to the named recipient, defeating the purpose of using Bcc instead of Cc (see Section 6.4 for more details about risks related to Bcc).

Clearly, no end-to-end cryptographic protection of any Header Field as described in this document will hide such a sensitive field from the intended recipient.
Instead, the composing MUA MUST populate the origheaders list for any outbound message with only information the recipient should have access to. This is true for messages without any cryptographic protection as well, of course, and it is even worse there: such a leak is exposed to the transport agents as well as the recipient. An encrypted message with Header Protection and a more ambitious Header Confidentiality Policy avoids these leaks exposing information to the transport agents but cannot defend against such a leak to the recipient.

6.2.2. Encrypted Header Fields Can Be Inferred From External or Internal Metadata

For example, if the To and Cc Header Fields are removed from the unprotected Header Section, the values in those fields might still be inferred with high probability by an adversary who looks at the message either in transit or at rest. If the message is found in, or being delivered to a mailbox for bob@example.org, it's likely that Bob was in either To or Cc. Furthermore, encrypted message ciphertext may hint at the recipients: for S/MIME messages, the RecipientInfo, and for PGP/MIME messages the key ID in the Public Key Encrypted Session Key (PKESK) packets will all hint at a specific set of recipients. Additionally, an MTA that handles the message may add a Received Header Field (or some other custom Header Field) that leaks some information about the nature of the delivery.

6.2.3. Encrypted Header Fields May Not Be Fully Masked by HCP

In another example, if the HCP modifies the Date header to mask out high-resolution time stamps (e.g., rounding to the most recent hour) and to convert the local time zone to UTC, some information about the date of delivery will still be attached to the e-mail. At the very least, the low resolution, global version of the date will be present on the message.
Additionally, Header Fields like Received that are added during message delivery might include higher-resolution timestamps. And if the message lands in a mailbox that is ordered by time of receipt, even its placement in the mailbox and the non-obscured Date Header Fields of the surrounding messages could leak this information.

Some Header Fields like From may be impossible to fully obscure, as many modern message delivery systems depend on at least domain information in the From Header Field for determining whether a message is coming from a domain with "good reputation" (that is, from a domain that is not known for leaking spam). So even if an ambitious HCP opts to remove the human-readable part from any From Header Field, and to standardize/genericize the local part of the From address, the domain will still leak.

6.3. A Naive Recipient May Overestimate the Cryptographic Status of a Header Field in an Encrypted Message

When an encrypted (or signed-and-encrypted) message is in transit, an active intermediary can strip or tamper with any Header Field that appears outside the Cryptographic Envelope.

A receiving MUA that naively infers cryptographic status from differences between the external Header Fields and those found in the Cryptographic Envelope could be tricked into overestimating the protections afforded to some Header Fields.

For example, if the original sender's HCP passes through the Cc Header Field unchanged, a cleanly delivered message would indicate that the Cc Header Field has a cryptographic status of signed. But if an intermediary attacker simply removes the Header Field from the unprotected Header Section before forwarding the message, then the naive recipient might believe that the field has a cryptographic status of signed-and-encrypted.
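The naive inference described above, next to a check built on the hp parameter rules of Section 5.1 and the HP-Outer Header Fields of the Cryptographic Payload, as an added Python example (not code from this document or its authors). The Received type, the function names, the status returned for an exposed field in an unsigned message, and the sample messages are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Pairs = List[Tuple[str, str]]
UNPROTECTED, SIGNED_ONLY = "unprotected", "signed-only"
ENCRYPTED_ONLY, SIGNED_AND_ENCRYPTED = "encrypted-only", "signed-and-encrypted"


@dataclass
class Received:
    """Hypothetical parsed view of a delivered message (not a real library type)."""
    signed: bool        # a signature layer verified in the Cryptographic Envelope
    encrypted: bool     # an encryption layer was actually present on delivery
    hp: Optional[str]   # hp parameter of the Cryptographic Payload's Content-Type
    outer: Pairs        # unprotected Header Section, as delivered
    hp_outer: Pairs = field(default_factory=list)  # (name, value) from HP-Outer


def _has(pairs: Pairs, name: str, value: str) -> bool:
    # Header names compare case-insensitively; values must match verbatim.
    return any(n.lower() == name.lower() and v == value for n, v in pairs)


def _confidential(msg: Received) -> str:
    return SIGNED_AND_ENCRYPTED if msg.signed else ENCRYPTED_ONLY


def _exposed(msg: Received) -> str:
    # Assumption of this example: an exposed field in an unsigned message
    # is reported as unprotected.
    return SIGNED_ONLY if msg.signed else UNPROTECTED


def naive_status(msg: Received, name: str, value: str) -> str:
    """Section 6.3's naive recipient: trusts the outer Header Section."""
    if msg.encrypted and not _has(msg.outer, name, value):
        return _confidential(msg)  # "missing outside, so it must have been hidden"
    return _exposed(msg)


def header_status(msg: Received, name: str, value: str) -> str:
    """Status of one protected Header Field, ignoring what transit could alter."""
    if msg.hp is None:
        return UNPROTECTED         # no Header Protection at all
    if not msg.encrypted:
        return _exposed(msg)       # hp="cipher" never inflates a signed-only message
    if msg.hp != "cipher":
        return _exposed(msg)       # encryption layer likely added by a third party
    if _has(msg.hp_outer, name, value):
        return _exposed(msg)       # the sender itself left this field visible
    return _confidential(msg)


def samples() -> dict:
    """Constructed messages: protected Subject is "Dinner", Cc is carol@example.org."""
    sent_outside = [("Subject", "[...]"), ("Cc", "carol@example.org")]
    return {
        "clean": Received(True, True, "cipher", list(sent_outside), sent_outside),
        "cc_stripped": Received(True, True, "cipher", [("Subject", "[...]")], sent_outside),
        "rewrapped": Received(True, True, "clear", [("Subject", "[...]")]),
        "mislabeled": Received(True, False, "cipher", [("Subject", "Dinner")]),
    }


if __name__ == "__main__":
    for label, msg in samples().items():
        for name, value in (("Subject", "Dinner"), ("Cc", "carol@example.org")):
            print(label, name, naive_status(msg, name, value),
                  header_status(msg, name, value))
```
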
This document offers protection against such an attack by way of the HP-Outer Header Fields that can be found on the Cryptographic Payload. If a Header Field appears to have been obscured by inspection of the outer message, but an HP-Outer Header Field matches it exactly, the receiving MUA can indicate to the user that the Header Field in question may not have been confidential.

In such a case, a cautious MUA may render the Header Field in question as signed (because the sender did not hide it), but still treat it as signed-and-encrypted during reply, to avoid accidental leakage of the cleartext value in the reply message, as described in Section 2.7.8.1.

6.4. Privacy and Deliverability Risks with Bcc and Encrypted Messages

As noted in Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance], handling Bcc when generating an encrypted e-mail message can be particularly tricky. With Header Protection, there is an additional wrinkle. When an encrypted e-mail message with Header Protection has a Bcc'ed recipient, and the composing MUA explicitly includes the Bcc'ed recipient's address in their copy of the message (see the "second method" in Section 3.6.3 of [RFC5322]), that Bcc Header Field will always be visible to the Bcc'ed recipient.

In this scenario, though, the composing MUA has one additional choice: whether to hide the Bcc Header Field from intervening message transport agents, by returning null when the HCP is invoked for Bcc. If the composing MUA's rationale for including an explicit Bcc in the copy of the message sent to the Bcc recipient is to ensure deliverability via a message transport agent that inspects message Header Fields, then stripping the Bcc field during encryption may cause the intervening transport agent to drop the message entirely. This is why Bcc is not explicitly stripped in hcp_minimal.
If, on the other hand, deliverability to a Bcc'ed recipient is not a concern, the most privacy-preserving option is to simply omit the Bcc Header Field from the protected Header Section in the first place. An MUA that is capable of receiving and processing such a message can infer that since their user's address was not mentioned in any To or Cc Header Field, they were likely a Bcc recipient.

Please also see Section 9.3 of [I-D.ietf-lamps-e2e-mail-guidance] for more discussion about Bcc and encrypted messages.

7. IANA Considerations

This document requests IANA to register the following Header Field in the "Permanent Message Header Field Names" registry within "Message Headers" in accordance with [RFC3864].

+============+==========+==========+==========+===============+
| Header     | Template | Protocol | Status   | Reference     |
| Field Name |          |          |          |               |
+============+==========+==========+==========+===============+
| HP-Outer   |          | mail     | standard | Section 2.5.3 |
|            |          |          |          | of RFCXXXX    |
+------------+----------+----------+----------+---------------+

Table 3: Additions to 'Permanent Message Header Field Names' registry

The Author/Change Controller of these two entries (Section 4.5 of [RFC3864]) should be the IETF itself.

This document also defines the Content-Type parameters known as hp (in Section 2.3) and hp-scheme (in Section 2.4). Consequently, the Content-Type row in the "Permanent Message Header Field Names" registry should add a reference to this RFC to its "References" column.
That is, the current row:

+===================+==========+==========+========+===========+
| Header Field Name | Template | Protocol | Status | Reference |
+===================+==========+==========+========+===========+
| Content-Type      |          | MIME     |        | [RFC4021] |
+-------------------+----------+----------+--------+-----------+

Table 4: Existing row in 'Permanent Message Header Field Names' registry

Should be updated to have the following values:

+===================+==========+==========+========+===========+
| Header Field Name | Template | Protocol | Status | Reference |
+===================+==========+==========+========+===========+
| Content-Type      |          | MIME     |        | [RFC4021] |
|                   |          |          |        | [RFCXXXX] |
+-------------------+----------+----------+--------+-----------+

Table 5: Replacement row in 'Permanent Message Header Field Names' registry

This document also requests IANA to create a new registry in the "Mail Parameters" protocol group (https://www.iana.org/assignments/mail-parameters/) titled Mail Header Confidentiality Policies with the following content:

+========================+=================+=========+=============+
| Header Confidentiality | Description     |Reference| Recommended |
| Policy Name            |                 |         |             |
+========================+=================+=========+=============+
| hcp_no_confidentiality | No header       |Section  | N           |
|                        | confidentiality |2.6.3 of |             |
|                        |                 |RFCXXX   |             |
|                        |                 |(this    |             |
|                        |                 |document)|             |
+------------------------+-----------------+---------+-------------+
| hcp_minimal            | Subject Header  |Section  | Y           |
|                        | Field is        |2.6.1 of |             |
|                        | obscured        |RFCXXX   |             |
|                        |                 |(this    |             |
|                        |                 |document)|             |
+------------------------+-----------------+---------+-------------+
| hcp_strong             | Remove or       |Section  | N           |
|                        | obscure         |2.6.2 of |             |
|                        | everything but  |RFCXXX   |             |
|                        | From, Date, To, |(this    |             |
|                        | and Cc          |document)|             |
+------------------------+-----------------+---------+-------------+

Table 6: Mail Header Confidentiality Policies registry

hcp_example_hide_cc is mooted as an example in Section 2.5.2 but is not formally registered by this document.

Please add the following textual note to this registry:

   The Header Confidentiality Policy Name never appears on the wire. This registry merely tracks stable references to implementable descriptions of distinct policies. Any addition to this registry should be governed by guidance in Section 2.6.4.1 of RFC XXX (this document).

Adding an entry to this registry with an N in the "Recommended" column follows the registration policy of SPECIFICATION REQUIRED. Adding an entry to this registry with a Y in the "Recommended" column or changing the "Recommended" column in an existing entry (from N to Y or vice versa) requires IETF REVIEW. During IETF REVIEW, the designated expert must also be consulted. Guidance for the designated expert can be found in Section 2.6.4.1.

8. Acknowledgments

Thore Göbel identified significant gaps in earlier versions of this document, and proposed concrete and substantial improvements. Thanks to his contributions, the document is clearer, and the protocols described herein are more useful.

Additionally, the authors would like to thank the following people who have provided helpful comments and suggestions for this document: Berna Alp, Bernhard E. Reiter, Carl Wallace, Claudio Luck, David Wilson, Hernani Marques, juga, Krista Bennett, Kelly Bristol, Lars Rohwedder, Michael StJohns, Nicolas Lidzborski, Peter Yee, Phillip Tao, Robert Williams, Rohan Mahy, Roman Danyliw, Russ Housley, Sofia Balicka, Steve Kille, Volker Birk, and Wei Chuang.

9. References

9.1. Normative References

[I-D.ietf-lamps-e2e-mail-guidance] Gillmor, D. K., Hoeneisen, B., and A.
Melnikov, "Guidance on End-to-End E-mail Security", Work in Progress, Internet-Draft, draft-ietf-lamps-e2e-mail-guidance-16, 16 March 2024.

[I-D.ietf-openpgp-crypto-refresh-13] Wouters, P., Huigens, D., Winter, J., and N. Yutaka, "OpenPGP", Work in Progress, Internet-Draft, draft-ietf-openpgp-crypto-refresh-13, 4 January 2024.

[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, DOI 10.17487/RFC3864, September 2004.

[RFC5083] Housley, R., "Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type", RFC 5083, DOI 10.17487/RFC5083, November 2007.

[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10.17487/RFC5234, January 2008.

[RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, DOI 10.17487/RFC5322, October 2008.

[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, RFC 5652, DOI 10.17487/RFC5652, September 2009.

[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

[RFC8551] Schaad, J., Ramsdell, B., and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0 Message Specification", RFC 8551, DOI 10.17487/RFC8551, April 2019.

9.2. Informative References

[chrome-indicators] Schechter, E., "Evolving Chrome's security indicators", May 2018.

[CSS] World Wide Web Consortium, "Cascading Style Sheets Level 2 Revision 2 (CSS 2.2) Specification", 12 April 2016.

[HTML-ESCAPES] W3C, "Using character escapes in markup and CSS", n.d.

[I-D.autocrypt-lamps-protected-headers] Einarsson, B. R., "juga", and D. K. Gillmor, "Protected Headers for Cryptographic E-mail", Work in Progress, Internet-Draft, draft-autocrypt-lamps-protected-headers-02, 20 December 2019.

[I-D.ietf-lamps-samples] Gillmor, D. K., "S/MIME Example Keys and Certificates", Work in Progress, Internet-Draft, draft-ietf-lamps-samples-08, 2 February 2022.

[I-D.pep-email] Marques, H. and B. Hoeneisen, "pretty Easy privacy (pEp): Email Formats and Protocols", Work in Progress, Internet-Draft, draft-pep-email-02, 16 December 2022.

[I-D.pep-general] Birk, V., Marques, H., and B. Hoeneisen, "pretty Easy privacy (pEp): Privacy by Default", Work in Progress, Internet-Draft, draft-pep-general-02, 16 December 2022.

[PGPCONTROL] UUNET Technologies, Inc., "Authentication of Usenet Group Changes", 27 October 2016.

[PGPVERIFY-FORMAT] Lawrence, D. C., "Signing Control Messages, Verifying Control Messages", n.d.

[RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) Part Three: Message Header Extensions for Non-ASCII Text", RFC 2047, DOI 10.17487/RFC2047, November 1996.

[RFC2049] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Five: Conformance Criteria and Examples", RFC 2049, DOI 10.17487/RFC2049, November 1996.

[RFC3156] Elkins, M., Del Torto, D., Levien, R., and T. Roessler, "MIME Security with OpenPGP", RFC 3156, DOI 10.17487/RFC3156, August 2001.
[RFC3851] Ramsdell, B., Ed., "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification", RFC 3851, DOI 10.17487/RFC3851, July 2004.

[RFC4021] Klyne, G. and J. Palme, "Registration of Mail and MIME Header Fields", RFC 4021, DOI 10.17487/RFC4021, March 2005.

[RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, DOI 10.17487/RFC5751, January 2010.

[RFC6376] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, Ed., "DomainKeys Identified Mail (DKIM) Signatures", STD 76, RFC 6376, DOI 10.17487/RFC6376, September 2011.

[RFC6532] Yang, A., Steele, S., and N. Freed, "Internationalized Email Headers", RFC 6532, DOI 10.17487/RFC6532, February 2012.

[RFC7489] Kucherawy, M., Ed. and E. Zwicky, Ed., "Domain-based Message Authentication, Reporting, and Conformance (DMARC)", RFC 7489, DOI 10.17487/RFC7489, March 2015.

[RFC8617] Andersen, K., Long, B., Ed., Blank, S., Ed., and M. Kucherawy, Ed., "The Authenticated Received Chain (ARC) Protocol", RFC 8617, DOI 10.17487/RFC8617, July 2019.

Appendix A. Possible Problems with Legacy MUAs

When an e-mail message with end-to-end cryptographic protection is received by a mail user agent, the user might experience many different possible problematic interactions. A message with Header Protection may introduce new forms of user experience failure.

In this section, the authors enumerate different kinds of failures we have observed when reviewing, rendering, and replying to messages with different forms of Header Protection in different Legacy MUAs. Different Legacy MUAs demonstrate different subsets of these problems.

A conformant MUA would not exhibit any of these problems. An implementer updating their Legacy MUA to be compliant with this specification should consider these concerns and try to avoid them.

Recall that "protected" refers to the "inner" values, e.g., the real Subject, and "unprotected" refers to the "outer" values, e.g., the dummy Subject.

A.1. Problems Viewing Messages in a List View

* Unprotected Subject, Date, From, To are visible (instead of being replaced by protected values)
* Threading is not visible

A.2. Problems when Rendering a Message

* Unprotected Subject is visible
* Protected Subject (on its own) is visible in the body
* Protected Subject, Date, From, and To visible in the body
* User interaction needed to view whole message
* User interaction needed to view message body
* User interaction needed to view protected subject
* Impossible to view protected Subject
* Nuisance alarms during user interaction
* Impossible to view message body
* Appears as a forwarded message
* Appears as an attachment
* Security indicators not visible
* Security indicators do not identify protection status of Header Fields
* User has multiple different methods to reply (e.g., reply to outer, reply to inner)
* User sees English "Subject:" in body despite message itself being in non-English
* Security indicators do not identify protection status of Header Fields
* Header Fields in body render with local Header Field names (e.g., showing "Betreff" instead of "Subject") and dates (TZ, locale)

A.3. Problems when Replying to a Message

Note that the use case here is:

* User views message, to the point where they can read it
* User then replies to message, and they are shown a message composition window, which has some UI elements
* If the MUA has multiple different methods to reply to a message, each way may need to be evaluated separately

This section also uses the shorthand UI:x to mean "the UI element that the user can edit that they think of as x."

* Unprotected Subject is in UI:subject (instead of the protected Subject)
* Protected Subject is quoted in UI:body (from Legacy Display Element)
* Protected Subject leaks when the reply is serialised into MIME
* Protected Subject is not anywhere in UI
* Message body is _not_ visible/quoted in UI:body
* User cannot reply while viewing protected message
* Reply is not encrypted by default (but is for legacy signed-and-encrypted messages without Header Protection)
* Unprotected From or Reply-To is in UI:To (instead of the protected From or Reply-To)
* User's locale (lang, TZ) leaks in quoted body
* Header Fields not protected (and in particular, Subject is not obscured) by default

Appendix B. Test Vectors

This section contains sample messages using the different schemes described in this document. Each sample contains a MIME object, a textual and diagrammatic view of its structure, and examples of how an MUA might render it.

The cryptographic protections used in this document use the S/MIME standard, and keying material and certificates come from [I-D.ietf-lamps-samples].

These messages should be accessible to any IMAP client at imap://bob@header-protection.cmrg.net/ (any password should authenticate to this read-only IMAP mailbox).

You can also download copies of these test vectors separately at https://header-protection.cmrg.net.

If any of the messages downloaded differ from those offered here, this document is the canonical source.

B.1. Baseline Messages

These messages offer no header protection at all, and can be used as a baseline. They are provided in this document as a counterexample. An MUA implementer can use these messages to verify that the reported cryptographic summary of the message indicates no header protection.

B.1.1. No Cryptographic Protections Over a Simple Message

This message uses no cryptographic protection at all. Its body is a text/plain message.

It has the following structure:

   └─╴text/plain 152 bytes

Its contents are:

   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit
   Subject: no-crypto
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:00:02 -0500
   User-Agent: Sample MUA Version 1.0

   This is the no-crypto message.

   This message uses no cryptographic protection at all. Its body is a text/plain message.

   --
   Alice
   alice@smime.example

B.1.2. S/MIME Signed-only signedData Over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses no header protection.
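The baseline check that B.1 describes, shown as an added example that is not part of this document or its test vectors: it reports whether a multipart/signed message (the shape used in B.1.3) carries header protection and which outer Header Fields are left unprotected. It assumes the hp Content-Type parameter (values "clear" or "cipher") that this specification places on the Cryptographic Payload, it does not verify the signature, and the sample messages and all function names are constructed for illustration.

```python
from email import message_from_string

VALID_HP = {"clear", "cipher"}  # hp values defined by this specification

# Constructed sample modeled on B.1.3; the signature body is a placeholder,
# and bob@smime.example is a made-up address.
TEMPLATE = """\
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 boundary="052"; micalg="sha-256"
Subject: {outer_subject}
From: Alice <alice@smime.example>
To: Bob <bob@smime.example>
Date: Sat, 20 Feb 2021 10:02:02 -0500

--052
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"{hp}
Content-Transfer-Encoding: 7bit
{inner}
This is the smime-multipart message.

--052
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

UExBQ0VIT0xERVI=

--052--
"""

# Header Fields copied into the Cryptographic Payload (constructed).
INNER = (
    "Subject: smime-multipart\n"
    "From: Alice <alice@smime.example>\n"
    "To: Bob <bob@smime.example>\n"
    "Date: Sat, 20 Feb 2021 10:02:02 -0500\n"
)

BASELINE = TEMPLATE.format(outer_subject="smime-multipart", hp="", inner="")
PROTECTED = TEMPLATE.format(
    outer_subject="smime-multipart", hp='; hp="clear"', inner=INNER)
ALTERED = TEMPLATE.format(
    outer_subject="changed in transit", hp='; hp="clear"', inner=INNER)


def non_structural(part):
    """Header Fields other than MIME-Version and Content-*."""
    return [
        (name, value.strip())
        for name, value in part.items()
        if name.lower() != "mime-version"
        and not name.lower().startswith("content-")
    ]


def header_protection_summary(raw):
    """Summarise header protection for one message.

    A real MUA reports protection only after the signature validates;
    this example looks at MIME structure alone.
    """
    summary = {"hp": None, "header_protection": False,
               "protected": {}, "unprotected": [], "mismatched": []}
    msg = message_from_string(raw)
    parts = msg.get_payload()
    if (msg.get_content_type() == "multipart/signed"
            and isinstance(parts, list) and len(parts) == 2):
        payload = parts[0]  # the signed part is the Cryptographic Payload
        hp = payload.get_param("hp")
        if isinstance(hp, str) and hp.lower() in VALID_HP:
            summary["hp"] = hp.lower()
            summary["header_protection"] = True
            summary["protected"] = {
                name.lower(): value for name, value in non_structural(payload)
            }
    # Classify every outer Header Field against the protected set.
    for name, value in non_structural(msg):
        inner_value = summary["protected"].get(name.lower())
        if inner_value is None:
            summary["unprotected"].append(name)
        elif inner_value != value:
            # Outer value differs from the signed one: render the inner value.
            summary["mismatched"].append(name)
    return summary


if __name__ == "__main__":
    for label, raw in (("baseline", BASELINE), ("protected", PROTECTED),
                       ("altered", ALTERED)):
        print(label, header_protection_summary(raw))
```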
It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 3852 bytes
    ⇩ (unwraps to)
    └─╴text/plain 204 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:01:02 -0500
   User-Agent: Sample MUA Version 1.0
B.1.3. S/MIME Signed-only multipart/signed Over a Simple Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses no header protection.

It has the following structure:

   └┬╴multipart/signed 4191 bytes
    ├─╴text/plain 224 bytes
    └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/signed;
    protocol="application/pkcs7-signature";
    boundary="052"; micalg="sha-256"
   Subject: smime-multipart
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:02:02 -0500
   User-Agent: Sample MUA Version 1.0

   --052
   MIME-Version: 1.0
   Content-Type: text/plain; charset="utf-8"
   Content-Transfer-Encoding: 7bit

   This is the smime-multipart message.

   This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses no header protection.

   --
   Alice
   alice@smime.example
   --052
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-signature; name="smime.p7s"

   --052--

B.1.4. S/MIME Encrypted and Signed Over a Simple Message, No Header Protection

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses no header protection.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 6720 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 3960 bytes
     ⇩ (unwraps to)
     └─╴text/plain 240 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: smime-enc-signed
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:03:02 -0500
   User-Agent: Sample MUA Version 1.0
B.1.5. No Cryptographic Protections Over a Complex Message

This message uses no cryptographic protection at all. Its body is a multipart/alternative message with an inline image/png attachment.
It has the following structure:

   └┬╴multipart/mixed 1406 bytes
    ├┬╴multipart/alternative 794 bytes
    │├─╴text/plain 206 bytes
    │└─╴text/html 304 bytes
    └─╴image/png inline 232 bytes

Its contents are:

   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="c39"
   Subject: no-crypto-complex
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:00:02 -0500
   User-Agent: Sample MUA Version 1.0

   --c39
   MIME-Version: 1.0
   Content-Type: multipart/alternative; boundary="05a"

   --05a
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

   This is the no-crypto-complex message.

   This message uses no cryptographic protection at all. Its body is a multipart/alternative message with an inline image/png attachment.

   --
   Alice
   alice@smime.example

   --05a
   Content-Type: text/html; charset="us-ascii"
   MIME-Version: 1.0
   Content-Transfer-Encoding: 7bit

This is the no-crypto-complex message.

This message uses no cryptographic protection at all. Its body is a multipart/alternative message with an inline image/png attachment.

--
Alice
alice@smime.example

   --05a--

   --c39
   Content-Type: image/png
   Content-Transfer-Encoding: base64
   Content-Disposition: inline

   iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
   MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
   sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
   vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

   --c39--

B.1.6. S/MIME Signed-only signedData Over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 5249 bytes
    ⇩ (unwraps to)
    └┬╴multipart/mixed 1288 bytes
     ├┬╴multipart/alternative 882 bytes
     │├─╴text/plain 258 bytes
     │└─╴text/html 353 bytes
     └─╴image/png inline 236 bytes

Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="signed-data"
   Subject: smime-one-part-complex
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:01:02 -0500
   User-Agent: Sample MUA Version 1.0
B.1.7. S/MIME Signed-only multipart/signed Over a Complex Message, No Header Protection

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

It has the following structure:

└┬╴multipart/signed 5234 bytes
 ├┬╴multipart/mixed 1344 bytes
 │├┬╴multipart/alternative 938 bytes
 ││├─╴text/plain 278 bytes
 ││└─╴text/html 376 bytes
 │└─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="452"; micalg="sha-256"
Subject: smime-multipart-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:02:02 -0500
User-Agent: Sample MUA Version 1.0

--452
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ac5"

--ac5
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="813"

--813
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--813
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

--
Alice
alice@smime.example

--813--

--ac5
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--ac5--

--452
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"
--452--

B.1.8. S/MIME Encrypted and Signed Over a Complex Message, No Header Protection

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses no header protection.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8690 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5430 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 1358 bytes
   ├┬╴multipart/alternative 952 bytes
   │├─╴text/plain 294 bytes
   │└─╴text/html 389 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: smime-enc-signed-complex
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:03:02 -0500
User-Agent: Sample MUA Version 1.0
B.2. Signed-only Messages

These messages are signed-only, using different schemes of header protection and different S/MIME structure. They use no Header Confidentiality Policy because the hcp is only relevant when a message is encrypted.

B.2.1. S/MIME Signed-only signedData Over a Simple Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 4323 bytes
 ⇩ (unwraps to)
 └┬╴message/rfc822 inline 646 bytes
  └─╴text/plain 228 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:04:02 -0500
User-Agent: Sample MUA Version 1.0
B.2.2. S/MIME Signed-only multipart/signed Over a Simple Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses the Wrapped Message header protection scheme.

It has the following structure:

└┬╴multipart/signed 4566 bytes
 ├┬╴message/rfc822 inline 676 bytes
 │└─╴text/plain 256 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="6e5"; micalg="sha-256"
Subject: smime-multipart-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:05:02 -0500
User-Agent: Sample MUA Version 1.0

--6e5
MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Subject: smime-multipart-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:05:02 -0500
User-Agent: Sample MUA Version 1.0

This is the smime-multipart-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example

--6e5
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"
--6e5--

B.2.3. S/MIME Signed-only signedData Over a Simple Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 4217 bytes
 ⇩ (unwraps to)
 └─╴text/plain 239 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:06:02 -0500
User-Agent: Sample MUA Version 1.0
B.2.4. S/MIME Signed-only multipart/signed Over a Simple Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses the Injected Headers header protection scheme.

It has the following structure:

└┬╴multipart/signed 4475 bytes
 ├─╴text/plain 258 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="00a"; micalg="sha-256"
Subject: smime-multipart-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0

--00a
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: smime-multipart-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: text/plain; charset="utf-8"; hp="clear"

This is the smime-multipart-injected message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a text/plain message. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example

--00a
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"
AoIBAQC09InoWDgWPk2af0+StijSNOR8K/hN8D+l078oullsk4ASvSwjsCNo7sHU a4xQUl5JO6VqY18LANwORjrc9BaX4MguzsbFXBe6uFh1mVpXmFxSpUByQ+950MFz /evPgP96wV+z4TtAwW2Z34rTiz4DxMI07XYNFUEOls/gkUP2GxzymsO2kaYWTut3 SryCqeHEFbZFkB4urMk4xrIJC3CzWruS2Q0FHbBlfkgKN5wXVgkWFfiOucfCn+IQ saqpo1d3f9jSkbtAV5w3vzfog8919MxKI9H6l4KuElnAtJ7BtZcsl7dUy9u9COgE ykRiVokFQgqQ7XNDU+r3SeOWwks7AgMBAAGjga8wgawwDAYDVR0TAQH/BAIwADAX BgNVHSAEEDAOMAwGCmCGSAFlAwIBMAEwHgYDVR0RBBcwFYETYWxpY2VAc21pbWUu ZXhhbXBsZTATBgNVHSUEDDAKBggrBgEFBQcDBDAOBgNVHQ8BAf8EBAMCBsAwHQYD VR0OBBYEFLv2zLItHQYSHJeuKWqQENMgZmZzMB8GA1UdIwQYMBaAFJEwjnwHFwyn 8QkoZTYaZxxodvRZMA0GCSqGSIb3DQEBDQUAA4IBAQBziaI2p86poGkjd/4KkkOH G25nY/0eNARD6/oF0/sYonX2doizcGMk53riugAocCn5zbzhW/JVdYn30UxfyrZl RAzEf7GHqgB/NyjOad3pdpVYeDh4ciNKjbs+aEoTWgAkoqENt1sRxlcvb7HVX524 bKZa1oPTUNlm6QpivtqDIdqGJdGf8L1zLfXBuo2zL3HR+M9CDr4Opq2JCkzP0Qhp 7poIccGE6I9Tsg+RrOA9iCQsPn1+Tg8YedjGzUWF07rNmT0TzPCVzUAuBlr+JJtz OKypyQ3eoZ6EPazXqMyHAVcsm0GI364IOA0b8PSrJNtjh+AqJ5QfH+0e7NSzNnEm MYICADCCAfwCAQEwbDBVMQ0wCwYDVQQKEwRJRVRGMREwDwYDVQQLEwhMQU1QUyBX RzExMC8GA1UEAxMoU2FtcGxlIExBTVBTIFJTQSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eQITN0EFee11f0Kpolw69Phqzpqp1zALBglghkgBZQMEAgGgaTAYBgkqhkiG 9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0yMTAyMjAxNTA3MDJa MC8GCSqGSIb3DQEJBDEiBCDjBfBkJxdVNC35f7HFWD1M6TjhMn8g57GIC5YSWcFS ijANBgkqhkiG9w0BAQEFAASCAQCRvDfxpemF6ufn0hRUrfKZY2V/TqUatW386HtU vwGpHEOH/RLhj3x1gs/eEH5nuGh4i3jpEnn+jqeTTlx40x2q+0IH2+Ff/enYEDRv qnMphrag+bURmXrb5FcpTA51aEIvcsJka2aJRs1LAEd/wZjoZ+Jyt/mwc1yo5Vre jPHXdt51dxZ82i4o79TZhv9LdL6qvSLuSEPFnsBseUCEhMOxfhwNJPrGX3FxIDys kwlsJcliPiRS/K/T62+Izn65oOCzNIMAMmbQbGCjgfQZo9IfnnSVI1TEvriCDtGS fmf5RvdafW+h6+I0Yb7QZTgb4EXty0M66DajUo3qSl1B5Am2 --00a-- Gillmor, et al. Expires 5 December 2024 [Page 94] Internet-Draft Cryptographic MIME Header Protection June 2024 B.2.5. S/MIME Signed-only signedData Over a Complex Message, Wrapped Message This is a signed-only S/MIME message via PKCS#7 signedData. 
The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 5741 bytes
 ⇩ (unwraps to)
 └┬╴message/rfc822 inline 1693 bytes
  └┬╴multipart/mixed 1584 bytes
   ├┬╴multipart/alternative 946 bytes
   │├─╴text/plain 282 bytes
   │└─╴text/html 380 bytes
   └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:04:02 -0500
User-Agent: Sample MUA Version 1.0

B.2.6. S/MIME Signed-only multipart/signed Over a Complex Message, Wrapped Message

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

It has the following structure:

└┬╴multipart/signed 5657 bytes
 ├┬╴message/rfc822 inline 1751 bytes
 │└┬╴multipart/mixed 1642 bytes
 │ ├┬╴multipart/alternative 1002 bytes
 │ │├─╴text/plain 310 bytes
 │ │└─╴text/html 408 bytes
 │ └─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="dce"; micalg="sha-256"
Subject: smime-multipart-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:05:02 -0500
User-Agent: Sample MUA Version 1.0

--dce
MIME-Version: 1.0
Content-Type: message/rfc822; hp="clear"; hp-scheme="wrapped"
Content-Disposition: inline

MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="a30"
Subject: smime-multipart-complex-wrapped
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:05:02 -0500
User-Agent: Sample MUA Version 1.0

--a30
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="844"

--844
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example
--844
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-wrapped message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme.

--
Alice
alice@smime.example

--844--

--a30
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--a30--

--dce
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--dce--

B.2.7. S/MIME Signed-only signedData Over a Complex Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 5684 bytes
 ⇩ (unwraps to)
 └┬╴multipart/mixed 1602 bytes
  ├┬╴multipart/alternative 950 bytes
  │├─╴text/plain 293 bytes
  │└─╴text/html 388 bytes
  └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="signed-data"
Subject: smime-one-part-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:06:02 -0500
User-Agent: Sample MUA Version 1.0

B.2.8. S/MIME Signed-only multipart/signed Over a Complex Message, Injected Headers

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

It has the following structure:

└┬╴multipart/signed 5568 bytes
 ├┬╴multipart/mixed 1660 bytes
 │├┬╴multipart/alternative 1006 bytes
 ││├─╴text/plain 312 bytes
 ││└─╴text/html 410 bytes
 │└─╴image/png inline 232 bytes
 └─╴application/pkcs7-signature [smime.p7s] 3429 bytes

Its contents are:

MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="361"; micalg="sha-256"
Subject: smime-multipart-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0

--361
MIME-Version: 1.0
Subject: smime-multipart-complex-injected
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:07:02 -0500
User-Agent: Sample MUA Version 1.0
Content-Type: multipart/mixed; boundary="099"; hp="clear"

--099
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9a5"

--9a5
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example
--9a5
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

This is the smime-multipart-complex-injected message.

This is a signed-only S/MIME message via PKCS#7 detached signature (multipart/signed). The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme.

--
Alice
alice@smime.example

--9a5--

--099
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAAcElEQVR42uVTOxbA
MAgS739nO3TpRw20dqpbfARQEjOywiwYnCtkDKnbcLk66sqlT+zt9cidkE+6KwkZ
sgrzfcqVMpL2jo0447gYDpeArk+OnJHkIhAfTPRicihAf5YJrw7vjv0ZWRWM/uli
vdPf1QZ2kDD9xppd8wAAAABJRU5ErkJggg==

--099--

--361
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name="smime.p7s"

--361--

B.3. Encrypted-and-signed Messages

These messages are encrypted and signed. They use PKCS#7 signedData inside envelopedData, with different header protection schemes and different Header Confidentiality Policies.

B.3.1. S/MIME Encrypted and Signed Over a Simple Message, Wrapped Message With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 7995 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 4918 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 1030 bytes
   └─╴text/plain 322 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:08:02 -0500
User-Agent: Sample MUA Version 1.0
//4T65xgTqhgXvooFi5pbGQ/V0Va+5uoTUMFoD1PMNdmQ/xMNWsRCMTkr/XNE6p1 xijsFdgq6u++yTaIuMWjiAxrreUVQ5brA8FmodqmN3ZEkf8ynX1AkxHfNv4jPEvh jHhRdw81vNg2HfFvuGUUAHaZv5GmeQTGOhqzW/yqT0mFucK3FUF8Afh04OaqvwIm O5jIp92BN+kTwOoNOEAtJLxfZMBhLcTWQ/jvNuagOhhJy/+sBu3taP/2zD6o77ju s8Y9QXTKT1LmyimqS/LFNl0NC77YCex2VmnTe+1DhEZWX29PX5rW8a0wGXv24B5Q g+vWfbbV8EHot9Gn/0xB4/v3FEUOjAMaj0Qo+l2/hPNnrF8isdtb/kkLJltbOPAY Z/2EfNlZv50HBFDOXC3tnewv4uInWsSHgq6PVFtgbuOAyTq9cqOmjVXmK4VGIPxD b4S5BUXO1gkJnZEYaZYLt93tYub2yxUEBCzhV+COnEYZ9VDRn3B6z/QPqAzqZYHk gsr840WhJ3vrwp8ana3JMCeQqmPcf1GaCdfhzkp5uQWFj38gOlmb5dkV4LHqREFX ATg/dQ391roQuxxso4+MMkVu3CxIWkZG37ayiv/RBctK9lp5/X5wFsTl++/OH6on TOqzguE4X8QWOspypNgINPX9kSfjii/K1eQpZOmNtAC2E6a+GNbq2pe4mlcC5ecX Bam41X6rT1rwiOCuY+AD8ntuoS8GwCqsbBKOAGnhb2xbwzBL5vTC2PjNi9jNjHAR FO04KdAdfOyyqpdDJok4rcZt6yYcYiF0mpULm6C8M2zJgqj5CoKMJZiVwXS5QOel 9efulsuvOJWNd0bPPtkpsApUSq/QNK5QKqXj7Kf28qMp8ldfsE3PGeqWOtwTfgwR lPxrv4v+YEHvm2Q5SPdtGwJr7CrzXmSS1zzRIVG92xI93P6bO8aX2RI782Q2ssMI DG5Fjiu9J93eApqR/eA/LlR3VZof7NC0tKKgmw0ZYDuikqEOuKBKoar+cO5XOQ/u Gillmor, et al. 
Expires 5 December 2024 [Page 107] Internet-Draft Cryptographic MIME Header Protection June 2024 92zSD4JtvlprPdhuybNfMUuhUi1B2e3jOw9ztUGpOl8lAuFUeDhu4dGHItrx2YYF t1Y0MYWNvjhTKtRBczjC5Zcw2+mJpPRAW7komA5jtnRG0l0rMH7/CrAg7hXJFLyQ kBlMZbQZTO6losQuvEhQ/xCWV+x1GtDYkT5Ex9nL1wBqzWE1K22C2Rwt+hiwbTL8 P91WCgEjTs7RkUCGfKXAvrLHZEHpGtgOXl45IFj5fCHzBH/+Cs9P2GvgFypt28qg uz1RUMek3AxkSECgevAcH+2ERMpWnPEMc68S0Q928yWbT/AO1hNWfcUU4JGyu+7P hnjbBTBuGvk3zI8S6v9xhr0H0CaDSFkHsCHfaYJu1L2s9jBxGO/kLvfXtQdZclrQ ZEdYNGClgfhN+m0xZI7WvkkYI0iBkVoYL1RYpgex6l6LDFB/YH+pfdUBFYbztkyi fjl+SzawLlofI4eky1RaW2knnRcv0cGg/KKo2kliD68sHeZ5GOg89oiRl/d8dEZH b7O5Y3tALnACKT8hyTQLGqrcqcRtk+62V7dGP7JVH4D4Ov/knz55QjKmtjFAyHjX zA6VhQxhDK6rmTSnHXbmb2iTGpoSWyiX0y8HpjAMaiJCJAfz5unLcbkJJAiqAPbL tKmBg/D3uak2aF8CPkMqSZJ8auaIwH6KF6HweD/sO+RzOz5wifS0Yd3Ria8QjREG 2pI9aIZ7h/QHE43saFJcxBN3EHbCHbBAeOpi9UKfR/O1a8AGoVO6HRFcOAGIZhpJ 3Fv8yQmz35nkO+9fYok1Lpx5DYInTEvaeed6Y5r6aCy1q7ET5to0HVRkzkFcgFEY UtWalBcLuQNC3/Y4YXob23n6OLH8JN+W1RZCpmPB9raGcFq5VtarE+dGfaNOlVi+ 3uuPANMFyRbb8R494Ox9PyuOnkaJ47qTdUWVNVMHNVkDnRi6087TOIrDIrNhmABD BtULVaVB12j99Ls1StfgDgIQhe8y0VkcLwvylwlTZP8ZS2KO9VxeOGCqhBU3rjQz nJyHz6wq5+fnHmAXdtJL0425Nh/WqDvds0e7x7Js+vZyNswWTrGC213uQ/g9DomH 2d5UPA9/b4Hk5JXo0TQfPGdCDwtNlOOX2xYHxc+4zyHWuOdf/fD0/T87VEurCZCy N/sf4n7sOvuQREbSAXFwPCsXMBu+pu2XsFidULqcCkRZISPVH9Yarw5WmunS7ps5 XvlSTKu/zdlzJ2qAE9vifJSJ1c+jLe6FPy9GzG+6NMMMeAZSyM5gWtV6xyW7Jw0w KN/9nWsNyg8vN7W5Eo1Q/ApdLcCkAwQJifyBkWM92dj95YJzDnUCo3Z8UhoQD2i6 rrhUiKt7j2dXGfXaOLQZhsnmncSzlXjifgtY8Xw/Qk8rqeH0ho5gUqh3cQxMTLo3 VizzTev+CLH1muONlYJVOb3BhuwwfkGAqN3mHuCd4V/S4l7PH4JN3IivTYjd1/Hh GwWo9Ykk1dDXBOx0L5B0Yeq3hOPfG5+VShcwjQVqgsllciOdfb1AET2TkGmYM8Ik umZBp5SXG4F9I0QImMf+g2hn9ycMu9XgRw7dCJDD9hvRpHn9OWSy29M/+aJraTc2 aHnRBO14piHjesFE1pMJjEqh9bNNAeYx0Kkb2YAImUwDtePgUo6g4AixQvN6uIJB QQ2BNzSt3h3Z58GH9oJ1pnzx1JEsn/4JQKYJm8HEuuSqEEwNxYo2jEfaeAf6gtfO iJMTJPWUa3QlPbR9+4zHs9mkfwQpGbXu/L5KEnKUgaPCIwk0dVnrVABcP5eMy+qO mZsjHdDnejwTwzS5oCPdnEl1QZf5y79WY9BoWcXJOd0K4Yx0eUfm3K0ccZRekIIU 
nYXk0FmyvPEBw1XGoMVXqsrEdzvrfLxq0P7DT4aJXKKgqxcMbcOIx2be+02WxTUs jhK6TVfO8Y5ce0Sb7KXWNDIUA0jjBCa8K3J6WCvg57dOZHbnFaF/rpbdsRjmhhGG fD5vyx0k/dj0phA+mcQYKiM6EMb/OZeHQ8q+0J9oHtKta5QPZ4u2z2GKcgsrm2ck H9R4OzX0nKFhgqK09M3iGfNLxVxwJv360czI9H5J6NlmBj0OGlu9e5Proep/POI2 Iwifgh4jSo0RkTolokpipu0SdyUpFK6+dGC/qrHRwda5VM6E0AXnIbwu+b63QuTo PMUldLYjslJJ63JxUSZvP4zNIC1VVjn9BuD36AsKgtML8M8hMC6zvGRXJ6oRv9GQ DOWIS//kOVJR7kMFvHm6YNc6z8n5AiH9c3i4NGLZ/zmPigBqTwk6Uton/VvKouhG vf0nGjZy6toWMR5T0j+BhsA1CeEFqmWI8Ziuvte0+7eb4Iapfo9059irERYHbf2g ysQ1gI0+J5U6UEbWogtyD/Jk8mOPU7QAgD7F67nK+Un1UIZ6Aea8zU8Ct3r0mXir g0+6HFa8FpWwGqRmfqMTmZ5Z5hwpb9IfTQQEMWBSBQGbhOsJxv0p0UzRCRt0WjT/ wV5Z2LFyeWIWx+DonVXeF+cW2Z8yYuJFMyrRyVblGUVeHw/RSWXSaecnE9BmnP3J V8LmjJ+dttLGnC9Cx0FJZ/t5g0OOoubSaOKLTJWR2+Q7nWtTeMu4uKnfFSyfkoMw yfsw1I1N0GwafqN9wUgym4dzXsiEnYyzmx0AHEefHvNsJLUAI1EbK8D2ljskF+8F R1+x3ukIH74Gm+etBCW7VdNFFiVzEe98a2PyOG0GGkeYLWK+Rd5RXse7aBN/6auy 7agH12GQKcZPYMCOb+ylRajiIU8Fp1Ykdyl35XT6HtMlHZXNgrlSIy7qAp6N0Hov Elcews+kl3ZSZbJ+4ILJ6UWh1vWpyfXvYIS/wXMQXNNoqIfg4M+GXicH3ae/qFfI DTu+nv9KtUWO664sfcDXzkz9enW/uJEVjm4NkUkprHt8JieZ0gRe+W+d/+Ic7u5h nFyEvbBwcMoZgtnoSD9XGtBxvuLg9lnizfWaTdRoDigT01XObrqJgYJibMPQ3ZDw SGQA+pj500uUtXv4Q7vkiUfiRSbgqmtiKYwWx0WFejwSazpkH8PDluG6i3AN7HGy Gillmor, et al. 
Expires 5 December 2024 [Page 108] Internet-Draft Cryptographic MIME Header Protection June 2024 SQPJQotx2mJ9QOmgvEo8dh8vCOv748lDPohX+JJTH608/zD+ytM/EG0P6p+Ou+uq qy1glX3CkP/FzjaTdSby/kfpnBOgou6uAHmVEtto35UsV/3qeTlf5e5P75bTvGs/ TEWT7wzzpegdVppzLl0XT+LwPs5TqvVVN47muYlJuIVgE2UffF5f0THAkbvQws3y iS5V06T44MnUvPfzXNEYNRvy4r4gKVdmKaAGVh1XhcOlU3ypjfvMMFQJ5z5MfYHp 8tKlS21hoMH/Ctx52S0eKi5wyQ0pyuucrA5Gs1e6Ua8UY8DolFsrt/eGn1Ms0IRe kHuc/7UnQDFLqIN7lGL0lo3Yi2uiJeOopQy+Q4dTErcX0AEsW9fqPaU5pwYYhcHi vCF2flgVB9n9tsJ06H10i1chRXPDuGaUHJSLnfNMBRWd/hqsH+ZNm5zZAOPxu945 pG5lHbxW2s/cqyqOdRJhfOzP6EuaXcgjfVVqMyWzZXHAX/jS6XRM+yaBhtEJwrr1 qQ9wkyCiHYL3h/xGL9O3JuyW3hA/PUK6hv9UDJu8VIsjvMoFqd8SnhxB57USwjvK jKiTx2F9QL5ZMh+HqPo7Ktlun5q9FSFJ/cDqMqJ+DKmDoxbyqdhwnqM70T5QMmJh wNtkSL7f9dCn5cwuXGRCOHAp4t6BthyZBvuNONTmTcjPRkOrdoq79on9+GGd1+wu q+I8DT2L/xhO718J7oUy3EAeGoLpaUj/gojL9QOyqpclXeFdh0qVaLhhBUV/Qbvk HqpHGMp6362myQULU+Swn49kYRs8yuhknYmeAmEJPrWckTtEFRseFr3pDkeAQat3 CnxqwTMWQOeibztSgb7rzBtzKuPNE5XVjb4nPeH+9y4B/0Oxb4upFJ7mOD3HBw1M 5ZwWAWgf4pxgB05Q9svExdSwLw/BNaMYQPp1y3BsipFVhMK4BcqrfilV8uTkQK3U ls8av8nH1kpqIUN5Cffy1jH+0hQX0tHs50//W/M525aSQwhJ4EJyimJ9cIFjBzqF wlgey+7W3SoMhr/5I/Re0vbLbzzLUIpNNetVxHAZwfNIveofSYYJMvpMPOVjxrH0 p38KCLMzL+2S0VLXslH3gkEI7kH56xNCQ9hPsyRK0I7IaYEMgz2s8wLY6eBXnK0P jakJH9HJDaReTVEa7zhoCQqHUL7Sb4A8R1sj6lYbjAsnVnQJuF6/VHYKrygcP1z2 CCCgplB0B/YDrPTgZWjxGibofcOMIGHBbRqi1pKrHmvfWrq/VSsYfR7kuKLWlwNa LeNk3qEk5SkcVJH8VTdE4avPqTsB3kwWmev2RDVUk93WluywLjcASo7touf5E6i4 1u4gMtpieDMnfFn61Eww6/VZqchSLjPHMEdd6kuCOq5SywPGyRTJmPXYfpscy2Hf 4hNZ8oQ4aYt4kFCUAsPagSq8hteOGX+1CEz3ey2CbWgkNOm2R3zXkMcHcmB81yUz duS8x/QNUkUKuF2MGXTasDgibEwIBQejjyXc+IJXxZwGaITRxINqCwMAcz8qiLv9 kHm+5wFENGaG6aMK89i5gJJvKjBMrffz2ZTVuT6FJq+mPV2C/JMvEWTY6aHvt1Eh ndJfcORe8xRELqTNc95d5gvEbEf3pPiPv73VaLzVwByqOGw2+B0lknGNsyE3Adie RI8tFshkC09aba8ElJtVOoIA+dV3qEgBs5v8+yiA50PipEOz1tae7STIn4m0isnM N3OuOs5TuM36LOyVOmONI4WIIPuxpYmMZXGcKYB2GnFl0c2rj9hnE889RZZELh8v Z5FTGiUBTlHBOkUlC846SOxt8OfXxi0rM0sQPrWtbRrTf93vd12ylkVM/MZHyMaW 

B.3.2.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7890 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4824 bytes
     ⇩ (unwraps to)
     └─╴text/plain 334 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:09:02 -0500
   User-Agent: Sample MUA Version 1.0

B.3.3.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8125 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5008 bytes
     ⇩ (unwraps to)
     └─╴text/plain 424 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:10:02 -0500
   User-Agent: Sample MUA Version 1.0

B.3.4.  S/MIME Encrypted and Signed Over a Simple Message, Wrapped
        Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 7930 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4856 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 985 bytes
      └─╴text/plain 320 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <73a42f8e-8f5a-5c62-b982-82ace766fd32@lhp.example>
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 10:11:02 -0500
UUw5OfNDScaKE+8blkBqHzbP/73APVFSc9ZF+eqpqyc6W+vWkmvfyYPwIOzFSmA+ ZfrSKNgs6Z7vB/Wr65DQ11UHe4hb62Syav8Mk4buotKTqdAE+9zYdk5aJGQMPeBa xZbP2pOWPsADQsOBKL0x/L8IjZCpHto+ZcpvAMdMXHJtLKenM6mr894qhRseMFXI vMvFOOecw93CWmnKuc5INH3TernysKyfDhUJO257bth1RKJ7+RnfQtR6Vyg84ODs ZGtFnGEajPNyXuwL/x9jHqcd3LAFZ8voRmZ16FlzyU+umpmDJkKFnVMz/IxEOEJG e1jYGenXrz43goedK9jOG5PFmUFyhnsxCwpVh5P6QxQXYZuMsg+qYx3mfNpsEJSH YC4tde1cICPIi/SGS5GJkIyLi5KKrkQOrn6XZ8gO98zse2XaDHf54+LCBjYHSYhO JILlrqdUxLitEsnXI3RB4ZWItzK7zgrrTJQfNqmEZ8pkzW27S7O33yNzN4YGJvav cfd5Hmi8q9YFA9a5Cu4Lh7/5uNp1nAyGJ/cFM7RNa7Tykz1rX3hzeh5tTdQNXNYU StUZhiptg4tw7PwEQVdLmJOBjsZ0WBdbP3YRsbjdgWPamcappcnoiBHYG491XZCM NSipuroBbZTyg/XCUxluiagCyQwbUQq4GAeX6yzWODujyZsdCpbJWO03AeMz4pZE ShI6lfFFDK0eZgNkYOyGenGcVIKEBNRLZ/3lxTHcGLf3keCWHj14agBeh7Ncb0lu YdsVr77WH2s+WYzuw28KREWHGSy7KsqyIJyxsjBpYtqPpAbdk8ZymFIY9vDbNU7w 2pxxNP7r2RckdhzUOVFLIwqugBNVdIZU0Sm0UWS7WrSUBO5VyB6t8WEsUUnyeb8B pUxlta6S6PgcBU8ldvackDlEvhCUeAsXeM28/jF1zfNHzF0wdV/aE6sPqVA5Sckn cbbjdcaRKoE1uxgmwoFBYZLaFFiiENTg5WAndR8eULw9wLWRwzKKgMkd+G253dO9 sxYsV72p6L6DgfQIFChNaAhN9OPedqohIh/wYtmlPeqkVyw5SvJ5M7Y6dQbrQqh+ NSxWmsBmPwESz1mkrWWLzR78ibWqPb16lVerxx76Sr/pk/AuG4LxybaEvVFHX0Yr 7Di4XOGCpNpX1ay9bI48Y8V0T+Deosc/rtwis5IfPltRWj3KbfWt6NKghnXopm2X Gillmor, et al. Expires 5 December 2024 [Page 118] Internet-Draft Cryptographic MIME Header Protection June 2024 kxknYsHZ4EzgLFKE8Gaoqiu7LqsM2oyFEUr3jZgdXvNNF6MX2ZL7jdn5m/mtevoT 3TxngGgaK7QISDVaFe5wNVfVjy6Q6WMj64z+DgKmNR2ydlhTyTzVBjG8mHNw3Muy DGnRGY1ZKp4WbvXsq5puh+yCsT+3712RKeDPMF/rbYD1xaRhUXFcZdxZXIvAoqWT LWa7n5dN2HhUXc+GFFsheGcsZA7npxEyHXOq7OaUpmyeGr2A2GjVwZbb1sOjh4Sh l6O2+28NrNjXSBR61zUyhlFORbIPlpt0s0qY8X4Wd/zKbDQhi7OHiMC5CiRoqJsO LhzX+gJD2vWardPV14aHMM4U9AW21WU4nmdEe/Me2ywc3jl9uNp2bWAFG0Iq+RFv QutWPwX+7R0T0Qoa6C42fWj6ZCQ/QpGcljpMbT0fNx470bU9IWnM2DS3DsN8UiBz aSFvztQopojx4gNAFqjrYu+EzduJ5eTC1iadUU+INmIBTzNHEa04A8FIH6bBUcp5 mwHTH/6EF4a3Pn2QeZ+z4emqnqCYj0pd8EYk8XtpgIwexM/Wouo9XnrRhV8BfjFh B.3.5. 
S/MIME Encrypted and Signed Over a Simple Message, Injected Headers With hcp_strong This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy. It has the following structure: └─╴application/pkcs7-mime [smime.p7m] 7780 bytes ↧ (decrypts to) └─╴application/pkcs7-mime [smime.p7m] 4758 bytes ⇩ (unwraps to) └─╴text/plain 332 bytes Its contents are: Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data" Subject: [...] Message-ID: <27139e00-e05f-581d-a339-d2bd43bd0f42@lhp.example> From: Alice To: Bob Date: Sat, 20 Feb 2021 10:12:02 -0500 MIIWbAYJKoZIhvcNAQcDoIIWXTCCFlkCAQAxggMQMIIBhAIBADBsMFUxDTALBgNV BAoTBElFVEYxETAPBgNVBAsTCExBTVBTIFdHMTEwLwYDVQQDEyhTYW1wbGUgTEFN UFMgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5AhMPLSW9ETmXSs5CVIeh7j00 Boq0MA0GCSqGSIb3DQEBAQUABIIBAAPEUxBMiR5wjFUYESXlqPUNRxKt8fCR3UYe hFL9TJG/Fw69gzE6fKRMIVmALWOfwN0HPoi9TdqeAiXAavKP6G1BMhjPmOYs6Ipv +eGggMdIIeriUAR4x8/6Im9R9bU6nZvEnADOFo3Ce9I7PQ7TkQh3X5MjDai8mCFu x9ePDUWYTPeQd+bKX2TwVXtruwNHZAaNdsV60CJB0finymlqt/X8pWjv/BK530Kq llrXJw1icXmhECNMgl9kLt5jIaSWZfA1mCA6InDR4LpiDhDq4zeEEWgLJlCBcnAU 8Wn10Q5BFMFYmILzHLBJTnIF7zwVp6CJn9S+8hYJspY9vTElOQIwggGEAgEAMGww VTENMAsGA1UEChMESUVURjERMA8GA1UECxMITEFNUFMgV0cxMTAvBgNVBAMTKFNh bXBsZSBMQU1QUyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkCEzB8R0APhiY6 Gillmor, et al. 

B.3.6.  S/MIME Encrypted and Signed Over a Simple Message, Injected
        Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8020 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 4930 bytes
     ⇩ (unwraps to)
     └─╴text/plain 421 bytes

   Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:13:02 -0500

B.3.7.  S/MIME Encrypted and Signed Reply Over a Simple Message,
        Wrapped Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Wrapped Message header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8540 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5306 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 1312 bytes
      └─╴text/plain 328 bytes

   Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:14:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:

B.3.8.  S/MIME Encrypted and Signed Reply Over a Simple Message,
        Injected Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a text/plain
   message.  It uses the Injected Headers header protection scheme with
   the hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 8430 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 5224 bytes
     ⇩ (unwraps to)
     └─╴text/plain 340 bytes

   Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:15:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:
B.3.9.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_minimal (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8735 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5454 bytes
  ⇩ (unwraps to)
  └─╴text/plain 436 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:16:02 -0500
User-Agent: Sample MUA Version 1.0
In-Reply-To:
References:

B.3.10.  S/MIME Encrypted and Signed Reply Over a Simple Message, Wrapped Message With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Wrapped Message header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8170 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5042 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 1120 bytes
   └─╴text/plain 326 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID: <0e210732-9184-5855-9a95-2a635560d3a6@lhp.example>
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:17:02 -0500

B.3.11.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8040 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 4950 bytes
  ⇩ (unwraps to)
  └─╴text/plain 338 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID: <0b3ea6dd-0e91-5a91-9bc0-3d553f892983@lhp.example>
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:18:02 -0500

B.3.12.  S/MIME Encrypted and Signed Reply Over a Simple Message, Injected Headers With hcp_strong (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a text/plain message. It uses the Injected Headers header protection scheme with the hcp_strong Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 8320 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 5148 bytes
  ⇩ (unwraps to)
  └─╴text/plain 433 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 10:19:02 -0500

B.3.13. S/MIME Encrypted and Signed Over a Complex Message, Wrapped Message With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Wrapped Message header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10140 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6498 bytes
  ⇩ (unwraps to)
  └┬╴message/rfc822 inline 2179 bytes
   └┬╴multipart/mixed 2069 bytes
    ├┬╴multipart/alternative 1134 bytes
    │├─╴text/plain 376 bytes
    │└─╴text/html 474 bytes
    └─╴image/png inline 232 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:08:02 -0500
User-Agent: Sample MUA Version 1.0
B.3.14. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10075 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6452 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2089 bytes
   ├┬╴multipart/alternative 1138 bytes
   │├─╴text/plain 388 bytes
   │└─╴text/html 483 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:09:02 -0500
User-Agent: Sample MUA Version 1.0
B.3.15. S/MIME Encrypted and Signed Over a Complex Message, Injected Headers With hcp_minimal (+ Legacy Display)

This is an encrypted and signed S/MIME message using PKCS#7 envelopedData around signedData. The payload is a multipart/alternative message with an inline image/png attachment. It uses the Injected Headers header protection scheme with the hcp_minimal Header Confidentiality Policy with a "Legacy Display" part.

It has the following structure:

└─╴application/pkcs7-mime [smime.p7m] 10685 bytes
 ↧ (decrypts to)
 └─╴application/pkcs7-mime [smime.p7m] 6898 bytes
  ⇩ (unwraps to)
  └┬╴multipart/mixed 2407 bytes
   ├┬╴multipart/alternative 1433 bytes
   │├─╴text/plain 486 bytes
   │└─╴text/html 638 bytes
   └─╴image/png inline 236 bytes

Its contents are:

Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-mime; name="smime.p7m";
 smime-type="enveloped-data"
Subject: [...]
Message-ID:
From: Alice
To: Bob
Date: Sat, 20 Feb 2021 12:10:02 -0500
User-Agent: Sample MUA Version 1.0
B.3.16.  S/MIME Encrypted and Signed Over a Complex Message, Wrapped
         Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Wrapped Message header protection scheme with the
   hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10055 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6424 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2124 bytes
      └┬╴multipart/mixed 2014 bytes
       ├┬╴multipart/alternative 1130 bytes
       │├─╴text/plain 374 bytes
       │└─╴text/html 472 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <95b9bb39-c028-5ff4-99b1-f179cb5d7585@lhp.example>
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:11:02 -0500
B.3.17.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 9970 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6374 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2033 bytes
      ├┬╴multipart/alternative 1134 bytes
      │├─╴text/plain 386 bytes
      │└─╴text/html 481 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <23abef5f-8781-5c95-a46c-61e3a4464d58@lhp.example>
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:12:02 -0500
B.3.18.  S/MIME Encrypted and Signed Over a Complex Message, Injected
         Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10555 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6804 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2340 bytes
      ├┬╴multipart/alternative 1427 bytes
      │├─╴text/plain 483 bytes
      │└─╴text/html 635 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <9cfcaae2-9fec-5aca-9a29-c98da35b262d@lhp.example>
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:13:02 -0500

B.3.19.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Wrapped Message With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Wrapped Message header protection scheme with the
   hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10750 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6940 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2501 bytes
      └┬╴multipart/mixed 2391 bytes
       ├┬╴multipart/alternative 1146 bytes
       │├─╴text/plain 382 bytes
       │└─╴text/html 480 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:14:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:

B.3.20.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_minimal

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_minimal Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10705 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6906 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2415 bytes
      ├┬╴multipart/alternative 1150 bytes
      │├─╴text/plain 394 bytes
      │└─╴text/html 489 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:15:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
B.3.21.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_minimal (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_minimal Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 11310 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 7360 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2740 bytes
      ├┬╴multipart/alternative 1437 bytes
      │├─╴text/plain 488 bytes
      │└─╴text/html 640 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:16:02 -0500
   User-Agent: Sample MUA Version 1.0
   In-Reply-To:
   References:
B.3.22.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Wrapped Message With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Wrapped Message header protection scheme with the
   hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10335 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6638 bytes
     ⇩ (unwraps to)
     └┬╴message/rfc822 inline 2281 bytes
      └┬╴multipart/mixed 2171 bytes
       ├┬╴multipart/alternative 1142 bytes
       │├─╴text/plain 380 bytes
       │└─╴text/html 478 bytes
       └─╴image/png inline 232 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID: <38a0b7ba-76e0-5351-93e9-f44877e20e6e@lhp.example>
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:17:02 -0500
B.3.23.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_strong

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_strong Header Confidentiality Policy.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10270 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 6596 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2192 bytes
      ├┬╴multipart/alternative 1146 bytes
      │├─╴text/plain 392 bytes
      │└─╴text/html 487 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:18:02 -0500

B.3.24.  S/MIME Encrypted and Signed Reply Over a Complex Message,
         Injected Headers With hcp_strong (+ Legacy Display)

   This is an encrypted and signed S/MIME message using PKCS#7
   envelopedData around signedData.  The payload is a
   multipart/alternative message with an inline image/png attachment.
   It uses the Injected Headers header protection scheme with the
   hcp_strong Header Confidentiality Policy with a "Legacy Display"
   part.

   It has the following structure:

   └─╴application/pkcs7-mime [smime.p7m] 10900 bytes
    ↧ (decrypts to)
    └─╴application/pkcs7-mime [smime.p7m] 7062 bytes
     ⇩ (unwraps to)
     └┬╴multipart/mixed 2527 bytes
      ├┬╴multipart/alternative 1451 bytes
      │├─╴text/plain 495 bytes
      │└─╴text/html 647 bytes
      └─╴image/png inline 236 bytes

   Its contents are:

   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   Subject: [...]
   Message-ID:
   From: Alice
   To: Bob
   Date: Sat, 20 Feb 2021 12:19:02 -0500

Appendix C.  Composition Examples

   This section offers step-by-step examples of message composition.

C.1.  New message composition

   A typical MUA composition interface offers the user a place to
   indicate the message recipients, the subject, and the body.
   Consider a composition window filled out by the user like so:

    .------------------------------------------------------.
   | Composing New Message                          .----.  |
   |          +---------------------------------+  | Send | |
   |      To: | Alice                           |   '----'  |
   |          +---------------------------------+---------+ |
   | Subject: | Handling the Jones contract               | |
   |          +-------------------------------------------+ |
   +--------------------------------------------------------+
   | Please review and approve or decline by Thursday, it's |
   | critical!                                              |
   |                                                        |
   | Thanks,                                                |
   | Bob                                                    |
   |                                                        |
   | --                                                     |
   | Bob Gonzalez                                           |
   | ACME, Inc.                                             |
   |                                                        |
   +--------------------------------------------------------+

             Figure 1: Example Message Composition Interface

   When Bob clicks "Send", his MUA generates values for Message-ID,
   From, and Date Header Fields, and converts the message body into the
   appropriate format.

C.1.1.  Unprotected message

   The resulting message would look something like this if it was sent
   without cryptographic protections:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

C.1.2.  Encrypted with hcp_minimal and Legacy Display

   Now consider the message to be generated if it is to be
   cryptographically signed and encrypted, using HCP hcp_minimal, and
   the legacy variable is set.

   For each Header Field, Bob's MUA passes its name and value through
   hcp_minimal.  This returns the same value for every Header Field,
   except that:

   hcp_minimal("Subject", "Handling the Jones contract") yields "[...]".

C.1.2.1.  Cryptographic Payload

   The Cryptographic Payload that will be signed and then encrypted is
   very similar to the unprotected message in Appendix C.1.1.  Note the
   addition of:

   *  The hp="cipher" parameter for the Content-Type

   *  The appropriate HP-Outer Header Field for Subject

   *  The hp-legacy-display="1" parameter for the Content-Type

   *  The Legacy Display Element (the simple pseudo-header and its
      trailing newline) in the Main Body Part.

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: Handling the Jones contract
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
    hp="cipher"
   MIME-Version: 1.0
   HP-Outer: Date: Wed, 11 Jan 2023 16:08:43 -0500
   HP-Outer: From: Bob
   HP-Outer: To: Alice
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID: <20230111T210843Z.1234@lhp.example>

   Subject: Handling the Jones contract

   Please review and approve or decline by Thursday, it's critical!

   Thanks,
   Bob

   --
   Bob Gonzalez
   ACME, Inc.

C.1.2.2.  External Header Section

   The Cryptographic Payload from Appendix C.1.2.1 is then wrapped in
   the appropriate Cryptographic Layers.  For this example, using
   S/MIME, it is wrapped in an application/pkcs7-mime;
   smime-type="signed-data" layer, which is in turn wrapped in an
   application/pkcs7-mime; smime-type="enveloped-data" layer.

   Then an external Header Section is applied to the outer MIME object,
   which looks like this:

   Date: Wed, 11 Jan 2023 16:08:43 -0500
   From: Bob
   To: Alice
   Subject: [...]
   Message-ID: <20230111T210843Z.1234@lhp.example>
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m";
    smime-type="enveloped-data"
   MIME-Version: 1.0

   Note that the Subject Header Field has been obscured appropriately
   by hcp_minimal.  The output of the CMS enveloping operation is
   base64-encoded and forms the body of the message.

C.2.  Composing a Reply

   Next we consider a typical MUA reply interface, where we see Alice
   replying to Bob's message from Appendix C.1.

   When Alice clicks "Reply" to Bob's signed-and-encrypted message with
   Header Protection, she might see something like this:

    .--------------------------------------------------------.
   | Replying to Bob ("Handling the Jones Contract")  .----.  |
   |          +-----------------------------------+  | Send | |
   |      To: | Bob                               |   '----'  |
   |          +-----------------------------------+---------+ |
   | Subject: | Re: Handling the Jones contract             | |
   |          +---------------------------------------------+ |
   +----------------------------------------------------------+
   | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:           |
   |                                                          |
   | > Please review and approve or decline by Thursday,      |
   | > it's critical!                                         |
   | >                                                        |
   | > Thanks,                                                |
   | > Bob                                                    |
   | >                                                        |
   | > --                                                     |
   | > Bob Gonzalez                                           |
   | > ACME, Inc.                                             |
   |                                                          |
   | --                                                       |
   | Alice Jenkins                                            |
   | ACME, Inc.                                               |
   |                                                          |
   +----------------------------------------------------------+

          Figure 2: Example Message Reply Interface (unedited)

   Note that because Alice's MUA is aware of Header Protection, it
   knows what the correct Subject header is, even though it was
   obscured.  It also knows to avoid including the Legacy Display
   Element in the quoted/attributed text that it includes in the draft
   reply.

   Once Alice has edited the reply message, it might look something
   like this:

    .--------------------------------------------------------.
   | Replying to Bob ("Handling the Jones Contract")  .----.  |
   |          +-----------------------------------+  | Send | |
   |      To: | Bob                               |   '----'  |
   |          +-----------------------------------+---------+ |
   | Subject: | Re: Handling the Jones contract             | |
   |          +---------------------------------------------+ |
   +----------------------------------------------------------+
   | On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:           |
   |                                                          |
   | > Please review and approve or decline by Thursday,      |
   | > it's critical!                                         |
   |                                                          |
   | I'll get right on it, Bob!                               |
   |                                                          |
   | Regards,                                                 |
   | Alice                                                    |
   |                                                          |
   | --                                                       |
   | Alice Jenkins                                            |
   | ACME, Inc.                                               |
   |                                                          |
   +----------------------------------------------------------+

           Figure 3: Example Message Reply Interface (edited)

   When Alice clicks "Send", the MUA generates values for Message-ID,
   From, and Date Header Fields, populates the In-Reply-To, and
   References Header Fields, and also converts the reply body into the
   appropriate format.

C.2.1.  Unprotected message

   The resulting message would look something like this if it were to
   be sent without any cryptographic protections:

   Date: Wed, 11 Jan 2023 16:48:22 -0500
   From: Alice
   To: Bob
   Subject: Re: Handling the Jones contract
   Message-ID: <20230111T214822Z.5678@lhp.example>
   In-Reply-To: <20230111T210843Z.1234@lhp.example>
   References: <20230111T210843Z.1234@lhp.example>
   Content-Type: text/plain; charset="us-ascii"
   MIME-Version: 1.0

   On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote:

   > Please review and approve or decline by Thursday,
   > it's critical!

   I'll get right on it, Bob!

   Regards,
   Alice

   --
   Alice Jenkins
   ACME, Inc.

   Of course, this would leak not only the contents of Alice's message,
   but also the contents of Bob's initial message, as well as the
   Subject Header Field!  So Alice's MUA won't do that; it is going to
   create a signed-and-encrypted message to submit to the network.

C.2.2.  Encrypted with hcp_no_confidentiality and Legacy Display

   This example assumes that Alice's MUA uses hcp_no_confidentiality,
   not hcp_minimal.  That is, by default, it does not obscure or remove
   any Header Fields, even when encrypting.

   However, it follows the guidance in Section 2.7.8.1, and will make
   use of the HP-Outer field in the Cryptographic Payload of Bob's
   original message (Appendix C.1.2.1) to determine what to obscure.

   When crafting the Cryptographic Payload, its baseline HCP
   (hcp_no_confidentiality) leaves each field untouched.  To uphold the
   confidentiality of the sender's values when replying, the MUA
   executes the following steps (for brevity only Subject and
   Message-ID/In-Reply-To are shown):

   *  Extract the referenced header fields (see Section 2.5.4):

      -  refouter contains:

         o  Date: Wed, 11 Jan 2023 16:08:43 -0500
         o  From: Bob
         o  To: Alice
         o  Subject: [...]
         o  Message-ID: <20230111T210843Z.1234@lhp.example>

      -  refprotected contains:

         o  Date: Wed, 11 Jan 2023 16:08:43 -0500
         o  From: Bob
         o  To: Alice
         o  Subject: Handling the Jones contract
         o  Message-ID: <20230111T210843Z.1234@lhp.example>

   *  Apply the response function:

      -  respond(refouter) contains:

         o  From: Alice
         o  To: Bob
         o  Subject: Re: [...]
         o  In-Reply-To: <20230111T210843Z.1234@lhp.example>
         o  References: <20230111T210843Z.1234@lhp.example>

      -  respond(refprotected) contains:

         o  From: Alice
         o  To: Bob
         o  Subject: Re: Handling the Jones contract
         o  In-Reply-To: <20230111T210843Z.1234@lhp.example>
         o  References: <20230111T210843Z.1234@lhp.example>

   *  Compute the ephemeral response_hcp (see Section 2.5.5):

      -  Note that all headers except Subject are the same.

      -  confmap contains only ("Subject", "Re: Handling the Jones
         contract") -> "Re: [...]"

   Thus all Header Fields that were signed are passed through
   untouched.  The reply's Subject is obscured as Subject: Re: [...] if
   and only if the user does not edit the subject line from that
   initially proposed by the MUA's reply interface.

   If the user edits the subject line, e.g., to Subject: Re: Handling
   the Jones contract ASAP, the response_hcp will _not_ obscure it, and
   instead pass it through in the clear.

   For stronger header confidentiality, the replying MUA should use a
   reasonable HCP (not hcp_no_confidentiality).
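
   The steps listed above can be traced in code.  The following Python
   sketch is an added example, not code from the draft: respond() is a
   simplified stand-in for an MUA's reply logic, and treating any
   differing value as a confmap entry (with None meaning "omit the
   field") is an assumption of the sketch.  The header values are the
   ones shown in this appendix.

```python
# Added illustration of the C.2.2 reply steps; not code from the draft.
# respond() is a simplified stand-in for an MUA's reply logic (assumption).

# Header values as shown in this appendix (addresses appear as on the page).
REFOUTER = {
    "Date": "Wed, 11 Jan 2023 16:08:43 -0500",
    "From": "Bob",
    "To": "Alice",
    "Subject": "[...]",
    "Message-ID": "<20230111T210843Z.1234@lhp.example>",
}
REFPROTECTED = dict(REFOUTER, Subject="Handling the Jones contract")


def hcp_no_confidentiality(name, value):
    """Baseline HCP in this example: every field passes through unchanged."""
    return value


def hcp_minimal(name, value):
    """Obscures only Subject, as in Appendix C.1.2."""
    return "[...]" if name.lower() == "subject" else value


def respond(ref):
    """Headers an MUA would propose for a reply to `ref` (simplified)."""
    subject = ref["Subject"]
    if not subject.lower().startswith("re:"):
        subject = "Re: " + subject
    return {
        "From": ref["To"],
        "To": ref["From"],
        "Subject": subject,
        "In-Reply-To": ref["Message-ID"],
        "References": ref["Message-ID"],
    }


def build_confmap(refouter, refprotected):
    """Map (name, protected value) -> outer value wherever the two differ."""
    proposed_outer = respond(refouter)
    proposed_protected = respond(refprotected)
    confmap = {}
    for name, protected_value in proposed_protected.items():
        outer_value = proposed_outer.get(name)  # None: absent from the outer
        if outer_value != protected_value:
            confmap[(name.lower(), protected_value)] = outer_value
    return confmap


def make_response_hcp(confmap):
    """Ephemeral HCP: obscure a field only if name AND value match confmap."""
    def response_hcp(name, value):
        return confmap.get((name.lower(), value), value)
    return response_hcp


def outer_header_section(draft, local_hcp, response_hcp):
    """Local HCP runs first; response_hcp only sees what it left unchanged."""
    outer = {}
    for name, value in draft.items():
        result = local_hcp(name, value)
        if result == value:
            result = response_hcp(name, value)
        if result is not None:  # None would mean "omit from the outer headers"
            outer[name] = result
    return outer


def reply_draft(subject):
    """Alice's protected reply headers, with the subject as she left it."""
    draft = respond(REFPROTECTED)
    draft["Subject"] = subject
    draft["Date"] = "Wed, 11 Jan 2023 16:48:22 -0500"
    draft["Message-ID"] = "<20230111T214822Z.5678@lhp.example>"
    return draft


if __name__ == "__main__":
    hcp = make_response_hcp(build_confmap(REFOUTER, REFPROTECTED))
    for subject in ("Re: Handling the Jones contract",
                    "Re: Handling the Jones contract ASAP"):
        outer = outer_header_section(reply_draft(subject),
                                     hcp_no_confidentiality, hcp)
        print(repr(subject), "->", repr(outer["Subject"]))
```
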
Also recall that the local HCP is applied first, and that response_hcp is only applied to what is left unchanged by the local HCP. C.2.2.1. Cryptographic Payload Consequently, the Cryptographic Payload for Alice's reply looks like this: Gillmor, et al. Expires 5 December 2024 [Page 202] Internet-Draft Cryptographic MIME Header Protection June 2024 Date: Wed, 11 Jan 2023 16:48:22 -0500 From: Alice To: Bob Subject: Re: Handling the Jones contract Message-ID: <20230111T214822Z.5678@lhp.example> In-Reply-To: <20230111T210843Z.1234@lhp.example> References: <20230111T210843Z.1234@lhp.example> Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher" MIME-Version: 1.0 HP-Outer: Date: Wed, 11 Jan 2023 16:48:22 -0500 HP-Outer: From: Alice HP-Outer: To: Bob HP-Outer: Subject: Re: [...] HP-Outer: Message-ID: <20230111T214822Z.5678@lhp.example> HP-Outer: In-Reply-To: <20230111T210843Z.1234@lhp.example> HP-Outer: References: <20230111T210843Z.1234@lhp.example> Subject: Re: Handling the Jones contract On Wed, 11 Jan 2023 16:08:43 -0500, Bob wrote: > Please review and approve or decline by Thursday, > it's critical! I'll get right on it, Bob! Regards, Alice -- Alice Jenkins ACME, Inc. Note the following features: * the hp="cipher" parameter to Content-Type * the appropriate HP-Outer Header Field for Subject, * the hp-legacy-display="1" parameter for the Content-Type * the Legacy Display Element (the simple pseudo-header and its trailing newline) in the Main Body Part. Gillmor, et al. Expires 5 December 2024 [Page 203] Internet-Draft Cryptographic MIME Header Protection June 2024 C.2.2.2. External Header Section The Cryptographic Payload from Appendix C.2.2.1 is then wrapped in the appropriate Cryptographic Layers. For this example, using S/ MIME, it is wrapped in an application/pkcs7-mime; smime-type="signed- data" layer, which is in turn wrapped in an application/pkcs7-mime; smime-type="enveloped-data" layer. 
Then an external Header Section is applied to the outer MIME object,
which looks like this:

   Date: Wed, 11 Jan 2023 16:48:22 -0500
   From: Alice
   To: Bob
   Subject: Re: [...]
   Message-ID: <20230111T214822Z.5678@lhp.example>
   In-Reply-To: <20230111T210843Z.1234@lhp.example>
   References: <20230111T210843Z.1234@lhp.example>
   Content-Transfer-Encoding: base64
   Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type="enveloped-data"
   MIME-Version: 1.0

Note that the Subject Header Field has been obscured appropriately
even though hcp_no_confidentiality would not have touched it by
default.

The output of the CMS enveloping operation is base64-encoded and forms
the body of the message.

Appendix D.  Rendering Examples

This section offers example Cryptographic Payloads (the content within
the Cryptographic Envelope) that contain Legacy Display Elements.

D.1.  Example text/plain Cryptographic Payload with Legacy Display
      Elements

Here is a simple one-part Cryptographic Payload (Header Section and
body) of a message that includes Legacy Display Elements:

   Date: Fri, 21 Jan 2022 20:40:48 -0500
   From: Alice
   To: Bob
   Subject: Dinner plans
   Message-ID:
   MIME-Version: 1.0
   Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
   HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

A compatible MUA will recognize the hp-legacy-display="1" parameter
and render the body of the message as:

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.
A legacy decryption-capable MUA that is unaware of this mechanism will
ignore the hp-legacy-display="1" parameter and instead render the body
including the Legacy Display Elements:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park
   from there.

D.2.  Example text/html Cryptographic Payload with Legacy Display
      Elements

Here is a modern one-part Cryptographic Payload (Header Section and
body) of a message that includes Legacy Display Elements:

   Date: Fri, 21 Jan 2022 20:40:48 -0500
   From: Alice
   To: Bob
   Subject: Dinner plans
   Message-ID:
   MIME-Version: 1.0
   Content-Type: text/html; charset="us-ascii"; hp-legacy-display="1"; hp="cipher"
   HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
   HP-Outer: From: Alice
   HP-Outer: To: Bob
   HP-Outer: Subject: [...]
   HP-Outer: Message-ID:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park from there.
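The text/plain rendering decision from Appendix D.1 can be shown in code. This Python sketch is an added example, not code from the draft. It assumes the Legacy Display Element is the leading pseudo-header block ending at the first blank line, and that a protected field counts as hidden when its exact name and value do not appear in an HP-Outer field. The sample message is constructed, with placeholder addresses and Message-ID.

```python
import email

# Constructed sample modelled on the Appendix D.1 payload. The addresses and
# Message-ID are placeholders made up for this example.
PAYLOAD = """\
Date: Fri, 21 Jan 2022 20:40:48 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.net>
Subject: Dinner plans
Message-ID: <constructed-1@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; hp-legacy-display="1";
 hp="cipher"
HP-Outer: Date: Fri, 21 Jan 2022 20:40:48 -0500
HP-Outer: From: Alice <alice@example.net>
HP-Outer: To: Bob <bob@example.net>
HP-Outer: Subject: [...]
HP-Outer: Message-ID: <constructed-1@example.net>

Subject: Dinner plans

Let's meet at Rama's Roti Shop at 8pm and go to the park
from there.
"""
MSG = email.message_from_string(PAYLOAD)

def render_body(msg, hp_aware):
    """Body text as shown by an HP-aware MUA or by a legacy MUA."""
    body = msg.get_payload()
    if not (hp_aware and msg.get_content_type() == "text/plain"
            and msg.get_param("hp-legacy-display") == "1"):
        return body  # legacy MUA, or no Legacy Display Element flagged
    lines = body.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if not line.strip():  # first blank line ends the pseudo-header block
            return "".join(lines[i + 1:])
    return body  # no blank line found: leave the body untouched

def confidential_fields(msg):
    """Protected fields whose (name, value) pair is absent from HP-Outer."""
    outer = set()
    for raw in msg.get_all("HP-Outer", []):
        name, _, value = raw.partition(":")
        outer.add((name.strip().lower(), value.strip()))
    hidden = []
    for name, value in msg.items():
        low = name.lower()
        if low in ("hp-outer", "mime-version") or low.startswith("content-"):
            continue  # structural fields and the HP-Outer records themselves
        if msg.get_param("hp") == "cipher" and (low, value.strip()) not in outer:
            hidden.append(name)
    return hidden
```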

A compatible MUA will recognize the hp-legacy-display="1" parameter
and mask out the Legacy Display div, rendering the body of the message
as a simple paragraph:

   Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

A legacy decryption-capable MUA that is unaware of this mechanism will
ignore the hp-legacy-display="1" parameter and instead render the body
including the Legacy Display Elements:

   Subject: Dinner plans

   Let's meet at Rama's Roti Shop at 8pm and go to the park from there.

Appendix E.  Other Header Protection Schemes

Other Header Protection schemes have been proposed in the past.
However, those typically have drawbacks such as sparse implementation,
known problems with legacy interoperability (in particular with
rendering), lack of clear signalling of sender intent, and/or
incomplete cryptographic protections. This section lists such schemes
known at the time of the publication of this document out of
historical interest.

E.1.  Original RFC 8551 Header Protection

S/MIME [RFC8551] (as well as its predecessors [RFC5751] and [RFC3851])
defined a form of cryptographic Header Protection that is similar to
the "Wrapped Message" scheme specified in this document. In fact, the
scheme originally defined in S/MIME is a subset of the "Wrapped
Message" scheme specified in this document. The differences between
the original and the updated scheme are outlined in Section 2.2.

E.2.  Pretty Easy Privacy (pEp)

The pEp (pretty Easy privacy) [I-D.pep-general] project specifies two
different MIME schemes that include Header Protection for
Signed-and-Encrypted e-mail messages in [I-D.pep-email]: One scheme --
referred to as pEp Email Format 1 (PEF-1) -- is generated towards MUAs
not known to be pEp-capable, while the other scheme -- referred to as
PEF-2 -- is used between MUAs discovered to be compatible with pEp.
Signed-only messages are not recommended in pEp.

E.3.  "draft-autocrypt" Protected Headers

[I-D.autocrypt-lamps-protected-headers] describes a scheme similar to
the "Injected Headers" scheme specified in this document. However,
instead of adding Legacy Display Elements to existing MIME parts (cf.
Section 2.5.6.1), "draft-autocrypt" injects a new MIME element "Legacy
Display Part", thus modifying the MIME structure of the Cryptographic
Payload.

Appendix F.  Document Changelog

[[ RFC Editor: This section is to be removed before publication ]]

*  draft-ietf-lamps-header-protection-21

   -  HP-Outer mechanism replaces HP-Removed and HP-Obscured. This
      enables the recipient to easily calculate the sender's actions
      around header confidentiality.

   -  Replace Content-Type parameter protected-headers= with hp= and
      hp-scheme=. The presence of hp= indicates that the sender used
      Header Protection according to this document, and the value
      indicates whether the sender tried to encrypt and sign the
      message or just sign it. hp-scheme="wrapped" advises the
      recipient that they should look for the protected Header Fields
      in a subtly different place.

   -  Provide a clear algorithm for reasonably safe handling of
      confidential headers during Reply and Forward operations.

   -  Do not register the example HCP hcp_hide_cc, rename to
      hcp_example_hide_cc

   -  Rename hcp_null to hcp_no_confidentiality

   -  Provide a clear algorithm for the recipient to compute the
      protection state of each Header Field.
*  draft-ietf-lamps-header-protection-20

   -  clarify IANA guidance about registration policy and designated
      expert review
   -  emphasize that Content-Type parameter hp-legacy-display=1
      belongs on all main body parts with a legacy display element
   -  clean up/normalize pseudocode variable names and text (no
      algorithm changes)

*  draft-ietf-lamps-header-protection-19

   -  improve text, capitalize defined terms, fix typos
   -  Clean up from AD review:
   -  updates RFC 8551 explicitly
   -  add "Legacy Signed Message" and "Ordinary User" explicitly to
      terms
   -  tighten up SHOULDs/MUSTs for conformant MUAs
   -  expand references to other relevant Security Considerations
   -  drop nudge about non-existent Content-Type Parameters registry
   -  clarify IANA notes to align with table columns
   -  explicitly request HCP registry
   -  add references to other header protection schemes, but move all
      of them to appendix

*  draft-ietf-lamps-header-protection-18

   -  only allow US-ASCII as modified output of HCP, adjusted ABNF to
      match

*  draft-ietf-lamps-header-protection-17

   -  More edits from WGLC:
   -  clean up definition of "Header Field"
   -  note leakage of encrypted recipient hints
   -  clarify explanation of LDE generation
   -  clarify how some obscured headers might not actually be private

*  draft-ietf-lamps-header-protection-16

   -  correct variable names in message composition algorithms
   -  make text more readable

*  draft-ietf-lamps-header-protection-15

   -  include clarifications, typos, etc from comments received during
      WGLC

*  draft-ietf-lamps-header-protection-14

   -  provide section references for draft-ietf-lamps-e2e-mail-guidance
   -  encourage a future IANA named HCP registry if HCP development
      takes off

*  draft-ietf-lamps-header-protection-13

   -  Retitle from "Header Protection for S/MIME" to "Header
      Protection for Cryptographically Protected E-mail"

*  draft-ietf-lamps-header-protection-12

   -  MUST produce HP-Obscured and HP-Removed when generating
      encrypted messages with non-null HCP
   -  Wrapped Message: move from forwarded=no to
      protected-headers=wrapped
   -  Wrapped Message: recommend Content-Disposition: inline

*  draft-ietf-lamps-header-protection-11

   -  Remove most of the Bcc text (transferred general discussion to
      e2e-mail-guidance)
   -  Fix bug in algorithm for generating HP-Obscured and HP-Removed
   -  More detail about handling Reply messages
   -  Considerations around handling risky Legacy Display Elements
   -  Narrative descriptions of some worked examples
   -  Describe potential leaks to recipients
   -  Clarify debugging/troubleshooting UX affordances

*  draft-ietf-lamps-header-protection-10

   -  Clarify that HCP doesn't apply to Structural Header Fields
   -  Drop out-of-date "Open Issues" section
   -  Brief commentary on UI of messages with intermediate/mixed
      protections
   -  Deprecation prospects for messages without protected headers
   -  Describe generating replies to encrypted messages with stronger
      HCP

*  draft-ietf-lamps-header-protection-09

   -  clarify terminology
   -  add privacy and security considerations
   -  clarify HCP examples and baselines
   -  recommend hcp_minimal as default HCP
   -  add HP-Obscured and HP-Removed (avoids reasoning about
      differences between outside and inside the Cryptographic
      Envelope)
   -  regenerated test vectors

*  draft-ietf-lamps-header-protection-08

   -  MUST compose injected headers, MAY compose wrapped messages
   -  MUST parse both schemes
   -  cleanup and restructure document

*  draft-ietf-lamps-header-protection-07

   -  move from legacy display MIME part to legacy display elements
      within main body part

*  draft-ietf-lamps-header-protection-06

   -  document observed problems with legacy MUAs
   -  avoid duplicated outer Message-IDs in hcp_strong test vectors

*  draft-ietf-lamps-header-protection-05

   -  fix multipart/signed wrapped test vectors

*  draft-ietf-lamps-header-protection-04

   -  add test vectors
   -  add "problems with Injected Messages" subsection

*  draft-ietf-lamps-header-protection-03

   -  dkg takes over from Bernie as primary author
   -  Add Usability section
   -  describe two distinct formats "Wrapped Message" and "Injected
      Headers"
   -  Introduce Header Confidentiality Policy model
   -  Overhaul message composition guidance
   -  Simplify document creation workflow, move public face to gitlab

*  draft-ietf-lamps-header-protection-02

   -  editorial changes / improve language

*  draft-ietf-lamps-header-protection-01

   -  Add DKG as co-author
   -  Partial Rewrite of Abstract and Introduction [HB/AM/DKG]
   -  Adding definitions for Cryptographic Layer, Cryptographic
      Payload, and Cryptographic Envelope (reference to
      [I-D.ietf-lamps-e2e-mail-guidance]) [DKG]
   -  Enhanced MITM Definition to include Machine- /
      Meddler-in-the-middle [HB]
   -  Relaxed definition of Original message, which may not be of type
      "message/rfc822" [HB]
   -  Move "memory hole" option to the Appendix (on request by Chair
      to only maintain one option in the specification) [HB]
   -  Updated Scope of Protection Levels according to WG discussion
      during IETF-108 [HB]
   -  Obfuscation recommendation only for Subject and Message-Id and
      distinguish between Encrypted and Unencrypted Messages [HB]
   -  Removed (commented out) Header Field Flow Figure (it appeared to
      be confusing as it was) [HB]

*  draft-ietf-lamps-header-protection-00

   -  Initial version (text partially taken over from
      draft-ietf-lamps-header-protection-requirements

Authors' Addresses

   Daniel Kahn Gillmor
   American Civil Liberties Union
   125 Broad St.
   New York, NY, 10004
   United States of America
   Email: dkg@fifthhorseman.net

   Bernie Hoeneisen
   pEp Project
   Oberer Graben 4
   CH-8400 Winterthur
   Switzerland
   Email: bernie.hoeneisen@pep-project.org
   URI: https://pep-project.org/

   Alexey Melnikov
   Isode Ltd
   14 Castle Mews
   Hampton, Middlesex
   TW12 2NP
   United Kingdom
   Email: alexey.melnikov@isode.com