idnits 2.17.00 (12 Aug 2021)

/tmp/idnits43800/draft-ietf-opsawg-finding-geofeeds-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The document has examples using IPv4 documentation addresses according
     to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
     there should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (May 17, 2021) is 369 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC-TBD' is mentioned on line 383, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 745

  -- Looks like a reference, but probably isn't: '3' on line 692

  -- Looks like a reference, but probably isn't: '6' on line 792

  ** Downref: Normative reference to an Informational RFC: RFC 2818

  ** Downref: Normative reference to an Informational RFC: RFC 5485

  ** Downref: Normative reference to an Informational RFC: RFC 8805

  -- Obsolete informational reference (is this intentional?): RFC 7482
     (Obsoleted by RFC 9082)


     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            R. Bush
3	Internet-Draft                                              IIJ & Arrcus
4	Intended status: Standards Track                              M. Candela
5	Expires: November 18, 2021                                           NTT
6	                                                               W. Kumari
7	                                                                  Google
8	                                                              R. Housley
9	                                                          Vigil Security
10	                                                            May 17, 2021

12	                     Finding and Using Geofeed Data
13	                 draft-ietf-opsawg-finding-geofeeds-10

15	Abstract

17	   This document specifies how to augment the Routing Policy
18	   Specification Language inetnum: class to refer specifically to
19	   geofeed data CSV files, and describes an optional scheme to use the
20	   Routing Public Key Intrastructure to authenticate the geofeed data
21	   CSV files.

23	Status of This Memo

25	   This Internet-Draft is submitted in full conformance with the
26	   provisions of BCP 78 and BCP 79.

28	   Internet-Drafts are working documents of the Internet Engineering
29	   Task Force (IETF).  Note that other groups may also distribute
30	   working documents as Internet-Drafts.  The list of current Internet-
31	   Drafts is at https://datatracker.ietf.org/drafts/current/.

33	   Internet-Drafts are draft documents valid for a maximum of six months
34	   and may be updated, replaced, or obsoleted by other documents at any
35	   time.  It is inappropriate to use Internet-Drafts as reference
36	   material or to cite them other than as "work in progress."

38	   This Internet-Draft will expire on November 18, 2021.

40	Copyright Notice

42	   Copyright (c) 2021 IETF Trust and the persons identified as the
43	   document authors.  All rights reserved.

45	   This document is subject to BCP 78 and the IETF Trust's Legal
46	   Provisions Relating to IETF Documents
47	   (https://trustee.ietf.org/license-info) in effect on the date of
48	   publication of this document.  Please review these documents
49	   carefully, as they describe your rights and restrictions with respect
50	   to this document.  Code Components extracted from this document must
51	   include Simplified BSD License text as described in Section 4.e of
52	   the Trust Legal Provisions and are provided without warranty as
53	   described in the Simplified BSD License.

55	Table of Contents

57	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
58	     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
59	   2.  Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . .   3
60	   3.  inetnum: Class  . . . . . . . . . . . . . . . . . . . . . . .   3
61	   4.  Authenticating Geofeed Data . . . . . . . . . . . . . . . . .   5
62	   5.  Operational Considerations  . . . . . . . . . . . . . . . . .   7
63	   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   8
64	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
65	   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
66	   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   9
67	   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
68	     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
69	     10.2.  Informative References . . . . . . . . . . . . . . . . .  10
70	   Appendix A.  Example  . . . . . . . . . . . . . . . . . . . . . .  11
71	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  20

73	1.  Introduction

75	   Providers of Internet content and other services may wish to
76	   customize those services based on the geographic location of the user
77	   of the service.  This is often done using the source IP address used
78	   to contact the service.  Also, infrastructure and other services
79	   might wish to publish the locale of their services.  [RFC8805]
80	   defines geofeed, a syntax to associate geographic locales with IP
81	   addresses.  But it does not specify how to find the relevant geofeed
82	   data given an IP address.

84	   This document specifies how to augment the Routing Policy
85	   Specification Language (RPSL) [RFC2622] inetnum: class to refer
86	   specifically to geofeed data CSV files, and how to prudently use
87	   them.  In all places inetnum: is used, inet6num: should also be
88	   assumed [RFC4012].

90	   The reader may find [INETNUM] and [INET6NUM] informative, and
91	   certainly more verbose, descriptions of the inetnum: database
92	   classes.

94	   An optional, utterly awesome but slightly complex means for
95	   authenticating geofeed data is also defined.

97	1.1.  Requirements Language

99	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
100	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
101	   "OPTIONAL" in this document are to be interpreted as described in BCP
102	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
103	   capitals, as shown here.

105	2.  Geofeed Files

107	   Geofeed files are described in [RFC8805].  They provide a facility
108	   for an IP address resource 'owner' to associate those IP addresses to
109	   geographic locales.

111	   Content providers and other parties who wish to locate an IP address
112	   to a geographic locale need to find the relevant geofeed data.  In
113	   Section 3, this document specifies how to find the relevant [RFC8805]
114	   geofeed file given an IP address.

116	   Geofeed data for large providers with significant horizontal scale
117	   and high granularity can be quite large.  The size of a file can be
118	   even larger if an unsigned geofeed file combines data for many
119	   prefixes, dual IPv4/IPv6 spaces are represented, etc.

121	   Geofeed data do have privacy considerations, see Section 6.

123	   This document also suggests optional signature, which authenticates
124	   the data when present, for geofeed files to provide stronger
125	   authenticity to the data.

127	3.  inetnum: Class

129	   The original RPSL specifications starting with [RIPE81], [RIPE181],
130	   and a trail of subsequent documents were done by the RIPE community.
131	   The IETF standardardized RPSL in [RFC2622] and [RFC4012].  Since
132	   then, it has been modified and extensively enhanced in the RIR
133	   community, mostly by RIPE, [RIPE-DB].  Currently, change contol
134	   effectively lies in the operator community.

136	   The Routing Policy Specification Language (RPSL), and [RFC2622] and
137	   [RFC4012] used by the Regional Internet Registries (RIRs) specifies
138	   the inetnum: database class.  Each of these objects describes an IP
139	   address range and its attributes.  The inetnum: objects form a
140	   hierarchy ordered on the address space.

142	   Ideally, RPSL would be augmented to define a new RPSL geofeed:
143	   attribute in the inetnum: class.  Until such time, this document
144	   defines the syntax of a Geofeed remarks: attribute which contains an
145	   HTTPS URL of a geofeed file.  The format of the inetnum: geofeed
146	   remarks: attribute MUST be as in this example, "remarks: Geofeed ",
147	   where the token "Geofeed" MUST be case-sensitive, followed by a URL
148	   which will vary, but MUST refer only to a single [RFC8805] geofeed
149	   file.

151	       inetnum: 192.0.2.0/24 # example
152	       remarks: Geofeed https://example.com/geofeed.csv

154	   While we leave global agreement of RPSL modification to the relevant
155	   parties, we specify that a proper geofeed: attribute in the inetnum:
156	   class MUST be "geofeed: ", and MUST be followed by a single URL which
157	   will vary, but MUST refer only to a single [RFC8805] geofeed file.

159	       inetnum: 192.0.2.0/24 # example
160	       geofeed: https://example.com/geofeed.csv

162	   Registries MAY, for the interim, provide a mix of the remarks:
163	   attribute form and the geofeed: attribute form.

165	   The URL's use of the web PKI can not provide authentication of IP
166	   address space ownership.  It is only used to authenticate a pointer
167	   to the geofeed file and transport integrity of the data.  In
168	   contrast, the Resource Public Key Infrastructure (RPKI, see
169	   [RFC6481]) can be used to authenticate IP space ownership; see
170	   optional authentication in Section 4.

172	   Until all producers of inetnum:s, i.e. the RIRs, state that they have
173	   migrated to supporting a geofeed: attribute, consumers looking at
174	   inetnum:s to find geofeed URLs MUST be able to consume both the
175	   remarks: and geofeed: forms.  This not only implies that the RIRs
176	   support the geofeed: attribute, but that all registrants have
177	   migrated any inetnum:s from remarks: use to geofeed:s.

179	   Any particular inetnum: object MUST have at most, one geofeed
180	   reference, whether a remarks: or a proper geofeed: attribute when it
181	   is implemented.  If there is more than one, all are ignored.

183	   If a geofeed CSV file describes multiple disjoint ranges of IP
184	   address space, there are likely to be geofeed references from
185	   multiple inetnum: objects.

187	   As inetnum: objects form a hierarchy, Geofeed references SHOULD be at
188	   the lowest applicable inetnum: object covering the relevant prefixes
189	   in the referenced geofeed file.  When fetching, the most specific
190	   inetnum: object with a geofeed reference MUST be used.

192	   When geofeed references are provided by multiple inetnum: objects
193	   which have identical address ranges, then the geofeed reference on
194	   the inetnum: with the most recent last-modified: attribute SHOULD be
195	   preferred.

197	   It is significant that geofeed data may have finer granularity than
198	   the inetnum: which refers to them.  For example an INETNUM object for
199	   a prefix P could refer to a geofeed file in which P has been sub-
200	   divided into one or more longer prefixes.

202	   Currently, the registry data published by ARIN is not the same RPSL
203	   as that of the other registries (see [RFC7485] for a survery of the
204	   whois Tower of Babel); therefore, when fetching from ARIN via FTP
205	   [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the
206	   "NetRange" attribute/key MUST be treated as "inetnum" and the
207	   "Comment" attribute MUST be treated as "remarks".

209	4.  Authenticating Geofeed Data

211	   The question arises whether a particular [RFC8805] geofeed data set
212	   is valid, i.e. is authorized by the 'owner' of the IP address space
213	   and is authoritative in some sense.  The inetnum: which points to the
214	   [RFC8805] geofeed file provides some assurance.  Unfortunately, the
215	   RPSL in many repositories is weakly authenticated at best.  An
216	   approach where RPSL was signed a la [RFC7909] would be good, except
217	   it would have to be deployed by all RPSL registries, and there is a
218	   fair number of them.

220	   An optional authenticator MAY be appended to a [RFC8805] geofeed
221	   file.  It is a digest of the main body of the file signed by the
222	   private key of the relevant RPKI certificate for the covering address
223	   range.  One needs a format that bundles the relevant RPKI certificate
224	   with the signature and the digest of the geofeed text.

226	   The canonicalization procedure converts the data from its internal
227	   character representation to the UTF-8 [RFC3629] character encoding,
228	   and the <CRLF> sequence MUST be used to denote the end of a line of
229	   text.  Trailing space characters MUST NOT appear on a line of text.
230	   That is, the space or tab characters must not be followed by the
231	   <CRLF> sequence.  Thus, a blank line is represented solely by the
232	   <CRLF> sequence.  Other nonprintable characters, such as backspace,
233	   are not expected.  For robustness, any nonprintable characters MUST
234	   NOT be changed by canonicalization.  Trailing blank lines MUST NOT
235	   appear at the end of the file.  That is, the file must not end with
236	   multiple consecutive <CRLF> sequences.  Any end-of-file marker used
237	   by an operating system is not considered to be part of the file
238	   content.  When present, such end-of-file markers MUST NOT be
239	   processed by the digital signature algorithm.

241	   Should the authenticator be syntactically incorrect per the above,
242	   the authenticator is invalid.

244	   Borrowing detached signatures from [RFC5485], after file
245	   canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652]
246	   would be used to create a detached DER encoded signature which is
247	   then BASE64 encoded and line wrapped to 72 or fewer characters.

249	   The address range of the signing certificate MUST cover all prefixes
250	   in the geofeed file it signs; and therefore must be covered by the
251	   range of the inetnum:.

253	   An address range A 'covers' address range B if the range of B is
254	   identical to or a subset of A.  'Address range' is used here because
255	   inetnum: objects and RPKI certificates need not align on CIDR prefix
256	   boundaries, while those of the CSV lines in the geofeed file do.

258	   Validation of the signing certificate needs to ensure that it is part
259	   of the current manifest and that the resources are covered by the
260	   RPKI certificate.

262	   As the signer specifies the covered RPKI resources relevant to the
263	   signature, the RPKI certificate covering the inetnum: object's
264	   address range is included in the [RFC5652] CMS SignedData
265	   certificates field.

267	   Identifying the private key associated with the certificate, and
268	   getting the department with the Hardware Security Module (HSM) to
269	   sign the CMS blob is left as an exercise for the implementor.  On the
270	   other hand, verifying the signature requires no complexity; the
271	   certificate, which can be validated in the public RPKI, has the
272	   needed public key.

274	   The appendix MUST be 'hidden' as a series of "#" comments at the end
275	   of the geofeed file.  The following is a cryptographically incorrect,
276	   albeit simple example.  A correct and full example is in Appendix A.

278	       # RPKI Signature: 192.0.2.0/24
279	       # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
280	       # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
281	       ...
282	       # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
283	       # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
284	       # End Signature: 192.0.2.0/24

286	   The signature does not cover the signature lines.

288	   [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a
289	   Cryptographic Message Syntax (CMS) profile for a general purpose
290	   listing of checksums (a 'checklist'), for use with the Resource
291	   Public Key Infrastructure (RPKI).  It provides usable, albeit
292	   complex, code to sign geofeed files.

294	   [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax
295	   (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
296	   based on the RPKI.  While this is expected to become applicable in
297	   the long run, for the purposes of this document, a self-signed root
298	   trust anchor is used.

300	5.  Operational Considerations

302	   To create the needed inetnum: objects, an operator wishing to
303	   register the location of their geofeed file needs to coordinate with
304	   their RIR/NIR and/or any provider LIR which has assigned prefixes to
305	   them.  RIRs/NIRs provide means for assignees to create and maintain
306	   inetnum: objects.  They also provide means of [sub-]assigning IP
307	   address resources and allowing the assignee to create whois data,
308	   including inetnum: objects, and thereby referring to geofeed files.

310	   The geofeed files MUST be published via and fetched using https
311	   [RFC2818].

313	   When using data from a geofeed file, one MUST ignore data outside the
314	   referring inetnum: object's inetnum: attribute address range.

316	   If and only if the geofeed file is not signed per Section 4, then
317	   multiple inetnum: objects MAY refer to the same geofeed file, and the
318	   consumer MUST use only geofeed lines where the prefix is covered by
319	   the address range of the inetnum: object they have followed.

321	   To minimize the load on RIR whois [RFC3912] services, use of the
322	   RIR's FTP [RFC0959] services SHOULD be the preferred access.  This
323	   also provides bulk access instead of fetching with tweezers.

325	   Currently, geolocation providers have bulk whois data access at all
326	   the RIRs.  An anonymized version of such data is openly available for
327	   all RIRs except ARIN, which requires an authorization.  However, for
328	   users without such authorization, the same result can be achieved
329	   with extra RDAP effort.  There is open source code to pass over such
330	   data across all RIRs, collect all geofeed references, and process
331	   them [geofeed-finder].

333	   An entity fetching geofeed data using these mechanisms MUST NOT do
334	   frequent real-time look-ups to prevent load on RPSL and geofeed
335	   servers.  [RFC8805] Section 3.4 suggests use of the [RFC7234] HTTP
336	   Expires Caching Header to signal when geofeed data should be
337	   refetched.  As the data change very infrequently, in the absence of
338	   such an HTTP Header signal, collectors SHOULD NOT fetch more
339	   frequently than weekly.  It would be polite not to fetch at magic
340	   times such as midnight UTC, the first of the month, etc., because too
341	   many others are likely to do the same.

343	6.  Privacy Considerations

345	   [RFC8805] geofeed data may reveal the approximate location of an IP
346	   address, which might in turn reveal the approximate location of an
347	   individual user.  Unfortunately, [RFC8805] provides no privacy
348	   guidance on avoiding or ameliorating possible damage due to this
349	   exposure of the user.  In publishing pointers to geofeed files as
350	   described in this document, the operator should be aware of this
351	   exposure in geofeed data and be cautious.  All the privacy
352	   considerations of [RFC8805] Section 4 apply to this document.

354	7.  Security Considerations

356	   It is generally prudent for a consumer of geofeed data to also use
357	   other sources to cross-validate the data.  All the Security
358	   Considerations of [RFC8805] apply here as well.

360	   As mentioned in Section 4, many RPSL repositories have weak if any
361	   authentication.  This allows spoofing of inetnum: objects pointing to
362	   malicious geofeed files.  Section 4 suggests an unfortunately complex
363	   method for stronger authentication based on the RPKI.

365	   If an inetnum: for a wide prefix (e.g. a /16) points to an RPKI-
366	   signed geofeed file, a customer or attacker could publish an unsigned
367	   equal or narrower (e.g. a /24) inetnum: in a whois registry which has
368	   weak authorization.

370	   The RPSL providers have had to throttle fetching from their servers
371	   due to too-frequent queries.  Usually they throttle by the querying
372	   IP address or block.  Similar defenses will likely need to be
373	   deployed by geofeed file servers.

375	8.  IANA Considerations

377	   IANA is asked to register object identifiers for one content type in
378	   the "SMI Security for S/MIME CMS Content Type
379	   (1.2.840.113549.1.9.16.1)" registry as follows:

381	   Description             OID                         Specification
382	   -----------------------------------------------------------------
383	   id-ct-geofeedCSVwithCRLF  1.2.840.113549.1.9.16.1.47  [RFC-TBD]

385	9.  Acknowledgments

387	   Thanks to Rob Austein for CMS and detached signature clue.  George
388	   Michaelson for the first and substantial external review, Erik Kline
389	   who was too shy to agree to co-authorship.  Additionally, we express
390	   our gratitude to early implementors, including Menno Schepers, Flavio
391	   Luciani, Eric Dugas, Job Snijders who provided running code, and
392	   Kevin Pack.  Also, to geolocation providers that are consuming
393	   geofeeds with this described solution, Jonathan Kosgei (ipdata.co),
394	   Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com).  For
395	   helpful reviews we thank Adrian Farrel, Antonio Prado, Rob Wilton,
396	   George Michaelson, the document shepherd, Kyle Rose for a probing
397	   SECDIR review, Paul Kyzivat for a helpful GENART directorate review,
398	   and Jean-Michel Combes for an INTDIR review.

400	10.  References

402	10.1.  Normative References

404	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
405	              Requirement Levels", BCP 14, RFC 2119,
406	              DOI 10.17487/RFC2119, March 1997,
407	              <https://www.rfc-editor.org/info/rfc2119>.

409	   [RFC2622]  Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
410	              Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
411	              "Routing Policy Specification Language (RPSL)", RFC 2622,
412	              DOI 10.17487/RFC2622, June 1999,
413	              <https://www.rfc-editor.org/info/rfc2622>.

415	   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818,
416	              DOI 10.17487/RFC2818, May 2000,
417	              <https://www.rfc-editor.org/info/rfc2818>.

419	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
420	              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
421	              2003, <https://www.rfc-editor.org/info/rfc3629>.

423	   [RFC4012]  Blunk, L., Damas, J., Parent, F., and A. Robachevsky,
424	              "Routing Policy Specification Language next generation
425	              (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005,
426	              <https://www.rfc-editor.org/info/rfc4012>.

428	   [RFC5485]  Housley, R., "Digital Signatures on Internet-Draft
429	              Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
430	              <https://www.rfc-editor.org/info/rfc5485>.

432	   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
433	              RFC 5652, DOI 10.17487/RFC5652, September 2009,
434	              <https://www.rfc-editor.org/info/rfc5652>.

436	   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
437	              Resource Certificate Repository Structure", RFC 6481,
438	              DOI 10.17487/RFC6481, February 2012,
439	              <https://www.rfc-editor.org/info/rfc6481>.

441	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
442	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
443	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

445	   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
446	              Kumari, "A Format for Self-Published IP Geolocation
447	              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
448	              <https://www.rfc-editor.org/info/rfc8805>.

450	10.2.  Informative References

452	   [geofeed-finder]
453	              Massimo Candela, "geofeed-finder",
454	              <https://github.com/massimocandela/geofeed-finder>.

456	   [I-D.ietf-sidrops-rpki-rta]
457	              Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels,
458	              T., and M. Hoffmann, "A profile for Resource Tagged
459	              Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work
460	              in progress), January 2021.

462	   [I-D.spaghetti-sidrops-rpki-rsc]
463	              Snijders, J., "RPKI Signed Checklists", draft-spaghetti-
464	              sidrops-rpki-rsc-03 (work in progress), February 2021.

466	   [INET6NUM]
467	              RIPE, "Description of the INET6NUM Object",
468	              <https://www.ripe.net/manage-ips-and-
469	              asns/db/support/documentation/ripe-database-documentation/
470	              rpsl-object-types/4-2-descriptions-of-primary-
471	              objects/4-2-3-description-of-the-inet6num-object>.

473	   [INETNUM]  RIPE, "Description of the INETNUM Object",
474	              <https://www.ripe.net/manage-ips-and-
475	              asns/db/support/documentation/ripe-database-documentation/
476	              rpsl-object-types/4-2-descriptions-of-primary-
477	              objects/4-2-4-description-of-the-inetnum-object>.

479	   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
480	              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
481	              <https://www.rfc-editor.org/info/rfc959>.

483	   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
484	              DOI 10.17487/RFC3912, September 2004,
485	              <https://www.rfc-editor.org/info/rfc3912>.

487	   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
488	              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
489	              RFC 7234, DOI 10.17487/RFC7234, June 2014,
490	              <https://www.rfc-editor.org/info/rfc7234>.

492	   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
493	              Protocol (RDAP) Query Format", RFC 7482,
494	              DOI 10.17487/RFC7482, March 2015,
495	              <https://www.rfc-editor.org/info/rfc7482>.

497	   [RFC7485]  Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
498	              "Inventory and Analysis of WHOIS Registration Objects",
499	              RFC 7485, DOI 10.17487/RFC7485, March 2015,
500	              <https://www.rfc-editor.org/info/rfc7485>.

502	   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
503	              Specification Language (RPSL) Objects with Resource Public
504	              Key Infrastructure (RPKI) Signatures", RFC 7909,
505	              DOI 10.17487/RFC7909, June 2016,
506	              <https://www.rfc-editor.org/info/rfc7909>.

508	   [RIPE-DB]  RIPE, "RIPE Database Documentation",
509	              <https://www.ripe.net/manage-ips-and-
510	              asns/db/support/documentation/ripe-database-
511	              documentation>.

513	   [RIPE181]  RIPE, "Representation Of IP Routing Policies In A Routing
514	              Registry",
515	              <https://www.ripe.net/publications/docs/ripe-181>.

517	   [RIPE81]   RIPE, "Representation Of IP Routing Policies In The RIPE
518	              Database",
519	              <https://www.ripe.net/publications/docs/ripe-081>.

521	Appendix A.  Example

523	   This appendix provides an example, including a trust anchor, a CA
524	   certificate subordinate to the trust anchor, an end-entity
525	   certificate subordinate to the CA for signing the geofeed, and a
526	   detached signature.

528	   The trust anchor is represented by a self-signed certificate.  As
529	   usual in the RPKI, the trust anchor has authority over all IPv4
530	   address blocks, all IPv6 address blocks, and all AS numbers.

532	       -----BEGIN CERTIFICATE-----
533	       MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
534	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
535	       MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
536	       AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
537	       0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
538	       XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
539	       g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
540	       O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
541	       jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
542	       BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
543	       GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
544	       GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
545	       KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
546	       YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
547	       ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
548	       YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
549	       AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
550	       BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
551	       xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
552	       cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
553	       Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
554	       rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
555	       x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
556	       -----END CERTIFICATE-----

558	   The CA certificate is issued by the trust anchor.  This certificate
559	   grants authority over one IPv4 address block (192.0.2.0/24) and two
560	   AS numbers (64496 and 64497).

562	       -----BEGIN CERTIFICATE-----
563	       MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
564	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
565	       MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
566	       QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
567	       zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
568	       6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
569	       j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
570	       liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
571	       YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
572	       TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R
573	       4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD
574	       VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr
575	       BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u
576	       ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz
577	       Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v
578	       cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr
579	       BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu
580	       bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz
581	       Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
582	       hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
583	       AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
584	       +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
585	       Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
586	       cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
587	       mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
588	       V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
589	       yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
590	       -----END CERTIFICATE-----

592	   The end-entity certificate is issued by the CA.  This certificate
593	   grants signature authority for one IPv4 address block (192.0.2.0/24).
594	   Signature authority for AS numbers is not needed for geofeed data
595	   signatures, so no AS numbers are included in the certificate.

597	       -----BEGIN CERTIFICATE-----
598	       MIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuMwDQYJKoZIhvcNAQEL
599	       BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
600	       Mzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAxOTA1MTdaMDMxMTAvBgNV
601	       BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
602	       MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
603	       yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
604	       K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
605	       BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
606	       tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
607	       qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
608	       AAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
609	       BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
610	       Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
611	       VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
612	       RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
613	       AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
614	       c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
615	       Y2VyMCEGCCsGAQUFBwEHAQH/BBIwEDAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUH
616	       AQsEOTA3MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90
617	       aWZpY2F0aW9uLnhtbDANBgkqhkiG9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHP
618	       TArIVBECZFSCdP+bJTse85TqYiblMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh
619	       6+xGs1n427JZUokoeLtY0UUb2fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b
620	       +YS8WXjEHt2KW6wyA/BcNS8adS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1ar
621	       Kelyz7PGIIXJGy9nF8C3/aaaEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfO
622	       MkB8YF6kUU+td2dDQsMztcOxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh4
623	       5Q==
624	       -----END CERTIFICATE-----

626	   The end-entity certificate is displayed below in detail.  For
627	   brevity, the other two certificates are not.

629	      0 1197: SEQUENCE {
630	      4  917:  SEQUENCE {
631	      8    3:   [0] {
632	     10    1:    INTEGER 2
633	            :     }
634	     13   20:   INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E3
635	     35   13:   SEQUENCE {
636	     37    9:    OBJECT IDENTIFIER
637	            :     sha256WithRSAEncryption (1 2 840 113549 1 1 11)
638	     48    0:    NULL
639	            :     }
640	     50   51:   SEQUENCE {
641	     52   49:    SET {
642	     54   47:     SEQUENCE {
643	     56    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
644	     61   40:      PrintableString
645	            :       '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
646	            :       }
647	            :      }
648	            :     }
649	    103   30:   SEQUENCE {
650	    105   13:    UTCTime 03/09/2020 19:05:17 GMT
651	    120   13:    UTCTime 30/06/2021 19:05:17 GMT
652	            :     }
653	    135   51:   SEQUENCE {
654	    137   49:    SET {
655	    139   47:     SEQUENCE {
656	    141    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
657	    146   40:      PrintableString
658	            :       '914652A3BD51C144260198889F5C45ABF053A187'
659	            :       }
660	            :      }
661	            :     }
662	    188  290:   SEQUENCE {
663	    192   13:    SEQUENCE {
664	    194    9:     OBJECT IDENTIFIER rsaEncryption
665	            :      (1 2 840 113549 1 1 1)
666	    205    0:     NULL
667	            :      }
668	    207  271:    BIT STRING, encapsulates {
669	    212  266:     SEQUENCE {
670	    216  257:      INTEGER
671	            :       00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
672	            :       40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
673	            :       B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
674	            :       57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
675	            :       74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
676	            :       9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
677	            :       E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
678	            :       95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
679	            :       F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
680	            :       16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
681	            :       BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
682	            :       88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
683	            :       6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
684	            :       67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
685	            :       78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
686	            :       FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
687	            :       EB
688	    477    3:      INTEGER 65537
689	            :       }
690	            :      }
691	            :     }
692	    482  439:   [3] {
693	    486  435:    SEQUENCE {
694	    490   29:     SEQUENCE {
695	    492    3:      OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
696	    497   22:      OCTET STRING, encapsulates {
697	    499   20:       OCTET STRING
698	            :        91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
699	            :        F0 53 A1 87
700	            :        }
701	            :       }
702	    521   31:     SEQUENCE {
703	    523    3:      OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
704	    528   24:      OCTET STRING, encapsulates {
705	    530   22:       SEQUENCE {
706	    532   20:        [0]
707	            :         3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
708	            :         B3 77 86 42
709	            :         }
710	            :        }
711	            :       }
712	    554   12:     SEQUENCE {
713	    556    3:      OBJECT IDENTIFIER basicConstraints (2 5 29 19)
714	    561    1:      BOOLEAN TRUE
715	    564    2:      OCTET STRING, encapsulates {
716	    566    0:       SEQUENCE {}
717	            :        }
718	            :       }
719	    568   14:     SEQUENCE {
720	    570    3:      OBJECT IDENTIFIER keyUsage (2 5 29 15)
721	    575    1:      BOOLEAN TRUE
722	    578    4:      OCTET STRING, encapsulates {
723	    580    2:       BIT STRING 7 unused bits
724	            :        '1'B (bit 0)
725	            :        }
726	            :       }
727	    584   24:     SEQUENCE {
728	    586    3:      OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
729	    591    1:      BOOLEAN TRUE
730	    594   14:      OCTET STRING, encapsulates {
731	    596   12:       SEQUENCE {
732	    598   10:        SEQUENCE {
733	    600    8:         OBJECT IDENTIFIER
734	            :          resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
735	            :          }
736	            :         }
737	            :        }
738	            :       }
739	    610   97:     SEQUENCE {
740	    612    3:      OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
741	    617   90:      OCTET STRING, encapsulates {
742	    619   88:       SEQUENCE {
743	    621   86:        SEQUENCE {
744	    623   84:         [0] {
745	    625   82:          [0] {
746	    627   80:           [6]
747	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
748	            :          'B21B7D11E3E184EFC1E297B3778642.crl'
749	            :            }
750	            :           }
751	            :          }
752	            :         }
753	            :        }
754	            :       }
755	    709  108:     SEQUENCE {
756	    711    8:      OBJECT IDENTIFIER authorityInfoAccess
757	            :       (1 3 6 1 5 5 7 1 1)
758	    721   96:      OCTET STRING, encapsulates {
759	    723   94:       SEQUENCE {
760	    725   92:        SEQUENCE {
761	    727    8:         OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
762	    737   80:         [6]
763	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
764	            :          'B21B7D11E3E184EFC1E297B3778642.cer'
765	            :          }
766	            :         }
767	            :        }
768	            :       }
769	    819   33:     SEQUENCE {
770	    821    8:      OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
771	    831    1:      BOOLEAN TRUE
772	    834   18:      OCTET STRING, encapsulates {
773	    836   16:       SEQUENCE {
774	    838    6:        SEQUENCE {
775	    840    2:         OCTET STRING 00 01
776	    844    0:         NULL
777	            :          }
778	    846    6:        SEQUENCE {
779	    848    2:         OCTET STRING 00 02
780	    852    0:         NULL
781	            :          }
782	            :         }
783	            :        }
784	            :       }
785	    854   69:     SEQUENCE {
786	    856    8:      OBJECT IDENTIFIER subjectInfoAccess
787	            :       (1 3 6 1 5 5 7 1 11)
788	    866   57:      OCTET STRING, encapsulates {
789	    868   55:       SEQUENCE {
790	    870   53:        SEQUENCE {
791	    872    8:         OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
792	    882   41:         [6]
793	            :          'https://rrdp.example.net/notification.xml'
794	            :          }
795	            :         }
796	            :        }
797	            :       }
798	            :      }
799	            :     }
800	            :    }
801	    925   13:  SEQUENCE {
802	    927    9:   OBJECT IDENTIFIER sha256WithRSAEncryption
803	            :    (1 2 840 113549 1 1 11)
804	    938    0:   NULL
805	            :    }
806	    940  257:  BIT STRING
807	            :   05 1D 93 D2 A4 F6 57 56 65 B1 98 E3 FB 21 CF 4C
808	            :   0A C8 54 11 02 64 54 82 74 FF 9B 25 3B 1E F3 94
809	            :   EA 62 26 E5 32 C3 52 F7 21 2E D9 23 5B 69 93 0D
810	            :   2E E4 92 88 07 DF 62 8A 21 E2 72 18 AB F4 61 EB
811	            :   EC 46 B3 59 F8 DB B2 59 52 89 28 78 BB 58 D1 45
812	            :   1B D9 F2 2C B9 AF 49 16 8F 18 19 39 E9 A8 33 06
813	            :   7B EC 67 A5 B2 74 48 24 A8 06 52 42 22 3F 9B F9
814	            :   84 BC 59 78 C4 1E DD 8A 5B AC 32 03 F0 5C 35 2F
815	            :   1A 75 2D A9 11 4C 02 D9 CB 3F 59 CC 33 81 BB 6D
816	            :   9E 47 27 1B BF F0 92 B4 37 A2 AC E9 0B 56 AB 29
817	            :   E9 72 CF B3 C6 20 85 C9 1B 2F 67 17 C0 B7 FD A6
818	            :   9A 12 91 DD ED 48 08 CA F5 D8 B8 26 3F 96 A5 93
819	            :   9B DE E3 0F 18 06 21 81 82 EF AE B4 9A D7 CE 32
820	            :   40 7C 60 5E A4 51 4F AD 77 67 43 42 C3 33 B5 C3
821	            :   B1 6F 3A A2 1A 78 9C 99 E2 5F 07 01 B6 96 2E 8E
822	            :   D2 FA 2B 5B 87 79 88 83 93 2A 94 32 A9 F8 78 E5
823	            :   }

825	   To allow reproduction of the signature results, the end-entity
826	   private key is provided.  For brevity, the other two private keys are
827	   not.

829	   -----BEGIN RSA PRIVATE KEY-----
830	   MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
831	   /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
832	   Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
833	   zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
834	   eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
835	   gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
836	   18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
837	   pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
838	   ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
839	   mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
840	   IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
841	   t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
842	   MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
843	   Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
844	   26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
845	   nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
846	   FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
847	   O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
848	   Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
849	   vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
850	   DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
851	   taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
852	   PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
853	   E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
854	   iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
855	       -----END RSA PRIVATE KEY-----

857	   Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
858	   yields the following detached CMS signature.

860	   # RPKI Signature: 192.0.2.0/24
861	   # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
862	   # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
863	   # MwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
864	   # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAx
865	   # OTA1MTdaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
866	   # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
867	   # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
868	   # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
869	   # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
870	   # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
871	   # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
872	   # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71R
873	   # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
874	   # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
875	   # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
876	   # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
877	   # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
878	   # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
879	   # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMCEGCCsGAQUFBwEHAQH/BBIwE
880	   # DAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUHAQsEOTA3MDUGCCsGAQUFBzANhilo
881	   # dHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90aWZpY2F0aW9uLnhtbDANBgkqhki
882	   # G9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHPTArIVBECZFSCdP+bJTse85TqYi
883	   # blMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh6+xGs1n427JZUokoeLtY0UUb2
884	   # fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b+YS8WXjEHt2KW6wyA/BcNS8a
885	   # dS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1arKelyz7PGIIXJGy9nF8C3/aa
886	   # aEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfOMkB8YF6kUU+td2dDQsMztc
887	   # OxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh45TGCAaowggGmAgEDgBSRR
888	   # lKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMx
889	   # DQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIwMDkxMzE4NDUxMFowLwY
890	   # JKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4VtBHypfcEWMA
891	   # 0GCSqGSIb3DQEBAQUABIIBAHUrA4PaJG42BD3hpF8U0usnV3Dg5NQh97SfyKTk7
892	   # YHhhwu/936gkmAew8ODRTCddMvMObWkjj7/XeR+WKffaTF1EAdZ1L6REV+GlV91
893	   # cYnFkT9ldn4wHQnNNncfAehk5PClYUUQ0gqjdJT1hdaolT83b3ttekyYIiwPmHE
894	   # xRaNkSvKenlNqcriaaf3rbQy9dc2d1KxrL2429n134ICqjKeRnHkXXrCWDmyv/3
895	   # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
896	   # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
897	   # End Signature: 192.0.2.0/24

899	Authors' Addresses

901	   Randy Bush
902	   IIJ & Arrcus
903	   5147 Crystal Springs
904	   Bainbridge Island, Washington  98110
905	   United States of America

907	   Email: randy@psg.com
908	   Massimo Candela
909	   NTT
910	   Siriusdreef 70-72
911	   Hoofddorp  2132 WT
912	   Netherlands

914	   Email: massimo@ntt.net

916	   Warren Kumari
917	   Google
918	   1600 Amphitheatre Parkway
919	   Mountain View, CA  94043
920	   US

922	   Email: warren@kumari.net

924	   Russ Housley
925	   Vigil Security, LLC
926	   516 Dranesville Road
927	   Herndon, VA  20170
928	   USA

930	   Email: housley@vigilsec.com