diff --git a/evaluation/demonstration/ca.pem b/evaluation/demonstration/ca.pem
new file mode 100644
index 0000000000000000000000000000000000000000..3c3eb09e801ff29e2566b87983c14473ef458444
--- /dev/null
+++ b/evaluation/demonstration/ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIJALSFyHa6alS0MA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xNDEyMjgyMjEz
+MzBaFw0xNTAxMjcyMjEzMzBaMFkxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21l
+LVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFf
+P79u/Y0g+pUMxXuzUuF7L3Fo8pIyNigeaFNSIE9L86QOfJZEjuZE2tIdAbYzIAzE
+JEOGRremcqA3kLQaT6H6qi9YacChJEVDQDnCf9tDzxFKrLDiFPnFLhGDrdXaxZJV
+oSipmyz6iCCJV2FpHVcqofTWcmQJ5RavFJ78DA/B62B+Iy+q5n1DrIquZYMSqWpp
+Em50dY+wz0uAHDjkCtudyN3aqIZEqaR/NoMXzbK7aaJoUhD1Mj4aHs/ei+JFx4iU
+f3DW4zXJj9XfUa8G1DqcBl+qLqCuGUOnyW+GLutrk9axkUZCIpQNNfRvPQVxtCeF
+tuh9ZuwpTJXdUZUnZ8MCAwEAAaNQME4wHQYDVR0OBBYEFLIcln/y41ddl1EBHY9S
+J5efVl9BMB8GA1UdIwQYMBaAFLIcln/y41ddl1EBHY9SJ5efVl9BMAwGA1UdEwQF
+MAMBAf8wDQYJKoZIhvcNAQELBQADggEBADLIVXyUjIgg41HsuAzZXDQkGVXmhmmH
+OeWmGzntfW98Ct73N7NrOa+3R7ZVuwUdwRQZQPb7MtshYlrILN/rpB25iWXAtzfS
+1mLPqhbJtlauIFtEmV+/rGfgPrmKcAgAD3Zm0gvv9soSNwSp9jba29S6NNEkTz7S
+4/u0rr9vt4J74N6ggtpgmVPnku5RWg9XhIAB2CXAOa7rgDb0+1HDz8LTFCc0bCcH
+Dw9smQ5kkvWWFPi2Txk8xb9xXFMuuD8kSfxRhjOraSPx99B174l96xof0Yrcx3r8
+aPv3qkfiVPU3gmgTYSerXgNGX1rNVWQs/b1RoSmnl6GdOCSKA3xSAUQ=
+-----END CERTIFICATE-----
diff --git a/evaluation/demonstration/client.c b/evaluation/demonstration/client.c
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..80cc5f91ac45f0c0439cef615673d2bcafefe9e7 100644
--- a/evaluation/demonstration/client.c
+++ b/evaluation/demonstration/client.c
@@ -0,0 +1,379 @@
+#include <pthread.h>
+#include <assert.h>
+#include <getopt.h>
+#include "common.h"
+#include <signal.h>
+#include <unistd.h>
+
+const char *USAGE="client [-v | -V logfile ] [ -k keylog ] [-c context_list] [-s server] [-m middlebox_list | -M middlebox_list_file]\n"
+	"\tcontext list must be comma-separated list of context names, defaults to \"header,body\"\n"
+	"\tserver must be url including port, default 127.0.0.1:" xstr(DEFAULT_SERVER_PORT) "\n"
+	"\tmiddlebox list must semi-colon delimited urls including port,"
+	"\tmiddlebox list_file must be a file with middlebox urls on separate lines,"
+	"\t\tdefault \"127.0.0.1:" xstr(DEFAULT_MBOX_PORT) "\n"
+	"Input to send to the server is taken from stdin in lines of the form context:command\n";
+
+const char *ARG_TYPES="v:V:k:c:s:m:M";
+
+typedef struct ClientConfigST {
+	FILE *vlog;
+	FILE *fIn;
+	FILE *fOut;
+	SSL *pSSL;
+	int numContexts;
+	const char *contextDescs[50];
+	int numMiddleboxes;
+	const char *MiddleboxURLs[50];
+	const char *serverURL;
+	char myKeyFile[1024];
+	char myPassword[1024];
+	char caFile[1024];
+} ClientConfig;
+
+static int
+client_ParseArgs(int iArgC, char *papsArgV[], ClientConfig *ptCConf);
+
+void
+client_SetDefaults(ClientConfig *ptC)
+{
+	memset(ptC,0,sizeof(*ptC));
+	ptC->fIn=stdin;
+	ptC->fOut=stdout;
+	strcpy(ptC->caFile,"ca.pem");
+	strcpy(ptC->myKeyFile,"client.pem");
+	strcpy(ptC->myPassword,"password");
+	ptC->serverURL="127.0.0.1:" xstr(DEFAULT_SERVER_PORT);
+	ptC->numMiddleboxes=1;
+	ptC->MiddleboxURLs[0]="127.0.0.1:" xstr(DEFAULT_MBOX_PORT);
+}
+
+extern char *optarg;
+//the next two are available but currently ununsed,
+//commented out to prevent compiler complaining
+//extern int optind;
+//extern int optopt;
+static int
+client_ParseArgs(int iArgC, char *papsArgV[], ClientConfig *ptCConf)
+{
+	int iStatus=0;
+	char carg=0;
+
+	while( iStatus==0 && (carg=getopt(iArgC,papsArgV,ARG_TYPES)) != -1) {
+		switch(carg) {
+		case 'v':
+		case 'V':
+			if(ptCConf->vlog!=NULL) {
+				COMMON_LogErrorAndExit(iStatus=INVALID_COMMAND_LINE_ARGS,stderr,"verbose logging specified multiple times\n%s",USAGE);
+			}
+			if(carg=='v') {
+				ptCConf->vlog=stdout;
+			} else { /*carg=='V'*/
+				ptCConf->vlog=fopen(optarg,"w");
+				if(ptCConf->vlog==NULL) {
+					COMMON_LogErrorAndExit(iStatus=FILE_NOT_WRITABLE,stderr,"Unable to open log file %s",optarg);
+				}
+			}
+			break;
+		case 's':
+			/*todo*/
+			assert(0);
+			break;
+		case 'k':
+			/*todo*/
+			assert(0);
+			break;
+		case 'c':
+			/*todo*/
+			assert(0);
+			break;
+		case 'm':
+			/*todo*/
+			assert(0);
+			break;
+		case 'M':
+			/*todo*/
+			assert(0);
+			break;
+		default:
+			COMMON_LogErrorAndExit(iStatus=INVALID_COMMAND_LINE_ARGS,stderr,"Unrecognised command line option -%c",carg);
+			break; /*never reached - keeps compiler happy*/
+		}
+	}
+
+	return iStatus;
+}
+
+ERROR_STATUS
+client_CreateContext(SSL_CTX **pptSSLctx,const ClientConfig *ptConf)
+{
+	ERROR_STATUS iStatus;
+	iStatus=COMMON_InitializeSSLCtx(pptSSLctx,
+			ptConf->myKeyFile, ptConf->myPassword,
+			ptConf->caFile,
+			ID_CLIENT);
+	return iStatus;
+
+}
+
+ERROR_STATUS
+client_Connect(SSL_CTX *ptSSLctx, ClientConfig *ptConf)
+{
+	ERROR_STATUS iStatus=SUCCESS;
+	int i,j,p;
+	BIO *ptSBio;
+
+	/*step 0 - create SSL structure*/
+	/*the SSL_CTX already has out keys set up*/
+	ptConf->pSSL=SSL_new(ptSSLctx);
+	/*todo - check for NULL return*/
+	assert(ptConf->pSSL!=NULL);
+
+	/*step 1 - create the contexts*/
+	iStatus=COMMON_InitMulticontextSet(ptConf->pSSL);
+	assert(iStatus==SUCCESS);
+	if(ptConf->numContexts==0) {
+		iStatus=COMMON_AppendContext(ptConf->pSSL,"default");
+	} else {
+		/*Iterate through the context descriptions and create each one*/
+		for(i=0;i!=ptConf->numContexts && iStatus==SUCCESS;i++) {
+			iStatus=COMMON_AppendContext(ptConf->pSSL,ptConf->contextDescs[i]);
+		}
+
+	}
+	if(iStatus!=SUCCESS) {
+		/*TODO*/
+		assert(0);
+	}
+
+	/*step 2 - create the middlebox list*/
+	iStatus=COMMON_InitProxySet(ptConf->pSSL);
+	assert(iStatus==SUCCESS);
+	/*step 2.0? - do we need to insert client as middlebox 0? - TODO confirm*/
+	/*step 2.1 - iterate through middlebox list */
+	for(i=0;i!=ptConf->numMiddleboxes;i++) {
+		iStatus=COMMON_AppendProxy(ptConf->pSSL,ptConf->MiddleboxURLs[i]);
+	}
+	/*step 2.2 - add server url*/
+	iStatus=COMMON_AppendClientServer(ptConf->pSSL,ptConf->serverURL,1);
+
+	/*step 3 - set the middlebox access permissions*/
+	/*for demonstration purposed, we will set by the following rule:
+	 * Middleboxes with an even port number get read-only access
+	 * Middleboxes with an odd port number get write access
+	 * This is for demonstration only - there is no sensible
+	 * reason why this rule would ever be real-world implemented!
+	 */
+	for(j=0;j!=ptConf->numContexts;j++) {
+		/*grant client if included*/
+		/*grant server*/
+		iStatus=COMMON_SetProxyAccessPermissionByID(ptConf->pSSL,ptConf->pSSL->slices[j]->slice_id, ptConf->numMiddleboxes-1,
+				1,1);
+		for(i=0;i!=ptConf->numMiddleboxes-1;i++) { /*change to i=1 if client included*/
+			char *sMBoxUrl=ptConf->pSSL->proxies[i]->address;
+			char *sPort=strchr(sMBoxUrl,':');
+			assert(sPort);
+			sPort++;
+			int iPort=atoi(sPort);
+			iStatus=COMMON_SetProxyAccessPermissionByID(ptConf->pSSL,ptConf->pSSL->slices[j]->slice_id, i,
+					1,iPort%2);
+		}
+	}
+
+	/*step 4? - do we need to create a socket to first middlebox?*/
+	// TCP Connect
+	char* sAddress = (char*)malloc(strlen(ptConf->pSSL->proxies[0]->address) + 1); // Large enough for string+\0
+	memcpy(sAddress, ptConf->pSSL->proxies[0]->address, strlen(ptConf->pSSL->proxies[0]->address) + 1);
+	char *sHost = strtok(sAddress, ":");
+	int iPort = atoi(strtok(NULL, ":"));
+	int iSock;
+	COMMON_TcpConnect(&iSock, sHost, iPort);
+	// Connect TCP socket to SSL socket
+	ptSBio = BIO_new_socket(iSock, BIO_NOCLOSE);
+    SSL_set_bio(ptConf->pSSL, ptSBio, ptSBio);
+
+	/*step 5 - call the connect method*/
+	/*SPP connect calls this method but also adds some checks,
+	 * in particular it checks that there is at least one context (fine)
+	 * but also checks that there is at least one proxy (which seems
+	 * unnecassary but the server is included so there must be one)
+	 */
+	if (SSL_connect(ptConf->pSSL) <= 0) {
+		iStatus=NETWORK_CONNECT_FAIL;
+	}
+	return SUCCESS;
+}
+
+int giSignal=0;
+int giDone=0;
+static pthread_t gtParent_thread;
+static pthread_t gtSending_thread;
+static pthread_t gtReceiving_thread;
+
+static void
+client_sighandler(int sig) {
+	if(giSignal==0) giSignal=sig;
+	giDone=1;
+	/*note: pthread_kill is a signal sending method - not a
+	 * "Die now" method. Unfortunate naming
+	 */
+	pthread_kill(gtSending_thread,sig);
+	pthread_kill(gtReceiving_thread,sig);
+}
+
+struct iobuffer {
+	int iUsed;
+	union {
+		unsigned char aucBuffer[1024];
+		char stext[1024];
+	};
+	char z;/*force null termination of string*/
+};
+
+static void *
+client_sendThread(void *pvArg)
+{
+	int iNewLine=0;
+	int iCurrentSlice=0;
+	ERROR_STATUS iStatus=SUCCESS;
+	int iBytesRead;
+	int iBytesToSend;
+	int iBytesSent;
+	struct iobuffer tInBuff;
+	const ClientConfig *ptCConf=(const ClientConfig *)pvArg;
+	char *sCurrent,*sEnd,sChunk;
+	char sContext[MAX_CONTEXT_LEN];
+	int iFIn=fileno(ptCConf->fIn);
+
+	memset(&tInBuff,0,sizeof(tInBuff));
+
+	while(!giDone && iStatus==SUCCESS) {
+		/*wait until we have data to read*/
+		/*we should always have an empty buffer at this point*/
+		tInBuff.iUsed=0;
+		memset(tInBuff.aucBuffer,0,sizeof(tInBuff.aucBuffer));
+		iStatus=COMMON_ReadWaitFD(iFIn);
+		/*Read as much data as possible*/
+		iBytesRead=read(iFIn,tInBuff.aucBuffer,sizeof(tInBuff.aucBuffer));
+		assert(iBytesRead>0); /*should be as we waited for it*/
+		iBytesToSend=iBytesRead;
+
+		iNewLine=(tInBuff.aucBuffer[0]=='\n');
+
+		while(iStatus==SUCCESS && iBytesToSend>0) {
+			if(iNewLine) {
+				/*we hit a new line - advance to next context*/
+				iCurrentSlice=(iCurrentSlice+1)%ptCConf->pSSL->slices_len;
+				ptCConf->pSSL->write_slice=SPP_get_slice_by_id(ptCConf->pSSL,ptCConf->pSSL->slices[iCurrentSlice]->slice_id);
+				tInBuff.iUsed++;
+				iBytesToSend--;
+				iNewLine=(tInBuff.aucBuffer[tInBuff.iUsed]=='\n'); /*should only happen on \n\n*/
+				/*note - line above may overflow if \n happens to be last byte read
+				 * this is guaranteed safe due to the additional null terminator char
+				 * and the next iteration of the top loop will reset correctly*/
+			} else if((sEnd=strchr(tInBuff.stext+tInBuff.iUsed,'\n'))==NULL) {
+				/*entire buffer to output in this context*/
+				iBytesSent=SSL_write(ptCConf->pSSL,tInBuff.stext+tInBuff.iUsed,iBytesToSend);
+				/*todo - handle error sending*/
+				assert(iBytesSent>0);
+				tInBuff.iUsed+=iBytesSent;
+				iBytesToSend-=iBytesSent;
+			} else {
+				/*send entire buffer up to and including new line*/
+				/*advance buffer up to new line only - context change on next iteration
+				 * of this loop*/
+				iBytesSent=SSL_write(ptCConf->pSSL,tInBuff.stext+tInBuff.iUsed,sEnd-(tInBuff.stext+tInBuff.iUsed)+1);
+				/*todo - handle error sending*/
+				tInBuff.iUsed=sEnd-tInBuff.stext;
+				iBytesToSend-=sEnd-(tInBuff.stext+tInBuff.iUsed);
+				iNewLine=1;
+				assert(iBytesSent==(sEnd-(tInBuff.stext+tInBuff.iUsed))+1);
+			}
+		}
+	}
+	/*signal to the parent so all other threads are woken*/
+	pthread_kill(gtParent_thread,SIGINT);
+	pthread_exit(NULL);
+	return NULL;
+
+}
+
+static void *
+client_receiveThread(void *pvArg)
+{
+	ERROR_STATUS iStatus=SUCCESS;
+	struct iobuffer tInBuff;
+	int iBytesRead=1;
+	const ClientConfig *ptCConf=(const ClientConfig *)pvArg;
+	BIO *sock_bio=ptCConf->pSSL->rbio;
+	int rfd;
+	SPP_SLICE *pSlice;
+	SPP_CTX *pCtx;
+
+	BIO_get_fd(sock_bio,&rfd);
+	memset(&tInBuff,0,sizeof(tInBuff));
+
+	while(iBytesRead>0 && iStatus==SUCCESS) {
+		/*wait until we have data to read*/
+		iStatus=COMMON_ReadWaitFD(rfd);
+	    iBytesRead = SSL_read(ptCConf->pSSL,tInBuff.aucBuffer,sizeof(tInBuff.aucBuffer));
+	    pSlice = ptCConf->pSSL->read_slice;
+	    pCtx = ptCConf->pSSL->spp_read_ctx;
+	    ptCConf->pSSL->read_slice = NULL;
+	    ptCConf->pSSL->spp_read_ctx = NULL;
+
+	    if(iBytesRead>0) {
+	    	/*print out what we got and from where*/
+	    	fprintf(ptCConf->fOut,"<%s(%d)>:%s",pSlice->purpose,pSlice->slice_id,tInBuff.stext);
+	    } else {
+	    	fprintf(ptCConf->fOut,"zero bytes read - closing");
+	    }
+
+	}
+
+
+	/*signal to the parent so all other threads are woken*/
+	pthread_kill(gtParent_thread,SIGINT);
+	pthread_exit(NULL);
+	return NULL;
+
+}
+
+ERROR_STATUS
+client_RunClient(const ClientConfig *ptConf)
+{
+	void *pvUnused;
+	ERROR_STATUS iStatus=SUCCESS;
+
+	/*set an interrupt signal handler to kill the process*/
+	signal(SIGINT,client_sighandler);
+	signal(SIGTERM,client_sighandler);
+
+	gtParent_thread=pthread_self();
+	/*create the send and recioeve threads*/
+	pthread_create(&gtReceiving_thread, NULL, client_receiveThread, (void *)ptConf);
+	pthread_create(&gtSending_thread, NULL, client_sendThread, (void *)ptConf);
+
+	/*wait for both to finish*/
+	pthread_join(gtReceiving_thread,&pvUnused);
+	pthread_join(gtSending_thread,&pvUnused);
+	return SUCCESS;
+}
+
+int
+main(const int iArgC, char *papsArgV[])
+{
+	ClientConfig tConfig;
+	SSL_CTX *ptSSLctx=NULL;
+	int iStatus;
+
+	client_SetDefaults(&tConfig);
+
+	iStatus=client_ParseArgs(iArgC,papsArgV, &tConfig);
+	COMMON_CheckLogErrorAndExit(iStatus,stderr,"%s\n",USAGE);
+
+	iStatus=client_CreateContext(&ptSSLctx,&tConfig);
+	iStatus=client_Connect(ptSSLctx,&tConfig);
+	iStatus=client_RunClient(&tConfig);
+
+	return iStatus;
+}
diff --git a/evaluation/demonstration/client.pem b/evaluation/demonstration/client.pem
new file mode 100644
index 0000000000000000000000000000000000000000..225820738c361c5990a331f83096d2d2f7b649cc
--- /dev/null
+++ b/evaluation/demonstration/client.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICWwIBAAKBgQDHH/fTFwKTMHDaFXw6LvyDMhHcXwbN3dfI+RGMbBqrQmb7M0+M
+vDsx5pVo/d0k4HzKnVuLe9mRUmxRWKrC6yk6R+ginrbvdPGEsP97bJxZdaxa4HvZ
+eVVs7I20gYbY9oHCw9fdMluaPgLKn+QTQz+Bu+xXeXVxnkZikbXRI4l0UQIDAQAB
+AoGALVj1amhKGNUmTjQoZ2O98+7aLHKjrQyBkO5P9cfExw3HQBvuWOGhJXsauZ9e
+1oAdS1NMvtZEtRitPFVSBjPh3lGPcJcYrWWQ6Sc4wldAMLZEOM3e8IhQKFDMtJz0
+bdw4YubZxbIZKY1/9u27HpMZ3ZXGIVziqSZ3mWyPEbDUbKUCQQD6ghyUVd+CMwlM
+U6mJmjGlS6TfykgD5eUHdpbif724jrYzpj0yp8SAAegmsfeH8RIpd3jmV41d1lcT
+UV5uYTujAkEAy318TB6sh1ApkupmQU2pQWnVt0kewZA/NCDZ6MPsa//cHuhbi7P6
+ZxmyZn+u+0KfiVYYeyMjv3BFDfeGn5PPewJAKE6hLJj4oql1mItpnxNpY5BdUgjp
+N39ZL688Leuh6j1EQeFAvZLTAknMQdWm33/BjVyE3oM94thnIFuaVyZcAwJAYmly
+xqGDEQHcyVehUm3LsH4NxNGRFU28s2o72M2ANo8MFsqLE5pcPKZ52AZiStPishm4
+Rz0sWbZjPyj5q41hpwJALbwQYxv9GVVY3hywyzK3t/6ToGmC/jvXYqu5pR+5Khs6
+rCD+hZMKQU1AYA4l6n5CMhRYmYk+XdkdjZKUylgcmg==
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCAQIwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE0MTIyODIyMTM1N1oXDTE1MDEyNzIy
+MTM1N1owWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
+BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHH/fTFwKTMHDaFXw6LvyDMhHc
+XwbN3dfI+RGMbBqrQmb7M0+MvDsx5pVo/d0k4HzKnVuLe9mRUmxRWKrC6yk6R+gi
+nrbvdPGEsP97bJxZdaxa4HvZeVVs7I20gYbY9oHCw9fdMluaPgLKn+QTQz+Bu+xX
+eXVxnkZikbXRI4l0UQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBaCxFScRowAmHv
+d3DF8BugvtWZFq+GS4/BWgH1pAIj6ED6HrFnxZKrs8t67zUI888An1nmxAFNPPST
+6ys1VEW2z4xzZEh2EK/ZPiwkz9rWl9jjilypvIAeG4jnhk5OaaqE0X6J/Lx5rxWk
+iQmEslthAz4aysUD9kmivr0Cyzz41ZaJR8oMdRnXx88Qeq4Y3dStIIDjPCRfwaYu
+nA4G5P4fj1LY4vcjL5Y/Vw2bkn9gh4t0lx5LuCOh5RRyFYpygW2gyc7qSYI5v5dh
+/rsDfRapHgbL5bvfO+qkky2lKfmvy0e0QV0CzStq6CALaa8EbMz8cPiyEfcqmgVg
+45HRLZut
+-----END CERTIFICATE-----
diff --git a/evaluation/demonstration/common.c b/evaluation/demonstration/common.c
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..7f08ffd22a9d1fb71e4561a0ee2af62a8385f7fa 100644
--- a/evaluation/demonstration/common.c
+++ b/evaluation/demonstration/common.c
@@ -0,0 +1,442 @@
+#include "common.h"
+#include <stdio.h>
+#include <stdlib.h>
+#include <assert.h>
+#include <signal.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netdb.h>
+#include <sys/select.h>
+#include <errno.h>
+
+#define MAXSTRLEN (1024)
+
+static void
+common_Log(FILE *pLog, const char *csFmtStr, va_list va_args);
+static void
+common_DoExit(int iExitCode);
+static void
+common_SigpipeHandle(int x);
+
+/*function to wait for a specific FILE to be ready for reading*/
+ERROR_STATUS
+COMMON_ReadWaitFile(FILE *phF)
+{
+	int iFDNum=fileno(phF);
+	return COMMON_ReadWaitFD(iFDNum);
+}
+/*function to wait for a specific File Descriptor (file, socket, pipe) to be ready for reading*/
+ERROR_STATUS
+COMMON_ReadWaitFD(int iFD)
+{
+	int iStatus;
+	fd_set fds_r,fds_w,fds_ex;
+
+	FD_ZERO(&fds_r);
+	FD_ZERO(&fds_w);
+	FD_ZERO(&fds_ex);
+	FD_SET(iFD,&fds_r);
+
+	iStatus=select(iFD+1,&fds_r,&fds_w,&fds_ex,NULL);
+
+	if(iStatus>0) {
+		/*more one file ready (i.e. should only be one)*/
+		iStatus=SUCCESS;
+	} else {
+		/*something gone wrond or we are interrupted*/
+		iStatus=ERROR_INTERRUPT;
+	}
+	return iStatus;
+}
+
+
+// Function to read a proxy list from file and populate array of proxies
+// Each proxy should be a separate line containing the url only
+// e.g.:
+//127.0.0.1:8423
+//127.0.0.1:8424
+//127.0.0.1:4433
+ERROR_STATUS
+COMMON_ReadProxyListFile(SSL *ptSSL,
+		const char *sFilename){
+	FILE *phF;					// pointer to file
+	unsigned int uiCount = 0;	// simple counters
+	char acLine [128];			// maximum size of line to read from
+	SPP_PROXY *patNewProxiesList=NULL;
+
+	if(ptSSL==NULL || sFilename==NULL) {
+		return INVALID_POINTER;
+	}
+
+	// Open file for reading
+	phF = fopen(sFilename,"r");
+
+	// Check for errors while opening file
+	if( phF == NULL ){
+		return FILE_NOT_READABLE;
+	}
+
+	uiCount=0;
+	// Read file line-by-line
+	while ( fgets ( acLine, sizeof(acLine), phF ) != NULL ) {
+
+		// Remove trailing newline (NOTE: strtoK is not thread safe)
+		strtok(acLine, "\n");
+		if(strlen(acLine)<=2) continue; //ignore blank lines
+
+		COMMON_AppendProxy(ptSSL,acLine);
+
+		/*TODO - log the proxy creation properly*/
+		COMMON_Log(stdout,"Proxy(%2u): %s\n",uiCount,acLine);
+	}
+
+	// Close file
+	fclose(phF);
+	return SUCCESS;
+}
+
+ERROR_STATUS
+COMMON_InitProxySet(SSL *ptSSL)
+{
+	while(ptSSL->proxies_len>0) {
+		ptSSL->proxies_len--;
+		OPENSSL_free(ptSSL->proxies[ptSSL->proxies_len]);
+	}
+	ptSSL->proxies_len=0;
+	memset(ptSSL->proxies,0,sizeof(ptSSL->proxies));
+	return SUCCESS;
+}
+ERROR_STATUS
+COMMON_InitMulticontextSet(SSL *ptSSL)
+{
+	while(ptSSL->slices_len>0) {
+		ptSSL->slices_len--;
+		OPENSSL_free(ptSSL->slices[ptSSL->slices_len]);
+	}
+	ptSSL->slices_len=0;
+	memset(ptSSL->slices,0,sizeof(ptSSL->slices));
+	return SUCCESS;
+}
+
+ERROR_STATUS
+COMMON_AppendProxy(SSL *ptSSL,
+		const char *psProxyURL)
+{
+	char *psProxyUrlCpy=NULL;
+
+	if(ptSSL->proxies_len>=(sizeof(ptSSL->proxies)/sizeof(ptSSL->proxies[0])))
+		return ARRAY_OVERFLOW;
+
+	/*SPP_generate_proxy will generate something with the string provide
+	 * but there is no guarantee that it will be sensible if
+	 * invalid data is passed in*/
+	psProxyUrlCpy=strdup(psProxyURL);
+	ptSSL->proxies[ptSSL->proxies_len] = SPP_generate_proxy(ptSSL, psProxyUrlCpy);
+	(ptSSL->proxies_len)++;
+	return SUCCESS;
+}
+ERROR_STATUS
+COMMON_AppendClientServer(SSL *ptSSL,
+		const char *psURL, int isServer)
+{
+	char *psUrlCpy=NULL;
+
+	if(ptSSL->proxies_len>=(sizeof(ptSSL->proxies)/sizeof(ptSSL->proxies[0])))
+		return ARRAY_OVERFLOW;
+
+	/*SPP_generate_proxy will generate something with the string provide
+	 * but there is no guarantee that it will be sensible if
+	 * invalid data is passed in*/
+	psUrlCpy=strdup(psURL);
+	/* TODO - SPP_generate_proxy probably won't assign the correct ID's
+	 * to denote server and client
+	 */
+	if(isServer) {
+		ptSSL->proxies[ptSSL->proxies_len] = SPP_generate_proxy(ptSSL, psUrlCpy);
+		(ptSSL->proxies_len)++;
+	} else { /*isClient*/
+		memmove(&ptSSL->proxies[1],&ptSSL->proxies[0],ptSSL->proxies_len * sizeof(*ptSSL->proxies));
+		ptSSL->proxies[0] = SPP_generate_proxy(ptSSL, psUrlCpy);
+	}
+	return SUCCESS;
+}
+ERROR_STATUS
+COMMON_AppendContext(SSL *ptSSL,
+		const char *psContextDesc)
+{
+	char *psContextDescCpy=NULL;
+
+	if(ptSSL->slices_len>=(sizeof(ptSSL->slices)/sizeof(ptSSL->slices[0])))
+		return ARRAY_OVERFLOW;
+	psContextDescCpy=strdup(psContextDesc);
+	ptSSL->slices[ptSSL->slices_len] = SPP_generate_slice(ptSSL, psContextDescCpy);
+	ptSSL->slices_len++;
+	return SUCCESS;
+
+}
+
+ERROR_STATUS
+COMMON_SetProxyAccessPermissionByID(SSL *ptSSL, int iSliceID, int iMiddleboxNum,
+							int bGrantRead, int bGrantWrite)
+{
+	int *read_slices; size_t *read_slice_len;
+	int *write_slices; size_t *write_slice_len;
+	int reads_insert_index, write_insert_index;
+	int x,y,z;
+
+	if(ptSSL->proxies_len<iMiddleboxNum || ptSSL->slices_len<iSliceID)
+		return ARRAY_OVERFLOW;
+	read_slices=ptSSL->proxies[iMiddleboxNum]->read_slice_ids;
+	read_slice_len=&(ptSSL->proxies[iMiddleboxNum]->read_slice_ids_len);
+	write_slices=ptSSL->proxies[iMiddleboxNum]->write_slice_ids;
+	write_slice_len=&(ptSSL->proxies[iMiddleboxNum]->write_slice_ids_len);
+
+	/*handle empty case specially*/
+	if(*read_slice_len==0 && bGrantRead) {
+		read_slices[0]=iSliceID;
+		(*read_slice_len)++;
+	}
+	if(*write_slice_len==0 && bGrantWrite) {
+		write_slices[0]=iSliceID;
+		(*write_slice_len)++;
+	}
+
+	/*if we have just inserted the first record, this loop will
+	 * terminate on first iteration*/
+	x=0;y=*read_slice_len;
+	while(y>x+1) {
+		z=(x+y)/2;
+		if(read_slices[z]>iSliceID) y=z;
+		else x=z;
+	}
+	if(bGrantRead) {
+		if(read_slices[x]!=iSliceID) {
+			if(*read_slice_len>y) { /*we have higher number slices to move up*/
+				memmove(&read_slices[x+1],&read_slices[x],(*read_slice_len-y)*sizeof(*read_slices));
+			}
+			read_slices[x]=iSliceID;
+			(*read_slice_len)++;
+		} /*else we are re-granted an already granted access - NOP*/
+	} else { /*we are removing the permission if it is granted*/
+		if(read_slices[x]==iSliceID) {
+			if(*read_slice_len>y) { /*we have higher number slices to move up*/
+				memmove(&read_slices[x],&read_slices[x+1],(*read_slice_len-y)*sizeof(*read_slices));
+			}
+			(*read_slice_len)--;
+		} /*else we removing a non-existent permission - NOP*/
+	}
+
+
+	x=0;y=*write_slice_len;
+	while(y>x+1) {
+		z=(x+y)/2;
+		if(write_slices[z]>iSliceID) y=z;
+		else x=z;
+	}
+	if(bGrantWrite) {
+		if(write_slices[x]!=iSliceID) {
+			if(*write_slice_len>y) { /*we have higher number slices to move up*/
+				memmove(&write_slices[x+1],&write_slices[x],(*write_slice_len-y)*sizeof(*write_slices));
+			}
+			write_slices[x]=iSliceID;
+			(*write_slice_len)++;
+		} /*else we are re-granted an already granted access - NOP*/
+	} else { /*we are removing the permission if it is granted*/
+		if(write_slices[x]==iSliceID) {
+			if(*write_slice_len>y) { /*we have higher number slices to move up*/
+				memmove(&write_slices[x],&write_slices[x+1],(*write_slice_len-y)*sizeof(*write_slices));
+			}
+			(*write_slice_len)--;
+		} /*else we removing a non-existent permission - NOP*/
+	}
+	return SUCCESS;
+}
+
+ERROR_STATUS
+COMMON_TcpConnect(int *piSocket, const char *sHost, int iPort){
+
+	struct hostent *hp;
+	struct sockaddr_in addr;
+	int iOne=1;
+
+	// Resolve host
+	if(!(hp = gethostbyname(sHost)))
+		return NETWORK_CONNECT_FAIL;
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sin_addr = *(struct in_addr*)
+	hp->h_addr_list[0];
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(iPort);
+
+	if((*piSocket=socket(AF_INET,SOCK_STREAM, IPPROTO_TCP))<0){
+		return NETWORK_CONNECT_FAIL;
+	}
+	/*I'm copying this option below*/
+	//set_nagle(*piSocket, 1);
+	setsockopt(*piSocket, IPPROTO_TCP, TCP_NODELAY, (char*)&iOne, sizeof(int));
+
+	if(connect(*piSocket,(struct sockaddr *)&addr, sizeof(addr))<0){
+		return NETWORK_CONNECT_FAIL;
+	}
+
+	return SUCCESS;
+}
+
+
+void
+COMMON_LogErrorAndExit(int iExitCode, FILE *pLog, const char *csFmtStr, ...)
+{
+	va_list va_args;
+	va_start(va_args,csFmtStr);
+	common_Log(pLog, csFmtStr,va_args);
+	va_end(va_args);
+	common_DoExit(iExitCode);
+
+}
+void
+COMMON_CheckLogErrorAndExit(int iExitCode, FILE *pLog, const char *csFmtStr, ...)
+{
+	va_list va_args;
+	if(iExitCode!=0) {
+		va_start(va_args,csFmtStr);
+		common_Log(pLog, csFmtStr,va_args);
+		va_end(va_args);
+		common_DoExit(iExitCode);
+	}
+}
+void
+COMMON_Log(FILE *pLog, const char *csFmtStr, ...)
+{
+	va_list va_args;
+	va_start(va_args,csFmtStr);
+	common_Log(pLog, csFmtStr,va_args);
+	va_end(va_args);
+
+}
+void
+COMMON_CheckLog(int iExitCode, FILE *pLog, const char *csFmtStr, ...)
+{
+	va_list va_args;
+	if(iExitCode!=0) {
+		va_start(va_args,csFmtStr);
+		common_Log(pLog, csFmtStr,va_args);
+		va_end(va_args);
+	}
+}
+
+char *gsPassword=NULL;
+
+static int
+password_cb(char *buf,int num, int rwflag,void *userdata)
+{
+	if(gsPassword==NULL)
+		return 0;
+
+	if(num<strlen(gsPassword)+1)
+		return(0);
+
+	strcpy(buf,gsPassword);
+	return(strlen(gsPassword));
+
+}
+
+ERROR_STATUS
+COMMON_InitializeSSLCtx(SSL_CTX **pptCtx,
+		const char *sMyKeyfile, const char *sMyPassword,
+		const char *sCAKeysFile,
+		unsigned int iID) /*todo - check the name of this in spec - the byte that identifies the middlebox number, client or server*/
+{
+	const SSL_METHOD *meth;
+	SSL_CTX *ctx;
+
+	/* Global system initialization*/
+	SSL_library_init();
+	SSL_load_error_strings();
+
+
+	/* Set up a SIGPIPE handler */
+	signal(SIGPIPE,common_SigpipeHandle);
+
+	if(iID==ID_CLIENT || iID==ID_SERVER) {
+		meth = SPP_method();
+	} else if(iID >=ID_MIDDLEBOX_MIN && iID<=ID_MIDDLEBOX_MAX) {
+		meth = SPP_proxy_method();
+	} else {
+		return INTEGER_OUT_OF_RANGE;
+	}
+
+	ctx = SSL_CTX_new(meth);
+
+	/* Specify the cipher suites that may be used. */
+	if (!SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES128-SHA256")) {
+		return ERROR_IN_LIBRARY_CALL;
+	}
+
+
+	/* Load the CAs*/
+	if(!(SSL_CTX_load_verify_locations(ctx,
+			sCAKeysFile,NULL)))
+		return FILE_NOT_READABLE;
+
+	/* Load our certificate*/
+	if(!(SSL_CTX_use_certificate_chain_file(ctx,
+			sMyKeyfile)))
+		return FILE_NOT_READABLE;
+
+	/*set the routine to handle passing in the passowrd for our private key*/
+	if(gsPassword!=NULL) {
+		free(gsPassword); gsPassword=NULL;
+	}
+	if(sMyPassword!=NULL){
+		gsPassword=strdup(sMyPassword);
+	}
+
+	SSL_CTX_set_default_passwd_cb(ctx,
+			password_cb);
+
+	/*load our private key*/
+	if(!(SSL_CTX_use_PrivateKey_file(ctx,
+			sMyKeyfile,SSL_FILETYPE_PEM)))
+		return FILE_NOT_READABLE;
+
+	*pptCtx=ctx;
+	return SUCCESS;
+}
+
+void
+COMMON_DestroyCtx(SSL_CTX *ptCtx)
+{
+	if(gsPassword!=NULL) {
+		free(gsPassword); gsPassword=NULL;
+		SSL_CTX_free(ptCtx);
+	}
+}
+
+
+
+static void
+common_Log(FILE *pLog, const char *csFmtStr, va_list va_args)
+{
+	assert(pLog!=NULL);
+	assert(csFmtStr!=NULL);
+	assert(strnlen(csFmtStr,MAXSTRLEN)<MAXSTRLEN);
+	vfprintf(pLog,csFmtStr,va_args);
+	fflush(pLog);
+}
+
+static void
+common_DoExit(int iExitCode)
+{
+	exit(iExitCode);
+}
+
+static void
+common_SigpipeHandle(int x)
+{
+	UNUSED(x);
+}
+
diff --git a/evaluation/demonstration/common.h b/evaluation/demonstration/common.h
index 82ea9006f0ae07504ff44f9f9eda47755faf2995..1ebc06afe65a238dcb8c8cae8e788516178ea53a 100644
--- a/evaluation/demonstration/common.h
+++ b/evaluation/demonstration/common.h
@@ -1,6 +1,97 @@
 #ifndef COMMON_H
 #define COMMON_H
 
+#include <stdarg.h>
+#include <stdio.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <pthread.h>
+#include <signal.h>
+
+#define DEFAULT_SERVER_PORT 168888
+#define DEFAULT_MBOX_PORT 169000
+#define str(x) #x
+#define xstr(x) str(x)
+
+#define MAX_CONTEXT_LEN (100)
+
+#ifndef UNUSED
+#define UNUSED(X) ((void)(x))
+#endif
+
+#define MAXSTRLEN (1024)
+
+/* error codes are made of two parts
+ * the low 16 bits is a global enum for the type of error
+ * the high 16 bits is a local enum that only means something
+ * specific to the function that was called.
+ * So, an error opening a file will produce a global error FILE_NOT_READABLE
+ * but the local error will be used by the function to indicate which file and/or why
+ */
+#define MKERROR(eGlobalStatus,eLocalStatus) (((eLocalStatus)<<16 & 0xFFFF0000)|((eGlobalStatus)0x0000FFFF))
+#define GETLOCALERROR(error,dest) ((dest)=(((error)>>16)&0xFFFF))
+#define GETGLOBALERROR(error,dest) ((dest)=(error)&0xFFFF)
+typedef enum eERROR_CODES {
+	SUCCESS=0,
+	INVALID_COMMAND_LINE_ARGS,
+	FILE_NOT_FOUND,
+	FILE_NOT_READABLE,
+	FILE_NOT_WRITABLE,
+	FILE_PARSE_ERROR,
+	INVALID_POINTER,
+	INTEGER_OUT_OF_RANGE,
+	ARRAY_OVERFLOW,
+	MEMORY_ALLOCATION_FAILURE,
+	ERROR_IN_LIBRARY_CALL,
+	NETWORK_CONNECT_FAIL,
+	ERROR_INTERRUPT,
+} ERROR_STATUS;
+
+#define ID_CLIENT (1u)
+#define ID_SERVER (2u)
+#define ID_MIDDLEBOX_MIN (4u)
+#define ID_MIDDLEBOX_MAX (255u)
+
+
+
+/*function to wait for a specific FILE to be ready for reading*/
+ERROR_STATUS
+COMMON_ReadWaitFile(FILE *phF);
+/*function to wait for a specific File Descriptor (file, socket, pipe) to be ready for reading*/
+ERROR_STATUS
+COMMON_ReadWaitFD(int iFD);
+ERROR_STATUS
+COMMON_ReadProxyListFile(SSL *ptSSL,
+		const char *sFilename);
+ERROR_STATUS
+COMMON_InitProxySet(SSL *ptSSL);
+ERROR_STATUS
+COMMON_InitMulticontextSet(SSL *ptSSL);
+ERROR_STATUS
+COMMON_AppendProxy(SSL *ptSSL,
+		const char *psProxyURL);
+ERROR_STATUS
+COMMON_AppendClientServer(SSL *ptSSL,
+		const char *psURL, int isServer);
+ERROR_STATUS
+COMMON_AppendContext(SSL *ptSSL,
+		const char *psContextDesc);
+ERROR_STATUS COMMON_SetProxyAccessPermissionByID(SSL *ptSSL, int iSliceID, int iMiddleboxNum,
+							int bGrantRead, int bGrantWrite);
+ERROR_STATUS COMMON_TcpConnect(int *piSocket, const char *sHost, int iPort);
+void COMMON_LogErrorAndExit(int iExitCode, FILE *pLog, const char *csFmtStr, ...);
+void COMMON_CheckLogErrorAndExit(int iExitCode, FILE *pLog, const char *csFmtStr, ...);
+void COMMON_Log(FILE *pLog, const char *csFmtStr, ...);
+void COMMON_CheckLog(int iExitCode, FILE *pLog, const char *csFmtStr, ...);
+
+ERROR_STATUS COMMON_InitializeSSLCtx(SSL_CTX **pptCtx,
+		const char *sMyKeyfile, const char *sMyPassword,
+		const char *sCAKeysFile,
+		unsigned int iID); /*todo - check the name of this in spec - the byte that identifies the middlebox number, client or server*/
+void COMMON_DestroyCtx(SSL_CTX *ptCtx);
+
+
+
 
 
 #endif
diff --git a/evaluation/demonstration/dh1024.pem b/evaluation/demonstration/dh1024.pem
new file mode 100644
index 0000000000000000000000000000000000000000..779d3af0a69de456e090ae83d9d77134da1ca08b
--- /dev/null
+++ b/evaluation/demonstration/dh1024.pem
@@ -0,0 +1,17 @@
+    PKCS#3 DH Parameters: (1024 bit)
+        prime:
+            00:8c:26:29:59:c0:96:11:92:73:b7:7a:94:e0:4d:
+            f7:44:a1:93:91:20:1e:93:76:7f:05:89:d5:d0:45:
+            bd:69:bd:fa:f7:90:4a:12:ad:06:d1:89:80:dd:84:
+            e2:5c:5b:74:b0:6a:a0:e6:83:46:b4:27:0d:a4:db:
+            74:ac:a4:d5:58:6c:7b:12:43:24:7d:2b:71:92:be:
+            84:bf:9a:12:20:04:08:55:b3:bf:d9:1f:bb:26:cd:
+            ba:02:d4:9b:28:0f:24:d8:06:10:d0:50:9d:b6:5a:
+            97:fa:d8:60:c4:9a:d4:88:97:a5:db:f6:52:a3:66:
+            1c:3c:1c:66:13:d1:55:7b:63
+        generator: 5 (0x5)
+-----BEGIN DH PARAMETERS-----
+MIGHAoGBAIwmKVnAlhGSc7d6lOBN90Shk5EgHpN2fwWJ1dBFvWm9+veQShKtBtGJ
+gN2E4lxbdLBqoOaDRrQnDaTbdKyk1VhsexJDJH0rcZK+hL+aEiAECFWzv9kfuybN
+ugLUmygPJNgGENBQnbZal/rYYMSa1IiXpdv2UqNmHDwcZhPRVXtjAgEF
+-----END DH PARAMETERS-----
diff --git a/evaluation/demonstration/key.pem b/evaluation/demonstration/key.pem
new file mode 100644
index 0000000000000000000000000000000000000000..ff280424e3f76cf08aa4b24f82a7b2248f5ab48a
--- /dev/null
+++ b/evaluation/demonstration/key.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIvP6nFf62H0sCAggA
+MBQGCCqGSIb3DQMHBAjp+Ah8IsmxkgSCBMg3vftP4ScTpvUOe8tf9BCXigaRE1R4
+tFw8clAZXFl+wVQ4UvwMTxwS7Q0SeKkNAnQ4ogHWgEgtAThg7p+WQ9WHc21kSB03
+Nqo6lHfOSpCaIHy1Vj8uKugMOhr1Zk7ZNKy/6Qpgspu6mwNQMPtDxxuNSmY0xznq
+vc8uSJOUx7HxQCcWo2C5i3ETCwhvzE7KnrMTSAzccAPdTiTa4jHfT2NbEO6XHzzx
+VBsQftJQaz2f6/TBuZWqsrkVtQOy3Bg5UxLfBQ5mkTUncCMUs66yOKMwzCtNWZeA
+FiCZudoMDhb9k6SO4bPPUhj5nJQ7WESOpRKexof2s79ou9b8BaWhBuYtqooNLnDm
+q1uyhDz0KtLrmANjv/B/brZTVei3y/cXAECeWaw9gl+omvCa/IOxn4rizkC/xPBQ
+IlMzFTFYlhtwZGkfPEh93XdGEOCzJcXleImqbA2YuWy6DmauiCeNy+9KscHNhAuf
+4u/CzS1Sjlg/4AkxvUc/rTv4pNIYoqzOHTaoBZWNpw7vltj6Pr6Lav671d3wwZmR
+gegEcWg54lt6dcWFjVOzaP6P1PFJ9EYxWfRfX0/21pSupWS75HVW12gow05UfS+G
+TqFL+u0thA5japyUYCi3QX5/TF/K3XoaW4PQqmFKUJK+wU8f3clbX5BhMoSfU7Pa
+IxB6iflMhorauFPAwjDRoDQTAsICMwuIrdK4t/f9yVCzj3psqRGwEdULNdV/3+Tu
+DxnNf/5IkQrlTMmALz2fEXTiPPfOubDLHHLviI3pkWYvPll1YtwunQnE6GfK4ijv
+vX9Mj4RCWlrGVRiMuwo2iKhwLN4vEbYhfX93HeD7/f6fnayKyY20lw1NBVuedB8G
+x3g4A1vPkZkt35YGVoxWHP+BYmsr4GK8Kj6E1P1/xjGcvJtYittcIVsLtzNEYf0L
+NYFI8shQDnDfSYuVxEHUPF9mg6na+fO9GFfHqbbpAWKqtaAffgzqptjRPtV5utWl
+77kQZoiABZCx7Xj+YtZJkKissaRXI6k7W/edEvu/LaNP6LvkZWaxBdclvhvISs0o
+hUfgcyIU/Wm+jwLzbX/fpjRJjz/4bctA/DRipZuUSl9GFARFnVb5w64bkn/0oicl
+3jYXu59DY4U2+gbt3nN27hReeJ3UBG47/MIgiq8GCRNx4+3pvqk+ihlsbF6wOq6J
+q92wkafp4cV40v2SYvVjFEnfrhrko1k2+WUEFyCxwz0HeoEVMJvINFg+qnuRfJnk
+uEMiHk/jdAXESr7Wj9yw3DEkjoQsfqi3KHB7qjo0sAH/i6PdQBzdVB9X8071ag6E
+OgS6fP6JrSJ8N0iannWlEfnwr8IWxSWhn1DkOQtZqaD1TIk9c3tmsnSeSQRu5ed8
+Ou1ziATBwsIYlL4gF850NMk4Xr5hi9W4rEpWaFMV5wBT4MZhaBTz/x1GWQIFz7+i
+BvHbGSsPHDRiDS9VWCQFyQ+86o8JTQCP6RWt/rtUr7xZFKHOaGFLn9CguzSl7Dq+
+kw1IMGzzhyaYDgqiqwELD7x0rX8x/NzKJ+QoSK2IeW86yotUH0scpbp9Dzg2NfjC
+wCTFMn6Iv0eHpjk0RRQV1IuSQY/sp1MdZMIBJ2efzWQ4RIUDX+wFEX1hhkFm6l+Z
+8G0=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/evaluation/demonstration/privkey.pem b/evaluation/demonstration/privkey.pem
new file mode 100644
index 0000000000000000000000000000000000000000..9cd0db1ec077aaf22a28305d935b3fc134c27c41
--- /dev/null
+++ b/evaluation/demonstration/privkey.pem
@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIul43fX5Qe+ECAggA
+MBQGCCqGSIb3DQMHBAjISy7+pPPPfgSCBMhCfhubb0Twd4uFfpt63QCHvWNw2xX/
+K8Yb3pLHsPdo7VE/3t8fUjfZZ7fYS+zbVOP9w9LpSUNMHw8ITk9KEfdhEKt8PjMd
+OKbAGXmdc0xwo/5QM/yH6Mozra0GQXUhIbLuPM9W/DxZSQAVnUCk6RDA7eWcrKhD
+WVjIiBskmRM7Q54NtErcj0SqnazkrC0wRdhYCgGBGKtgQbLW+Ew0BZwh26OcF/c3
+wYGCjcKPohqzFZxux00D8D4IDV4lb3+6IPwJ82XpBIjwfZm03zdgy6YFXgqM8d4m
+C9l/LUsZkuRhGx571oigP0SEDPbc0i+vb1M3jjTAvhgv+6JMNZ1yYzbyqSrHzYmX
+nzTfNUXZIGmFoDknq5VdHk03772CNb2aeGPk6FWQOlblfTLWIenHw6U//Xg3t1RY
+B2b01S+bGC6ql/x54LHAwSS1OEO57PID35IGQ4Lg3oEX7hYgdn6XsBTLiai6u5gV
+IF5UJXPBd443F2YyBQWPjSqczmJ83s/1zWzch/CkJRHfKnqZPaqMIN8kMgdocrB/
+dYaUO1G0RZO+NkdlWprUpfmFzMFEKRGrHBhgvTLqBGQuu1rYWGfRZzW75AIe0/Br
+6cE1DMqGrQ8LNXrjAMPFFDskv0IHO1sRY72W6d6TyNfpAAaGbUaNSWxfCfA1FYr/
+EsPoRlu0hStOb8ooDOpoXb84n1w94X45L8nHXhNkFRHMM3zDHhmtJHismVZb+f07
+0NTev60U9e5BQ6W16DWgqOO73DIiYmIvL4by91bk9SSdI931sAqeNWr3j8+lDBAD
+hcKhbsW6oTDLeTjcQKsHoDLzQqzmGFGZuUHo72gwv1r1U71LX4vYeiW7RYMFvalu
+otPwUkJUbNLDfwHtxDJvsho5WAuzPt+JBo2DC1Wkr0WEAmDuxJZRnF/9KzIiyn/E
+UaU1ojrlDWoFskyYWjXdaeXzq8H4xlmXYEkS/nyGujXGl6bRZ6HOOhSuol3oPp7O
+Gd5XJW4oUA6a7jPKBYyyGI+ieUy/FrcIkNpDS/38jfLQPwjYqgzMVtGD8H1R6SY+
+8bmjLFqvG11G7Jcy9rjbXH7+zrh9IZas+TiYqvI0vUkb1ta44RlkRhwTr76VM0hp
+JexpAH15i27cRs8eqMIlkpw0Uebp/NNJ/dTQglhjlMLXiu4SQomnr9tUv1zIWj5i
+v4USiz6tbznfB58OYTFKraLGzuOztI8iMWBJuJvGuNTfx3Am5/dawNmb+Xrkuwxa
+A7EOHcjrwljj9m71UOhBx1eDrQGWTbQgJ/hFh4YeoFyUqvL/7s6qjV/zN9hpTl2x
+/3FW3cpN2Lpqn5Z8jhVkSwUV0r1EAc7UZf4jx1ZneqPit3Jsyi3AZF/aQI22Fu/S
+Md6QQm+iL3CPCroh52Gk7PbMt9N6B0uHFeO7s8HMei3DoQIuQCRVrPeXvbwCBt2l
+FHRyjq80dAHPVwHJ5ilP6l2iOMOffj32ZmD8BxWA21HX4JIMDRbKXn+BzmIgDlfo
+SKzm8uoAQ98FE6zsM+wIIBZkY1SbGoHGJm5Nfq2u26u+Qw5v8SICH1NKgXAsx0tp
+uV+IC6+9ZMXaYXaRGr/TJwDoa9a7rLuswcYjBfvzL7RVfiJGbsLaiKs68lZrQHoY
+kb8=
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/evaluation/demonstration/root.pem b/evaluation/demonstration/root.pem
new file mode 100644
index 0000000000000000000000000000000000000000..4a60a0c85726237e23332ae88dfabb766fc7eb9d
--- /dev/null
+++ b/evaluation/demonstration/root.pem
@@ -0,0 +1,51 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI0fsCjPB6hrsCAggA
+MBQGCCqGSIb3DQMHBAgVkCXDo1832wSCBMh4ldESl2Wp/KcrgQK61j2+XWQ7ODNZ
+9VYaSF360uPOxlzBJkQH60UG0DnSQaOznMudLw38Bb7ZHMc7aaIL532Cdm3mC5S5
+we4fU9+KH+g3aAutbNfOanpmZSkOcUxsYydrmxJWkJHi9CBCWGh+B6yusSEURJrD
++vB2E+lZqXkLseFVvlbkJ7gbqV2BqmiVic5eJSySBgB3g/670uWA2m4QsxI3UIiW
+cqb4egfmLX4E2lZL7BkIq+LnrmXan6sLetXzagwf3p7Zv3cn8F2L5YSWgcC2rR9Z
+3UrpLAmnkk7KcC1zQO7zdVVyyAAqX+q+IukKTn3aPrF34A2TUuPj9CuydRhdTeCI
+NQbplIO1eRYiKiwDJMCFmtKDfTU6NycUBkwaUtLtyItNREWnTevrrhKL5nNYH+eI
+kuw4PGVlKoiSjMiM7cpMinHo1Ok0BR3nj9zxcAokp5o6iL24sQPsEuG2eDWxbxmK
+VZLvi2ml6EEtZAI2+fZ3WRV4g07fhTSXMj5rUKhp/3OpwEY3wLCekPlgbhRtDmqQ
+P7nDioUyFaYBclIzzzjuvrEY6m7h0/Vpk2SiSS6EXa4DEsDaptLKwPYOXbVIUgzx
+EJQDTOupIOsK9KCq64Vxtp9gboMb+dOnZV8QnSVXAKtF7/urtR4NjtEF7065c5VV
+5jve/5c3VJpDL3avsu+BiN683oMkeq3tfUqgfSX9XzhlTq3HfhpTv9Jz7XQwCxQh
+RT7EgfIfBR0OXHJq49XF4AoDtZcs/+4sGB4vZZwvyLuHAcMa/TLJckuGat5q4yz1
+4GwLOTQYk6YNf7+a8s6ybs6ES27MU9sDrC7WMDpCbXXG9Vv+9I3vZaSQYxn9NK6Z
+d4eTuZrRkkzBiPBTe4/PHcse5cFlIAGL6t0B88wi8hf8BPUcve6AMG1cyChQZGgu
+r8qEkxB1FFbtQqY7a1jqOmRCD74PXWsYkOaTymsbnXhCqh2AoomsLI9s/kxwfoC6
+jEkjPGadjEWurokKiQbCRRAp/HocMDbaOKKQ0RruzvJkcn6HG2ESaXX7zuz66sTD
+bz1FKgN9kfqdtzOeBIeraZLcLR/8ECbRsufzwkW4UaJtwvPV5L5DsD2eNv296V7y
+UidFUtvWzq/HrtKrLrdG9Ij402NBWz4iKb4HBSuoNaQUPSvC58oji0k/e9kNwTQj
+H1botaohKJ5hhRX+cGkYtg57wRhb6Ev9JNNrxSIN/+H+tTxvRIYaz8Gtyi40uId4
+FVY0PlbKH8/lTYDhTYZ5+PbJkoIY5s1eyBKbt5/h6N2U65yvKQw342L1IERJRtni
+UYtNFXNXXuqgRXsTS+8clHCKdW5ZI6Ys8E41399mnYcRvkVx4EGxZvJhb9nI2hPC
+PCFZV+0SsTn+1L0BCiz3Bk6Nt1fBWj55XoVXoSSrm3CTIzdMUvArxGUKYe80+mhx
+4YjWDzZB5aERDqlHxsqDET1mSp+SKdbXgpWS5d3t6gFe2GgsvM+KvlNSqdxosVtc
+Q0e2r/gmPBIF8vqipDKIKGo97Pi/Z459+hB4Atwar46+WjMXcTbogIX7Sd61qINh
+emblQnoqnabvNJVj8fxz0ADlb8o3p4KkKE9kpJ1ey4kn+D/nfG6E9MheEQRcQ19w
+t0A=
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDXTCCAkWgAwIBAgIJAKsTI6dE9mQlMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTQxMjI4MjIwMzIyWhcNMTUwMTI3MjIwMzIyWjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAlXQV7cHtFMIu3cXwGPi53V/MmCnD4hO5nQOLX9juUeKGxXXfBVUeTvkQ
+gGznoRHL72yazrCZFXcm0Bawfv+LtxxZvZvWP4/EXGtrO7UBPvdUCcJm8AHeLAjP
+Y4leAUghphNnolv9SUydDBLsR9hoWAgk6Q9vtIqyiJyaHBhr0fko3SNiSHcqO4PL
+lmeQMqKIMWgjtg2Com3QeKPI1II6B5xTMcxSrpvhYo6/JZFyHsTdtDTO0rTccCF1
+xtLzptRCer2tNyKwvoVrwK81D6MpK4aoUxizSQkBRrtqP+NPzs2gckP3+v7QJqQ2
+9VJ2TvFv70V8tPlmDLOT0IxmIvENQQIDAQABo1AwTjAdBgNVHQ4EFgQU5L5ER+eU
+n7UijUGllRuC21Jyo+MwHwYDVR0jBBgwFoAU5L5ER+eUn7UijUGllRuC21Jyo+Mw
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAJKGiEFW9JgsyYXWgdch4
+Kp8WbSBbkb6GTk3XnSgPlTyVajHekSy4keujn4DLck5Yc4Qf99beo41OIg4VBw+P
+iTx0C/ZHRELaovyPTlZMkSpz4x07AYzc2BbJ1CbW/0/c0gBVtxHlmE+ZrOYBKbGm
+FVAvEMwV6AzAAG8T17zEtxwFhhOvFfzq/TM59pvpq5G9nxUINLMJgENlFvwssGH3
+2MhR55AHTEU881h6BLjE2e2p0b7V7Y4hOwv+PwiECyCfIu5g3evE+kvnRvhEC4kd
+eLU+lYkse8YZEzJQk5GJhVp4wyjb3IzjB3WZlPIg+nf90vPP4Uo5+GFBAoSsU2fw
+Mg==
+-----END CERTIFICATE-----
diff --git a/evaluation/demonstration/server.pem b/evaluation/demonstration/server.pem
new file mode 100644
index 0000000000000000000000000000000000000000..ae9f9c062469db667312403e41bf39d1e1e9040a
--- /dev/null
+++ b/evaluation/demonstration/server.pem
@@ -0,0 +1,32 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXAIBAAKBgQDy8zc6Xe1UTbzGQODwgoubnnKlgBhuNna2h+xWo0FDTfwVdgkN
+/J05YHKb7NuR2qp6WzOWRCmFvQsViYRoCalZvMgYxa7G0cylJqL4iUKu6QF/qzYP
+yGHE1Jao+Zme/v/LQFL0WcIaYpld+FmTy05AKHaps/tvtOcBkgT9bMb3LQIDAQAB
+AoGAUswe0051dpizsCEmR/FFoPiD+/FG4jC/jn+ORQyITmbCdZHvjgu8jXRYOtmj
+DvclyGNSlnCOchy2LVXbgRVh2CBgkEoUbRQqzR/6+1L8pupul0TRoe8ptty/JPnz
+uz6LDqbJUk6+lSX4DVhIYjUxHkPBX5wlsq/wMMQI8WIQcqECQQD+SJs/ynWpEHeK
+DppqiOszzme60UgwGZ64lXg26HTctJqmR8uyVEzccS/mJNwikiNiqrZ9VVvQzJ/N
+caGtSGL5AkEA9JcGeRqNduf4cVU1oC/y05FQLXO0r2eFBQAsbUU2/bFQAkoMfdXP
+B9tTJXQVkh3sJDwfcE9HdkQGsIg/QPsO1QJANAPqLgxeMS07JrSCBdToN/q64U46
+NAypmRyKMMEwVo1jLSx2kI4KAvXsVGmp1jCKqH4/QjgZxgZ1kfLynZ23EQJBAJXy
+qMNB5gxJtmQ0qwWjn6jY42CaGOGYA1LHgnUTA92QAM8GepYCqEPW0Cib/EVyFr04
+JsYBtHvqxHchcDX0NGkCQE3DjUPc/mQai62zoegMZ7m6Xi0t7M77amtXol4/yrVW
+u67wvRq1Q0ylHFr1LKXSWhptCUQ4MgluecZHDW3uDmI=
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIICojCCAYoCAQEwDQYJKoZIhvcNAQELBQAwWTELMAkGA1UEBhMCQVUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
+ZDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTE0MTIyODIyMTM0MloXDTE1MDEyNzIy
+MTM0MlowWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
+BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJbG9jYWxob3N0
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDy8zc6Xe1UTbzGQODwgoubnnKl
+gBhuNna2h+xWo0FDTfwVdgkN/J05YHKb7NuR2qp6WzOWRCmFvQsViYRoCalZvMgY
+xa7G0cylJqL4iUKu6QF/qzYPyGHE1Jao+Zme/v/LQFL0WcIaYpld+FmTy05AKHap
+s/tvtOcBkgT9bMb3LQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQB2a7xpBpKimr9P
+h2Ow5oeEhcEEbY+qo3trVqjeLvzMmAvvt3f1wa8ApnwkjAIdhIhDTFhv/iCRpU1v
+gGB6E/l+x95LLoicdvv2i7kJ/QPPjBrQ3zETNbL52oPo1ZWIs3LZtTJnEgchcC9z
+zzSpNv3LIfzwEWeW22AI0xPA49JYyxRVpuJQEJWminP+h8jFe+ESKvoKTxcuMvLU
+PcRYIojsjWPmoxEDWiVWKjVSikDybS6U1jsZ3RgI9zuXfg9U+xYOKj8capBi94iU
+sI1LKWSoSBWiZE8vkI2/jgDC+0QcDFo3pQEMLc8z+7cNLE8sXjRrRijoZkBf8TSQ
+v66L2tFL
+-----END CERTIFICATE-----