validator
  {
    rule
    {
      id "A rule"
      for data
      filter
      {
        type name
        name /SecurityTestSecRule/Basic/Longer
        relation is-strict-prefix-of
      }
      checker
      {
        type customized
        sig-type rsa-sha256
        key-locator
        {
          type name
          hyper-relation
          {
            # there are 2 components between SecurityTestSecRule and KEY
            # in the key name, and the data name begins with SecurityTestSecRule
            k-regex "^(<SecurityTestSecRule>)[^<KEY>]{2}<KEY><ksk-.+><ID-CERT>$"
            k-expand "\\1"
            h-relation is-strict-prefix-of
            p-regex "^(<>*)$"
            p-expand "\\1"
          }
        }
      }
    }
    rule
    {
      id "Another rule"
      for data
      filter
      {
        type name
        name /SecurityTestSecRule/Basic/
        relation is-prefix-of
      }
      checker
      {
        type customized
        sig-type rsa-sha256
        key-locator
        {
          type name
          hyper-relation
          {
            # there is 1 component between KEY and key-id
            # and the data name must end in a /Data* component
            # key identity is a prefix of everything before /Data*  in data name
            k-regex "^([^<KEY>]+)<KEY>(<>)<ksk-.+><ID-CERT>$"
            k-expand "\\1\\2"
            h-relation is-strict-prefix-of
            p-regex "^(<>+)<Data.*>$"
            p-expand "\\1"
          }
        }
      }
    }
  }