idnits 2.17.00 (12 Aug 2021) /tmp/idnits56072/draft-ietf-opsawg-finding-geofeeds-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 19, 2021) is 367 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC-TBD' is mentioned on line 441, but not defined -- Looks like a reference, but probably isn't: '0' on line 819 -- Looks like a reference, but probably isn't: '3' on line 766 -- Looks like a reference, but probably isn't: '6' on line 866 ** Downref: Normative reference to an Informational RFC: RFC 2818 ** Downref: Normative reference to an Informational RFC: RFC 8805 -- Obsolete informational reference (is this intentional?): RFC 7482 (Obsoleted by RFC 9082) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Bush 3 Internet-Draft IIJ & Arrcus 4 Intended status: Standards Track M. Candela 5 Expires: November 20, 2021 NTT 6 W. Kumari 7 Google 8 R. Housley 9 Vigil Security 10 May 19, 2021 12 Finding and Using Geofeed Data 13 draft-ietf-opsawg-finding-geofeeds-11 15 Abstract 17 This document specifies how to augment the Routing Policy 18 Specification Language inetnum: class to refer specifically to 19 geofeed data CSV files, and describes an optional scheme to use the 20 Routing Public Key Infrastructure to authenticate the geofeed data 21 CSV files. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on November 20, 2021. 40 Copyright Notice 42 Copyright (c) 2021 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 59 2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 5 62 5. Operational Considerations . . . . . . . . . . . . . . . . . 8 63 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 64 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 65 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 66 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 68 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 69 10.2. Informative References . . . . . . . . . . . . . . . . . 11 70 Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 13 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 73 1. Introduction 75 Providers of Internet content and other services may wish to 76 customize those services based on the geographic location of the user 77 of the service. This is often done using the source IP address used 78 to contact the service. Also, infrastructure and other services 79 might wish to publish the locale of their services. [RFC8805] 80 defines geofeed, a syntax to associate geographic locales with IP 81 addresses. But it does not specify how to find the relevant geofeed 82 data given an IP address. 84 This document specifies how to augment the Routing Policy 85 Specification Language (RPSL) [RFC2622] inetnum: class to refer 86 specifically to geofeed data CSV files, and how to prudently use 87 them. In all places inetnum: is used, inet6num: should also be 88 assumed [RFC4012]. 90 The reader may find [INETNUM] and [INET6NUM] informative, and 91 certainly more verbose, descriptions of the inetnum: database 92 classes. 94 An optional, utterly awesome but slightly complex means for 95 authenticating geofeed data is also defined. 97 1.1. Requirements Language 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 101 "OPTIONAL" in this document are to be interpreted as described in BCP 102 14 [RFC2119] [RFC8174] when, and only when, they appear in all 103 capitals, as shown here. 105 2. Geofeed Files 107 Geofeed files are described in [RFC8805]. They provide a facility 108 for an IP address resource 'owner' to associate those IP addresses to 109 geographic locales. 111 Content providers and other parties who wish to locate an IP address 112 to a geographic locale need to find the relevant geofeed data. In 113 Section 3, this document specifies how to find the relevant [RFC8805] 114 geofeed file given an IP address. 116 Geofeed data for large providers with significant horizontal scale 117 and high granularity can be quite large. The size of a file can be 118 even larger if an unsigned geofeed file combines data for many 119 prefixes, dual IPv4/IPv6 spaces are represented, etc. 121 Geofeed data do have privacy considerations, see Section 6; and this 122 process makes bulk access to those data easier. 124 This document also suggests an optional signature to strongly 125 authenticate the data in the geofeed files. 127 3. inetnum: Class 129 The original RPSL specifications starting with [RIPE81], [RIPE181], 130 and a trail of subsequent documents were done by the RIPE community. 131 The IETF standardardized RPSL in [RFC2622] and [RFC4012]. Since 132 then, it has been modified and extensively enhanced in the Regional 133 Interney Registry (RIR) community, mostly by RIPE, [RIPE-DB]. 134 Currently, change control effectively lies in the operator community. 136 The Routing Policy Specification Language (RPSL), and [RFC2622] and 137 [RFC4012] used by the Regional Internet Registries (RIRs) specifies 138 the inetnum: database class. Each of these objects describes an IP 139 address range and its attributes. The inetnum: objects form a 140 hierarchy ordered on the address space. 142 Ideally, RPSL would be augmented to define a new RPSL geofeed: 143 attribute in the inetnum: class. Until such time, this document 144 defines the syntax of a Geofeed remarks: attribute which contains an 145 HTTPS URL of a geofeed file. The format of the inetnum: geofeed 146 remarks: attribute MUST be as in this example, "remarks: Geofeed ", 147 where the token "Geofeed" MUST be case-sensitive, followed by a URL 148 which will vary, but MUST refer only to a single [RFC8805] geofeed 149 file. 151 inetnum: 192.0.2.0/24 # example 152 remarks: Geofeed https://example.com/geofeed.csv 154 While we leave global agreement of RPSL modification to the relevant 155 parties, we specify that a proper geofeed: attribute in the inetnum: 156 class MUST be "geofeed: ", and MUST be followed by a single URL which 157 will vary, but MUST refer only to a single [RFC8805] geofeed file. 159 inetnum: 192.0.2.0/24 # example 160 geofeed: https://example.com/geofeed.csv 162 Registries MAY, for the interim, provide a mix of the remarks: 163 attribute form and the geofeed: attribute form. 165 The URL's use of the web PKI can not provide authentication of IP 166 address space ownership. It is only used to authenticate a pointer 167 to the geofeed file, authenticate the domain name in the URL, and 168 provide confidentiality and integrity for the geofeed file in 169 transit. In contrast, the Resource Public Key Infrastructure (RPKI, 170 see [RFC6481]) can be used to authenticate IP space ownership; see 171 optional authentication in Section 4. 173 Until all producers of inetnum:s, i.e. the RIRs, state that they have 174 migrated to supporting a geofeed: attribute, consumers looking at 175 inetnum:s to find geofeed URLs MUST be able to consume both the 176 remarks: and geofeed: forms. The migration not only implies that the 177 RIRs support the geofeed: attribute, but that all registrants have 178 migrated any inetnum:s from remarks: use to geofeed:s. 180 Any particular inetnum: object MUST have at most, one geofeed 181 reference, whether a remarks: or a proper geofeed: attribute when it 182 is implemented. If there is more than one, all are ignored. 184 If a geofeed CSV file describes multiple disjoint ranges of IP 185 address space, there are likely to be geofeed references from 186 multiple inetnum: objects. 188 As inetnum: objects form a hierarchy, Geofeed references SHOULD be at 189 the lowest applicable inetnum: object covering the relevant prefixes 190 in the referenced geofeed file. When fetching, the most specific 191 inetnum: object with a geofeed reference MUST be used. 193 When geofeed references are provided by multiple inetnum: objects 194 which have identical address ranges, then the geofeed reference on 195 the inetnum: with the most recent last-modified: attribute SHOULD be 196 preferred. 198 It is significant that geofeed data may have finer granularity than 199 the inetnum: which refers to them. For example an INETNUM object for 200 a prefix P could refer to a geofeed file in which P has been sub- 201 divided into one or more longer prefixes. 203 Currently, the registry data published by ARIN is not the same RPSL 204 as that of the other registries (see [RFC7485] for a survey of the 205 whois Tower of Babel); therefore, when fetching from ARIN via FTP 206 [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the 207 "NetRange" attribute/key MUST be treated as "inetnum" and the 208 "Comment" attribute MUST be treated as "remarks". 210 4. Authenticating Geofeed Data 212 The question arises whether a particular [RFC8805] geofeed data set 213 is valid, i.e. is authorized by the 'owner' of the IP address space 214 and is authoritative in some sense. The inetnum: which points to the 215 [RFC8805] geofeed file provides some assurance. Unfortunately, the 216 RPSL in many repositories is weakly authenticated at best. An 217 approach where RPSL was signed a la [RFC7909] would be good, except 218 it would have to be deployed by all RPSL registries, and there is a 219 fair number of them. 221 A single optional authenticator MAY be appended to a [RFC8805] 222 geofeed file. It is a digest of the main body of the file signed by 223 the private key of the relevant RPKI certificate for the covering 224 address range. One needs a format that bundles the relevant RPKI 225 certificate with the signature and the digest of the geofeed text. 227 The canonicalization procedure converts the data from its internal 228 character representation to the UTF-8 [RFC3629] character encoding, 229 and the sequence MUST be used to denote the end of a line of 230 text. Trailing space characters MUST NOT appear on a line of text. 231 That is, the space or tab characters must not be followed by the 232 sequence. Thus, a blank line is represented solely by the 233 sequence. Other nonprintable characters, such as backspace, 234 are not expected. For robustness, any nonprintable characters MUST 235 NOT be changed by canonicalization. Trailing blank lines MUST NOT 236 appear at the end of the file. That is, the file must not end with 237 multiple consecutive sequences. Any end-of-file marker used 238 by an operating system is not considered to be part of the file 239 content. When present, such end-of-file markers MUST NOT be 240 processed by the digital signature algorithm. 242 Should the authenticator be syntactically incorrect per the above, 243 the authenticator is invalid. 245 Borrowing detached signatures from [RFC5485], after file 246 canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652] 247 would be used to create a detached DER encoded signature which is 248 then padded BASE64 encoded (as per [RFC4648]) and line wrapped to 72 249 or fewer characters. 251 The address range of the signing certificate MUST cover all prefixes 252 in the geofeed file it signs; and therefore must be covered by the 253 range of the inetnum:. 255 An address range A 'covers' address range B if the range of B is 256 identical to or a subset of A. 'Address range' is used here because 257 inetnum: objects and RPKI certificates need not align on CIDR prefix 258 boundaries, while those of the CSV lines in the geofeed file do. 260 As the signer specifies the covered RPKI resources relevant to the 261 signature, the RPKI certificate covering the inetnum: object's 262 address range is included in the [RFC5652] CMS SignedData 263 certificates field. 265 Identifying the private key associated with the certificate, and 266 getting the department with the Hardware Security Module (HSM) to 267 sign the CMS blob is left as an exercise for the implementor. On the 268 other hand, verifying the signature requires no complexity; the 269 certificate, which can be validated in the public RPKI, has the 270 needed public key. The trust anchors for the RIRs are expected to 271 already be available to the party performing signature validation. 272 Validation of the CMS signature on the geofeed file involves: 274 1. Obtain the signer's certificate from an RPKI Repository. The 275 certificate SubjectKeyIdentifier extension [RFC5280] MUST match 276 the SubjectKeyIdentifier in the CMS SignerInfo SignerIdentifier 277 xref target="RFC5286"/>. If the key identifiers do not match, 278 then validation MUST fail. 280 2. Construct the certification path for the signer's certificate. 281 All of the needed certificates are expected to be readily 282 available in the RPKI Repository. The certification path MUST be 283 valid according to the validation algorithm in [RFC5280] and the 284 additional checks specified in [RFC3779] associated with the IP 285 Address Delegation certificate extension and the Autonomous 286 System Identifier Delegation certificate extension. If 287 certification path validation is unsuccessful, then validation 288 MUST fail. 290 3. Validate the CMS SignedData as specified in [RFC5652] using the 291 public key from the validated signer's certificate. If the 292 signature validation is unsuccessful, then validation MUST fail. 294 4. Verify that the IP Address Delegation certificate extension 295 [RFC3779] covers the address range of the geofeed file. If the 296 address range is not covered, then validation MUST fail. 298 5. Validation of the signing certificate MUST ensure that it is part 299 of the current manifest and that the resources are covered by the 300 RPKI certificate. 302 All of these steps MUST be successful to consider the geofeed file 303 signature as valid. 305 As the signer specifies the covered RPKI resources relevant to the 306 signature, the RPKI certificate covering the inetnum: object's 307 address range is included in the [RFC5652] CMS SignedData 308 certificates field. 310 Identifying the private key associated with the certificate, and 311 getting the department with the Hardware Security Module (HSM) to 312 sign the CMS blob is left as an exercise for the implementor. On the 313 other hand, verifying the signature requires no complexity; the 314 certificate, which can be validated in the public RPKI, has the 315 needed public key. 317 The appendix MUST be 'hidden' as a series of "#" comments at the end 318 of the geofeed file. The following is a cryptographically incorrect, 319 albeit simple example. A correct and full example is in Appendix A. 321 # RPKI Signature: 192.0.2.0/24 322 # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ 323 # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu 324 ... 325 # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa 326 # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= 327 # End Signature: 192.0.2.0/24 329 The signature does not cover the signature lines. 331 The bracketing "# RPKI Signature:" and "# End Signature:" MUST be 332 present exactly as shown. 334 [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a 335 Cryptographic Message Syntax (CMS) profile for a general purpose 336 listing of checksums (a 'checklist'), for use with the Resource 337 Public Key Infrastructure (RPKI). It provides usable, albeit 338 complex, code to sign geofeed files. 340 [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax 341 (CMS) profile for a general purpose Resource Tagged Attestation (RTA) 342 based on the RPKI. While this is expected to become applicable in 343 the long run, for the purposes of this document, a self-signed root 344 trust anchor is used. 346 5. Operational Considerations 348 To create the needed inetnum: objects, an operator wishing to 349 register the location of their geofeed file needs to coordinate with 350 their RIR/NIR and/or any provider LIR which has assigned prefixes to 351 them. RIRs/NIRs provide means for assignees to create and maintain 352 inetnum: objects. They also provide means of [sub-]assigning IP 353 address resources and allowing the assignee to create whois data, 354 including inetnum: objects, and thereby referring to geofeed files. 356 The geofeed files MUST be published via and fetched using https 357 [RFC2818]. 359 When using data from a geofeed file, one MUST ignore data outside the 360 referring inetnum: object's inetnum: attribute address range. 362 If and only if the geofeed file is not signed per Section 4, then 363 multiple inetnum: objects MAY refer to the same geofeed file, and the 364 consumer MUST use only geofeed lines where the prefix is covered by 365 the address range of the inetnum: object they have followed. 367 If the geofeed file is signed, and the signer's certificate changes, 368 the signature in the geofeed file MUST be updated. 370 It is good key hygene to use a given key for only one purpose. To 371 dedicate a signing private key for signing a geofeed file, an RPKI CA 372 may issue a subordinate certificate exclusively for the purpose as 373 shown in Appendix A. 375 To minimize the load on RIR whois [RFC3912] services, use of the 376 RIR's FTP [RFC0959] services SHOULD be the preferred access. This 377 also provides bulk access instead of fetching by brute force search 378 through the IP space. 380 Currently, geolocation providers have bulk whois data access at all 381 the RIRs. An anonymized version of such data is openly available for 382 all RIRs except ARIN, which requires an authorization. However, for 383 users without such authorization, the same result can be achieved 384 with extra RDAP effort. There is open source code to pass over such 385 data across all RIRs, collect all geofeed references, and process 386 them [geofeed-finder]. 388 To prevent undue load on RPSL and geofeed servers, an entity fetching 389 geofeed data using these mechanisms MUST NOT do frequent real-time 390 look-ups. [RFC8805] Section 3.4 suggests use of the [RFC7234] HTTP 391 Expires Caching Header to signal when geofeed data should be 392 refetched. As the data change very infrequently, in the absence of 393 such an HTTP Header signal, collectors SHOULD NOT fetch more 394 frequently than weekly. It would be polite not to fetch at magic 395 times such as midnight UTC, the first of the month, etc., because too 396 many others are likely to do the same. 398 6. Privacy Considerations 400 [RFC8805] geofeed data may reveal the approximate location of an IP 401 address, which might in turn reveal the approximate location of an 402 individual user. Unfortunately, [RFC8805] provides no privacy 403 guidance on avoiding or ameliorating possible damage due to this 404 exposure of the user. In publishing pointers to geofeed files as 405 described in this document, the operator should be aware of this 406 exposure in geofeed data and be cautious. All the privacy 407 considerations of [RFC8805] Section 4 apply to this document. 409 Where [RFC8805] provided the ability to publish location data, this 410 document makes bulk access to those data readily available. 412 7. Security Considerations 414 It is generally prudent for a consumer of geofeed data to also use 415 other sources to cross-validate the data. All the Security 416 Considerations of [RFC8805] apply here as well. 418 As mentioned in Section 4, many RPSL repositories have weak if any 419 authentication. This allows spoofing of inetnum: objects pointing to 420 malicious geofeed files. Section 4 suggests an unfortunately complex 421 method for stronger authentication based on the RPKI. 423 If an inetnum: for a wide prefix (e.g. a /16) points to an RPKI- 424 signed geofeed file, a customer or attacker could publish an unsigned 425 equal or narrower (e.g. a /24) inetnum: in a whois registry which has 426 weak authorization. 428 The RPSL providers have had to throttle fetching from their servers 429 due to too-frequent queries. Usually they throttle by the querying 430 IP address or block. Similar defenses will likely need to be 431 deployed by geofeed file servers. 433 8. IANA Considerations 435 IANA is asked to register object identifiers for one content type in 436 the "SMI Security for S/MIME CMS Content Type 437 (1.2.840.113549.1.9.16.1)" registry as follows: 439 Description OID Specification 440 ----------------------------------------------------------------- 441 id-ct-geofeedCSVwithCRLF 1.2.840.113549.1.9.16.1.47 [RFC-TBD] 443 9. Acknowledgments 445 Thanks to Rob Austein for CMS and detached signature clue. George 446 Michaelson for the first and substantial external review, Erik Kline 447 who was too shy to agree to co-authorship. Additionally, we express 448 our gratitude to early implementors, including Menno Schepers, Flavio 449 Luciani, Eric Dugas, Job Snijders who provided running code, and 450 Kevin Pack. Also, to geolocation providers that are consuming 451 geofeeds with this described solution, Jonathan Kosgei (ipdata.co), 452 Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For 453 an amazing number of helpful reviews we thank Adrian Farrel, Antonio 454 Prado, Francesca Palombini, Jean-Michel Combes (INTDIR), John 455 Scudder, Kyle Rose (SECDIR), Martin Duke, Paul Kyzivat (GENART), Rob 456 Wilton, and Roman Danyliw. The authors also thank George Michaelson, 457 the awesome document shepherd. 459 10. References 461 10.1. Normative References 463 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 464 Requirement Levels", BCP 14, RFC 2119, 465 DOI 10.17487/RFC2119, March 1997, 466 . 468 [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., 469 Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra, 470 "Routing Policy Specification Language (RPSL)", RFC 2622, 471 DOI 10.17487/RFC2622, June 1999, 472 . 474 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 475 DOI 10.17487/RFC2818, May 2000, 476 . 478 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 479 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 480 2003, . 482 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 483 Addresses and AS Identifiers", RFC 3779, 484 DOI 10.17487/RFC3779, June 2004, 485 . 487 [RFC4012] Blunk, L., Damas, J., Parent, F., and A. Robachevsky, 488 "Routing Policy Specification Language next generation 489 (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005, 490 . 492 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 493 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 494 . 496 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 497 Housley, R., and W. Polk, "Internet X.509 Public Key 498 Infrastructure Certificate and Certificate Revocation List 499 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 500 . 502 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 503 RFC 5652, DOI 10.17487/RFC5652, September 2009, 504 . 506 [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for 507 Resource Certificate Repository Structure", RFC 6481, 508 DOI 10.17487/RFC6481, February 2012, 509 . 511 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 512 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 513 May 2017, . 515 [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. 516 Kumari, "A Format for Self-Published IP Geolocation 517 Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, 518 . 520 10.2. Informative References 522 [geofeed-finder] 523 Massimo Candela, "geofeed-finder", 524 . 526 [I-D.ietf-sidrops-rpki-rta] 527 Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels, 528 T., and M. Hoffmann, "A profile for Resource Tagged 529 Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work 530 in progress), January 2021. 532 [I-D.spaghetti-sidrops-rpki-rsc] 533 Snijders, J., "RPKI Signed Checklists", draft-spaghetti- 534 sidrops-rpki-rsc-03 (work in progress), February 2021. 536 [INET6NUM] 537 RIPE, "Description of the INET6NUM Object", 538 . 543 [INETNUM] RIPE, "Description of the INETNUM Object", 544 . 549 [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", 550 STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, 551 . 553 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, 554 DOI 10.17487/RFC3912, September 2004, 555 . 557 [RFC5485] Housley, R., "Digital Signatures on Internet-Draft 558 Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009, 559 . 561 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 562 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", 563 RFC 7234, DOI 10.17487/RFC7234, June 2014, 564 . 566 [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access 567 Protocol (RDAP) Query Format", RFC 7482, 568 DOI 10.17487/RFC7482, March 2015, 569 . 571 [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin, 572 "Inventory and Analysis of WHOIS Registration Objects", 573 RFC 7485, DOI 10.17487/RFC7485, March 2015, 574 . 576 [RFC7909] Kisteleki, R. and B. Haberman, "Securing Routing Policy 577 Specification Language (RPSL) Objects with Resource Public 578 Key Infrastructure (RPKI) Signatures", RFC 7909, 579 DOI 10.17487/RFC7909, June 2016, 580 . 582 [RIPE-DB] RIPE, "RIPE Database Documentation", 583 . 587 [RIPE181] RIPE, "Representation Of IP Routing Policies In A Routing 588 Registry", 589 . 591 [RIPE81] RIPE, "Representation Of IP Routing Policies In The RIPE 592 Database", 593 . 595 Appendix A. Example 597 This appendix provides an example, including a trust anchor, a CA 598 certificate subordinate to the trust anchor, an end-entity 599 certificate subordinate to the CA for signing the geofeed, and a 600 detached signature. 602 The trust anchor is represented by a self-signed certificate. As 603 usual in the RPKI, the trust anchor has authority over all IPv4 604 address blocks, all IPv6 address blocks, and all AS numbers. 606 -----BEGIN CERTIFICATE----- 607 MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL 608 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5 609 MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB 610 AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ 611 0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH 612 XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe 613 g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb 614 O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq 615 jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd 616 BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU 617 GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw 618 GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI 619 KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4 620 YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u 621 ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4 622 YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD 623 AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN 624 BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe 625 xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH 626 cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM 627 Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA 628 rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a 629 x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA== 630 -----END CERTIFICATE----- 632 The CA certificate is issued by the trust anchor. This certificate 633 grants authority over one IPv4 address block (192.0.2.0/24) and two 634 AS numbers (64496 and 64497). 636 -----BEGIN CERTIFICATE----- 637 MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL 638 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5 639 MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG 640 QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc 641 zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7 642 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo 643 j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ 644 liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n 645 YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE 646 TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R 647 4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD 648 VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr 649 BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u 650 ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz 651 Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v 652 cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr 653 BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu 654 bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz 655 Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF 656 hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH 657 AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA 658 +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0 659 Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm 660 cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09 661 mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq 662 V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY 663 yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w== 664 -----END CERTIFICATE----- 666 The end-entity certificate is issued by the CA. This certificate 667 grants signature authority for one IPv4 address block (192.0.2.0/24). 668 Signature authority for AS numbers is not needed for geofeed data 669 signatures, so no AS numbers are included in the certificate. 671 -----BEGIN CERTIFICATE----- 672 MIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuMwDQYJKoZIhvcNAQEL 673 BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC 674 Mzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAxOTA1MTdaMDMxMTAvBgNV 675 BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi 676 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW 677 yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c 678 K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm 679 BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp 680 tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog 681 qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB 682 AAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j 683 BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B 684 Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag 685 VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF 686 RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB 687 AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv 688 c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu 689 Y2VyMCEGCCsGAQUFBwEHAQH/BBIwEDAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUH 690 AQsEOTA3MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90 691 aWZpY2F0aW9uLnhtbDANBgkqhkiG9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHP 692 TArIVBECZFSCdP+bJTse85TqYiblMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh 693 6+xGs1n427JZUokoeLtY0UUb2fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b 694 +YS8WXjEHt2KW6wyA/BcNS8adS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1ar 695 Kelyz7PGIIXJGy9nF8C3/aaaEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfO 696 MkB8YF6kUU+td2dDQsMztcOxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh4 697 5Q== 698 -----END CERTIFICATE----- 700 The end-entity certificate is displayed below in detail. For 701 brevity, the other two certificates are not. 703 0 1197: SEQUENCE { 704 4 917: SEQUENCE { 705 8 3: [0] { 706 10 1: INTEGER 2 707 : } 708 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E3 709 35 13: SEQUENCE { 710 37 9: OBJECT IDENTIFIER 711 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 712 48 0: NULL 713 : } 714 50 51: SEQUENCE { 715 52 49: SET { 716 54 47: SEQUENCE { 717 56 3: OBJECT IDENTIFIER commonName (2 5 4 3) 718 61 40: PrintableString 719 : '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642' 720 : } 721 : } 722 : } 723 103 30: SEQUENCE { 724 105 13: UTCTime 03/09/2020 19:05:17 GMT 725 120 13: UTCTime 30/06/2021 19:05:17 GMT 726 : } 727 135 51: SEQUENCE { 728 137 49: SET { 729 139 47: SEQUENCE { 730 141 3: OBJECT IDENTIFIER commonName (2 5 4 3) 731 146 40: PrintableString 732 : '914652A3BD51C144260198889F5C45ABF053A187' 733 : } 734 : } 735 : } 736 188 290: SEQUENCE { 737 192 13: SEQUENCE { 738 194 9: OBJECT IDENTIFIER rsaEncryption 739 : (1 2 840 113549 1 1 1) 740 205 0: NULL 741 : } 742 207 271: BIT STRING, encapsulates { 743 212 266: SEQUENCE { 744 216 257: INTEGER 745 : 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8 746 : 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65 747 : B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE 748 : 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13 749 : 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37 750 : 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE 751 : E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED 752 : 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89 753 : F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E 754 : 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19 755 : BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65 756 : 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28 757 : 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9 758 : 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A 759 : 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41 760 : FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C 761 : EB 762 477 3: INTEGER 65537 763 : } 764 : } 765 : } 766 482 439: [3] { 767 486 435: SEQUENCE { 768 490 29: SEQUENCE { 769 492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 770 497 22: OCTET STRING, encapsulates { 771 499 20: OCTET STRING 772 : 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB 773 : F0 53 A1 87 774 : } 775 : } 776 521 31: SEQUENCE { 777 523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 778 528 24: OCTET STRING, encapsulates { 779 530 22: SEQUENCE { 780 532 20: [0] 781 : 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97 782 : B3 77 86 42 783 : } 784 : } 785 : } 786 554 12: SEQUENCE { 787 556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 788 561 1: BOOLEAN TRUE 789 564 2: OCTET STRING, encapsulates { 790 566 0: SEQUENCE {} 791 : } 792 : } 793 568 14: SEQUENCE { 794 570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 795 575 1: BOOLEAN TRUE 796 578 4: OCTET STRING, encapsulates { 797 580 2: BIT STRING 7 unused bits 798 : '1'B (bit 0) 799 : } 800 : } 801 584 24: SEQUENCE { 802 586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 803 591 1: BOOLEAN TRUE 804 594 14: OCTET STRING, encapsulates { 805 596 12: SEQUENCE { 806 598 10: SEQUENCE { 807 600 8: OBJECT IDENTIFIER 808 : resourceCertificatePolicy (1 3 6 1 5 5 7 14 2) 809 : } 810 : } 811 : } 812 : } 813 610 97: SEQUENCE { 814 612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 815 617 90: OCTET STRING, encapsulates { 816 619 88: SEQUENCE { 817 621 86: SEQUENCE { 818 623 84: [0] { 819 625 82: [0] { 820 627 80: [6] 821 : 'rsync://rpki.example.net/repository/3ACE2CEF4F' 822 : 'B21B7D11E3E184EFC1E297B3778642.crl' 823 : } 824 : } 825 : } 826 : } 827 : } 828 : } 829 709 108: SEQUENCE { 830 711 8: OBJECT IDENTIFIER authorityInfoAccess 831 : (1 3 6 1 5 5 7 1 1) 832 721 96: OCTET STRING, encapsulates { 833 723 94: SEQUENCE { 834 725 92: SEQUENCE { 835 727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2) 836 737 80: [6] 837 : 'rsync://rpki.example.net/repository/3ACE2CEF4F' 838 : 'B21B7D11E3E184EFC1E297B3778642.cer' 839 : } 840 : } 841 : } 842 : } 843 819 33: SEQUENCE { 844 821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7) 845 831 1: BOOLEAN TRUE 846 834 18: OCTET STRING, encapsulates { 847 836 16: SEQUENCE { 848 838 6: SEQUENCE { 849 840 2: OCTET STRING 00 01 850 844 0: NULL 851 : } 852 846 6: SEQUENCE { 853 848 2: OCTET STRING 00 02 854 852 0: NULL 855 : } 856 : } 857 : } 858 : } 859 854 69: SEQUENCE { 860 856 8: OBJECT IDENTIFIER subjectInfoAccess 861 : (1 3 6 1 5 5 7 1 11) 862 866 57: OCTET STRING, encapsulates { 863 868 55: SEQUENCE { 864 870 53: SEQUENCE { 865 872 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13' 866 882 41: [6] 867 : 'https://rrdp.example.net/notification.xml' 868 : } 869 : } 870 : } 871 : } 872 : } 873 : } 874 : } 875 925 13: SEQUENCE { 876 927 9: OBJECT IDENTIFIER sha256WithRSAEncryption 877 : (1 2 840 113549 1 1 11) 878 938 0: NULL 879 : } 880 940 257: BIT STRING 881 : 05 1D 93 D2 A4 F6 57 56 65 B1 98 E3 FB 21 CF 4C 882 : 0A C8 54 11 02 64 54 82 74 FF 9B 25 3B 1E F3 94 883 : EA 62 26 E5 32 C3 52 F7 21 2E D9 23 5B 69 93 0D 884 : 2E E4 92 88 07 DF 62 8A 21 E2 72 18 AB F4 61 EB 885 : EC 46 B3 59 F8 DB B2 59 52 89 28 78 BB 58 D1 45 886 : 1B D9 F2 2C B9 AF 49 16 8F 18 19 39 E9 A8 33 06 887 : 7B EC 67 A5 B2 74 48 24 A8 06 52 42 22 3F 9B F9 888 : 84 BC 59 78 C4 1E DD 8A 5B AC 32 03 F0 5C 35 2F 889 : 1A 75 2D A9 11 4C 02 D9 CB 3F 59 CC 33 81 BB 6D 890 : 9E 47 27 1B BF F0 92 B4 37 A2 AC E9 0B 56 AB 29 891 : E9 72 CF B3 C6 20 85 C9 1B 2F 67 17 C0 B7 FD A6 892 : 9A 12 91 DD ED 48 08 CA F5 D8 B8 26 3F 96 A5 93 893 : 9B DE E3 0F 18 06 21 81 82 EF AE B4 9A D7 CE 32 894 : 40 7C 60 5E A4 51 4F AD 77 67 43 42 C3 33 B5 C3 895 : B1 6F 3A A2 1A 78 9C 99 E2 5F 07 01 B6 96 2E 8E 896 : D2 FA 2B 5B 87 79 88 83 93 2A 94 32 A9 F8 78 E5 897 : } 899 To allow reproduction of the signature results, the end-entity 900 private key is provided. For brevity, the other two private keys are 901 not. 903 -----BEGIN RSA PRIVATE KEY----- 904 MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW 905 /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP 906 Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 907 zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ 908 eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm 909 gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo 910 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio 911 pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z 912 ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ 913 mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651 914 IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF 915 t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt 916 MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M 917 Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg 918 26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l 919 nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm 920 FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 921 O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo 922 Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz 923 vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc 924 DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf 925 taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc 926 PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ 927 E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV 928 iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= 929 -----END RSA PRIVATE KEY----- 931 Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF), 932 yields the following detached CMS signature. 934 # RPKI Signature: 192.0.2.0/24 935 # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ 936 # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu 937 # MwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR 938 # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAx 939 # OTA1MTdaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM 940 # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT 941 # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg 942 # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm 943 # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha 944 # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG 945 # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ 946 # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71R 947 # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI 948 # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg 949 # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ 950 # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5 951 # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5 952 # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0 953 # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMCEGCCsGAQUFBwEHAQH/BBIwE 954 # DAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUHAQsEOTA3MDUGCCsGAQUFBzANhilo 955 # dHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90aWZpY2F0aW9uLnhtbDANBgkqhki 956 # G9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHPTArIVBECZFSCdP+bJTse85TqYi 957 # blMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh6+xGs1n427JZUokoeLtY0UUb2 958 # fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b+YS8WXjEHt2KW6wyA/BcNS8a 959 # dS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1arKelyz7PGIIXJGy9nF8C3/aa 960 # aEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfOMkB8YF6kUU+td2dDQsMztc 961 # OxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh45TGCAaowggGmAgEDgBSRR 962 # lKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMx 963 # DQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIwMDkxMzE4NDUxMFowLwY 964 # JKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4VtBHypfcEWMA 965 # 0GCSqGSIb3DQEBAQUABIIBAHUrA4PaJG42BD3hpF8U0usnV3Dg5NQh97SfyKTk7 966 # YHhhwu/936gkmAew8ODRTCddMvMObWkjj7/XeR+WKffaTF1EAdZ1L6REV+GlV91 967 # cYnFkT9ldn4wHQnNNncfAehk5PClYUUQ0gqjdJT1hdaolT83b3ttekyYIiwPmHE 968 # xRaNkSvKenlNqcriaaf3rbQy9dc2d1KxrL2429n134ICqjKeRnHkXXrCWDmyv/3 969 # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa 970 # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= 971 # End Signature: 192.0.2.0/24 973 Authors' Addresses 975 Randy Bush 976 IIJ & Arrcus 977 5147 Crystal Springs 978 Bainbridge Island, Washington 98110 979 United States of America 981 Email: randy@psg.com 982 Massimo Candela 983 NTT 984 Siriusdreef 70-72 985 Hoofddorp 2132 WT 986 Netherlands 988 Email: massimo@ntt.net 990 Warren Kumari 991 Google 992 1600 Amphitheatre Parkway 993 Mountain View, CA 94043 994 US 996 Email: warren@kumari.net 998 Russ Housley 999 Vigil Security, LLC 1000 516 Dranesville Road 1001 Herndon, VA 20170 1002 USA 1004 Email: housley@vigilsec.com