idnits 2.17.00 (12 Aug 2021) /tmp/idnits42450/draft-ietf-opsawg-finding-geofeeds-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The document has examples using IPv4 documentation addresses according to RFC6890, but does not use any IPv6 documentation addresses. Maybe there should be IPv6 examples, too? Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 25, 2021) is 354 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC-TBD' is mentioned on line 455, but not defined -- Looks like a reference, but probably isn't: '0' on line 847 -- Looks like a reference, but probably isn't: '3' on line 794 -- Looks like a reference, but probably isn't: '6' on line 890 ** Downref: Normative reference to an Informational RFC: RFC 2818 ** Downref: Normative reference to an Informational RFC: RFC 8805 -- Obsolete informational reference (is this intentional?): RFC 7482 (Obsoleted by RFC 9082) Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group R. Bush 3 Internet-Draft IIJ & Arrcus 4 Intended status: Standards Track M. Candela 5 Expires: November 26, 2021 NTT 6 W. Kumari 7 Google 8 R. Housley 9 Vigil Security 10 May 25, 2021 12 Finding and Using Geofeed Data 13 draft-ietf-opsawg-finding-geofeeds-17 15 Abstract 17 This document specifies how to augment the Routing Policy 18 Specification Language inetnum: class to refer specifically to 19 geofeed data CSV files, and describes an optional scheme to use the 20 Routing Public Key Infrastructure to authenticate the geofeed data 21 CSV files. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on November 26, 2021. 40 Copyright Notice 42 Copyright (c) 2021 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 59 2. Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. inetnum: Class . . . . . . . . . . . . . . . . . . . . . . . 3 61 4. Authenticating Geofeed Data . . . . . . . . . . . . . . . . . 5 62 5. Operational Considerations . . . . . . . . . . . . . . . . . 8 63 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9 64 7. Security Considerations . . . . . . . . . . . . . . . . . . . 9 65 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 66 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 67 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 68 10.1. Normative References . . . . . . . . . . . . . . . . . . 10 69 10.2. Informative References . . . . . . . . . . . . . . . . . 12 70 Appendix A. Example . . . . . . . . . . . . . . . . . . . . . . 14 71 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 73 1. Introduction 75 Providers of Internet content and other services may wish to 76 customize those services based on the geographic location of the user 77 of the service. This is often done using the source IP address used 78 to contact the service. Also, infrastructure and other services 79 might wish to publish the locale of their services. [RFC8805] 80 defines geofeed, a syntax to associate geographic locales with IP 81 addresses. But it does not specify how to find the relevant geofeed 82 data given an IP address. 84 This document specifies how to augment the Routing Policy 85 Specification Language (RPSL) [RFC2725] inetnum: class to refer 86 specifically to geofeed data CSV files, and how to prudently use 87 them. In all places inetnum: is used, inet6num: should also be 88 assumed [RFC4012]. 90 The reader may find [INETNUM] and [INET6NUM] informative, and 91 certainly more verbose, descriptions of the inetnum: database 92 classes. 94 An optional, utterly awesome but slightly complex means for 95 authenticating geofeed data is also defined. 97 1.1. Requirements Language 99 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 100 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 101 "OPTIONAL" in this document are to be interpreted as described in BCP 102 14 [RFC2119] [RFC8174] when, and only when, they appear in all 103 capitals, as shown here. 105 2. Geofeed Files 107 Geofeed files are described in [RFC8805]. They provide a facility 108 for an IP address resource 'owner' to associate those IP addresses to 109 geographic locales. 111 Content providers and other parties who wish to locate an IP address 112 to a geographic locale need to find the relevant geofeed data. In 113 Section 3, this document specifies how to find the relevant [RFC8805] 114 geofeed file given an IP address. 116 Geofeed data for large providers with significant horizontal scale 117 and high granularity can be quite large. The size of a file can be 118 even larger if an unsigned geofeed file combines data for many 119 prefixes, dual IPv4/IPv6 spaces are represented, etc. 121 Geofeed data do have privacy considerations, see Section 6; and this 122 process makes bulk access to those data easier. 124 This document also suggests an optional signature to strongly 125 authenticate the data in the geofeed files. 127 3. inetnum: Class 129 The original RPSL specifications starting with [RIPE81], [RIPE181], 130 and a trail of subsequent documents were done by the RIPE community. 131 The IETF standardized RPSL in [RFC2622] and [RFC4012]. Since then, 132 it has been modified and extensively enhanced in the Regional 133 Internet Registry (RIR) community, mostly by RIPE, [RIPE-DB]. 134 Currently, change control effectively lies in the operator community. 136 The Routing Policy Specification Language (RPSL), and [RFC2725] and 137 [RFC4012] used by the Regional Internet Registries (RIRs) specifies 138 the inetnum: database class. Each of these objects describes an IP 139 address range and its attributes. The inetnum: objects form a 140 hierarchy ordered on the address space. 142 Ideally, RPSL would be augmented to define a new RPSL geofeed: 143 attribute in the inetnum: class. Until such time, this document 144 defines the syntax of a Geofeed remarks: attribute which contains an 145 HTTPS URL of a geofeed file. The format of the inetnum: geofeed 146 remarks: attribute MUST be as in this example, "remarks: Geofeed ", 147 where the token "Geofeed" MUST be case-sensitive, followed by a URL 148 which will vary, but MUST refer only to a single [RFC8805] geofeed 149 file. 151 inetnum: 192.0.2.0/24 # example 152 remarks: Geofeed https://example.com/geofeed.csv 154 While we leave global agreement of RPSL modification to the relevant 155 parties, we specify that a proper geofeed: attribute in the inetnum: 156 class MUST be "geofeed: ", and MUST be followed by a single URL which 157 will vary, but MUST refer only to a single [RFC8805] geofeed file. 159 inetnum: 192.0.2.0/24 # example 160 geofeed: https://example.com/geofeed.csv 162 Registries MAY, for the interim, provide a mix of the remarks: 163 attribute form and the geofeed: attribute form. 165 The URL uses HTTPS, so the WebPKI provides authentication, integrity, 166 and confidentiality for the fetched geofeed file. However, the 167 WebPKI can not provide authentication of IP address space assignment. 168 In contrast, the Resource Public Key Infrastructure (RPKI, see 169 [RFC6481]) can be used to authenticate IP space assignment; see 170 optional authentication in Section 4. 172 Until all producers of inetnum:s, i.e. the RIRs, state that they have 173 migrated to supporting a geofeed: attribute, consumers looking at 174 inetnum:s to find geofeed URLs MUST be able to consume both the 175 remarks: and geofeed: forms. The migration not only implies that the 176 RIRs support the geofeed: attribute, but that all registrants have 177 migrated any inetnum:s from remarks: use to geofeed:s. 179 Any particular inetnum: object MUST have at most, one geofeed 180 reference, whether a remarks: or a proper geofeed: attribute when it 181 is implemented. If there is more than one, all are ignored. 183 If a geofeed CSV file describes multiple disjoint ranges of IP 184 address space, there are likely to be geofeed references from 185 multiple inetnum: objects. Files with geofeed references from 186 multiple inetnum: objects are not compatible with the signing 187 procedure in Section 4. 189 When geofeed references are provided by multiple inetnum: objects 190 which have identical address ranges, then the geofeed reference on 191 the inetnum: with the most recent last-modified: attribute SHOULD be 192 preferred. 194 As inetnum: objects form a hierarchy, Geofeed references SHOULD be at 195 the lowest applicable inetnum: object covering the relevant address 196 ranges in the referenced geofeed file. When fetching, the most 197 specific inetnum: object with a geofeed reference MUST be used. 199 It is significant that geofeed data may have finer granularity than 200 the inetnum: which refers to them. For example an INETNUM object for 201 an address range P could refer to a geofeed file in which P has been 202 sub-divided into one or more longer prefixes. 204 Currently, the registry data published by ARIN is not the same RPSL 205 as that of the other registries (see [RFC7485] for a survey of the 206 whois Tower of Babel); therefore, when fetching from ARIN via FTP 207 [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the 208 "NetRange" attribute/key MUST be treated as "inetnum" and the 209 "Comment" attribute MUST be treated as "remarks". 211 4. Authenticating Geofeed Data 213 The question arises whether a particular [RFC8805] geofeed data set 214 is valid, i.e. is authorized by the 'owner' of the IP address space 215 and is authoritative in some sense. The inetnum: which points to the 216 [RFC8805] geofeed file provides some assurance. Unfortunately, the 217 RPSL in many repositories is weakly authenticated at best. An 218 approach where RPSL was signed a la [RFC7909] would be good, except 219 it would have to be deployed by all RPSL registries, and there is a 220 fair number of them. 222 A single optional authenticator MAY be appended to a [RFC8805] 223 geofeed file. It is a digest of the main body of the file signed by 224 the private key of the relevant RPKI certificate for a covering 225 address range. One needs a format that bundles the relevant RPKI 226 certificate with the signature of the geofeed text. 228 The canonicalization procedure converts the data from its internal 229 character representation to the UTF-8 [RFC3629] character encoding, 230 and the sequence MUST be used to denote the end of a line of 231 text. A blank line is represented solely by the sequence. 232 For robustness, any non-printable characters MUST NOT be changed by 233 canonicalization. Trailing blank lines MUST NOT appear at the end of 234 the file. That is, the file must not end with multiple consecutive 235 sequences. Any end-of-file marker used by an operating system 236 is not considered to be part of the file content. When present, such 237 end-of-file markers MUST NOT be processed by the digital signature 238 algorithm. 240 Should the authenticator be syntactically incorrect per the above, 241 the authenticator is invalid. 243 Borrowing detached signatures from [RFC5485], after file 244 canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652] 245 would be used to create a detached DER encoded signature which is 246 then padded BASE64 encoded (as per [RFC4648] Section 4), and line 247 wrapped to 72 or fewer characters. The same digest algorithm MUST be 248 used for calculating the message digest on content being signed, 249 which is the geofeed file, and calculating the message digest on the 250 SignerInfo SignedAttributes [RFC8933]. The message digest algorithm 251 identifier MUST appear in both the SigenedData 252 DigestAlgorithmIdentifiers and the SignerInfo 253 DigestAlgorithmIdentifier [RFC5652]. 255 The address range of the signing certificate MUST cover all prefixes 256 in the geofeed file it signs. 258 An address range A 'covers' address range B if the range of B is 259 identical to or a subset of A. 'Address range' is used here because 260 inetnum: objects and RPKI certificates need not align on CIDR prefix 261 boundaries, while those of the CSV lines in a geofeed file do. 263 As the signer specifies the covered RPKI resources relevant to the 264 signature, the RPKI certificate covering the inetnum: object's 265 address range is included in the [RFC5652] CMS SignedData 266 certificates field. 268 Identifying the private key associated with the certificate, and 269 getting the department that controls the private key (which might be 270 trapped in a Hardware Security Module, HSM) to sign the CMS blob is 271 left as an exercise for the implementor. On the other hand, 272 verifying the signature requires no complexity; the certificate, 273 which can be validated in the public RPKI, has the needed public key. 274 The trust anchors for the RIRs are expected to already be available 275 to the party performing signature validation. Validation of the CMS 276 signature on the geofeed file involves: 278 1. Obtain the signer's certificate from the CMS SignedData 279 CertificateSet [RFC5652]. The certificate SubjectKeyIdentifier 280 extension [RFC5280] MUST match the SubjectKeyIdentifier in the 281 CMS SignerInfo SignerIdentifier [RFC5652]. If the key 282 identifiers do not match, then validation MUST fail. 284 2. Construct the certification path for the signer's certificate. 285 All of the needed certificates are expected to be readily 286 available in the RPKI Repository. The certification path MUST be 287 valid according to the validation algorithm in [RFC5280] and the 288 additional checks specified in [RFC3779] associated with the IP 289 Address Delegation certificate extension and the Autonomous 290 System Identifier Delegation certificate extension. If 291 certification path validation is unsuccessful, then validation 292 MUST fail. 294 3. Validate the CMS SignedData as specified in [RFC5652] using the 295 public key from the validated signer's certificate. If the 296 signature validation is unsuccessful, then validation MUST fail. 298 4. Verify that the IP Address Delegation certificate extension 299 [RFC3779] covers all of the address ranges of the geofeed file. 300 If all of the address ranges are not covered, then validation 301 MUST fail. 303 5. Validation of the signer's certificate MUST ensure that it is 304 part of the current [RFC6486] manifest and that the resources are 305 covered by the RPKI certificate. 307 All of these steps MUST be successful to consider the geofeed file 308 signature as valid. 310 As the signer specifies the covered RPKI resources relevant to the 311 signature, the RPKI certificate covering the inetnum: object's 312 address range is included in the [RFC5652] CMS SignedData 313 certificates field. 315 Identifying the private key associated with the certificate, and 316 getting the department with the Hardware Security Module (HSM) to 317 sign the CMS blob is left as an exercise for the implementor. On the 318 other hand, verifying the signature requires no complexity; the 319 certificate, which can be validated in the public RPKI, has the 320 needed public key. 322 The appendix MUST be 'hidden' as a series of "#" comments at the end 323 of the geofeed file. The following is a cryptographically incorrect, 324 albeit simple example. A correct and full example is in Appendix A. 326 # RPKI Signature: 192.0.2.0 - 192.0.2.255 327 # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ 328 # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu 329 ... 330 # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa 331 # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk= 332 # End Signature: 192.0.2.0 - 192.0.2.255 334 The signature does not cover the signature lines. 336 The bracketing "# RPKI Signature:" and "# End Signature:" MUST be 337 present following the model as shown. Their IP address range MUST 338 match that of the inetnum: URL followed to the file. 340 [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a 341 Cryptographic Message Syntax (CMS) profile for a general purpose 342 listing of checksums (a 'checklist'), for use with the Resource 343 Public Key Infrastructure (RPKI). It provides usable, albeit 344 complex, code to sign geofeed files. 346 [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax 347 (CMS) profile for a general purpose Resource Tagged Attestation (RTA) 348 based on the RPKI. While this is expected to become applicable in 349 the long run, for the purposes of this document, a self-signed root 350 trust anchor is used. 352 5. Operational Considerations 354 To create the needed inetnum: objects, an operator wishing to 355 register the location of their geofeed file needs to coordinate with 356 their RIR/NIR and/or any provider LIR which has assigned address 357 ranges to them. RIRs/NIRs provide means for assignees to create and 358 maintain inetnum: objects. They also provide means of 359 [sub-]assigning IP address resources and allowing the assignee to 360 create whois data, including inetnum: objects, and thereby referring 361 to geofeed files. 363 The geofeed files MUST be published via and fetched using HTTPS 364 [RFC2818]. 366 When using data from a geofeed file, one MUST ignore data outside the 367 referring inetnum: object's inetnum: attribute address range. 369 If and only if the geofeed file is not signed per Section 4, then 370 multiple inetnum: objects MAY refer to the same geofeed file, and the 371 consumer MUST use only lines in the geofeed file where the prefix is 372 covered by the address range of the inetnum: object's URL it has 373 followed. 375 If the geofeed file is signed, and the signer's certificate changes, 376 the signature in the geofeed file MUST be updated. 378 It is good key hygiene to use a given key for only one purpose. To 379 dedicate a signing private key for signing a geofeed file, an RPKI CA 380 may issue a subordinate certificate exclusively for the purpose as 381 shown in Appendix A. 383 To minimize the load on RIR whois [RFC3912] services, use of the 384 RIR's FTP [RFC0959] services SHOULD be used for large scale access to 385 gather geofeed URLs. This also provides bulk access instead of 386 fetching by brute force search through the IP space. 388 Currently, geolocation providers have bulk whois data access at all 389 the RIRs. An anonymized version of such data is openly available for 390 all RIRs except ARIN, which requires an authorization. However, for 391 users without such authorization, the same result can be achieved 392 with extra RDAP effort. There is open source code to pass over such 393 data across all RIRs, collect all geofeed references, and process 394 them [geofeed-finder]. 396 To prevent undue load on RPSL and geofeed servers, an entity fetching 397 geofeed data using these mechanisms MUST NOT do frequent real-time 398 look-ups. [RFC8805] Section 3.4 suggests use of the [RFC7234] HTTP 399 Expires Caching Header to signal when geofeed data should be 400 refetched. As the data change very infrequently, in the absence of 401 such an HTTP Header signal, collectors SHOULD NOT fetch more 402 frequently than weekly. It would be polite not to fetch at magic 403 times such as midnight UTC, the first of the month, etc., because too 404 many others are likely to do the same. 406 6. Privacy Considerations 408 [RFC8805] geofeed data may reveal the approximate location of an IP 409 address, which might in turn reveal the approximate location of an 410 individual user. Unfortunately, [RFC8805] provides no privacy 411 guidance on avoiding or ameliorating possible damage due to this 412 exposure of the user. In publishing pointers to geofeed files as 413 described in this document, the operator should be aware of this 414 exposure in geofeed data and be cautious. All the privacy 415 considerations of [RFC8805] Section 4 apply to this document. 417 Where [RFC8805] provided the ability to publish location data, this 418 document makes bulk access to those data readily available. This is 419 a goal, not an accident. 421 7. Security Considerations 423 It is generally prudent for a consumer of geofeed data to also use 424 other sources to cross-validate the data. All the Security 425 Considerations of [RFC8805] apply here as well. 427 As mentioned in Section 4, many RPSL repositories have weak if any 428 authentication. This allows spoofing of inetnum: objects pointing to 429 malicious geofeed files. Section 4 suggests an unfortunately complex 430 method for stronger authentication based on the RPKI. 432 For example, if an inetnum: for a wide address range (e.g. a /16) 433 points to an RPKI-signed geofeed file, a customer or attacker could 434 publish an unsigned equal or narrower (e.g. a /24) inetnum: in a 435 whois registry which has weak authorization, abusing the rule that 436 the most-specific inetnum: object with a geofeed reference MUST be 437 used. 439 If signatures were mandatory, the above attack would be stymied. But 440 of course that is not happening anytime soon. 442 The RPSL providers have had to throttle fetching from their servers 443 due to too-frequent queries. Usually they throttle by the querying 444 IP address or block. Similar defenses will likely need to be 445 deployed by geofeed file servers. 447 8. IANA Considerations 449 IANA is asked to register object identifiers for one content type in 450 the "SMI Security for S/MIME CMS Content Type 451 (1.2.840.113549.1.9.16.1)" registry as follows: 453 Description OID Specification 454 ----------------------------------------------------------------- 455 id-ct-geofeedCSVwithCRLF 1.2.840.113549.1.9.16.1.47 [RFC-TBD] 457 9. Acknowledgments 459 Thanks to Rob Austein for CMS and detached signature clue. George 460 Michaelson for the first and substantial external review, Erik Kline 461 who was too shy to agree to co-authorship. Additionally, we express 462 our gratitude to early implementors, including Menno Schepers, Flavio 463 Luciani, Eric Dugas, Job Snijders who provided running code, and 464 Kevin Pack. Also, to geolocation providers that are consuming 465 geofeeds with this described solution, Jonathan Kosgei (ipdata.co), 466 Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com). For 467 an amazing number of helpful reviews we thank Adrian Farrel, Antonio 468 Prado, Francesca Palombini, Jean-Michel Combes (INTDIR), John 469 Scudder, Kyle Rose (SECDIR), Martin Duke, Murray Kucherawy, Paul 470 Kyzivat (GENART), Rob Wilton, and Roman Danyliw. The authors also 471 thank George Michaelson, the awesome document shepherd. 473 10. References 475 10.1. Normative References 477 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 478 Requirement Levels", BCP 14, RFC 2119, 479 DOI 10.17487/RFC2119, March 1997, 480 . 482 [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D., 483 Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra, 484 "Routing Policy Specification Language (RPSL)", RFC 2622, 485 DOI 10.17487/RFC2622, June 1999, 486 . 488 [RFC2725] Villamizar, C., Alaettinoglu, C., Meyer, D., and S. 489 Murphy, "Routing Policy System Security", RFC 2725, 490 DOI 10.17487/RFC2725, December 1999, 491 . 493 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 494 DOI 10.17487/RFC2818, May 2000, 495 . 497 [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO 498 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 499 2003, . 501 [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP 502 Addresses and AS Identifiers", RFC 3779, 503 DOI 10.17487/RFC3779, June 2004, 504 . 506 [RFC4012] Blunk, L., Damas, J., Parent, F., and A. Robachevsky, 507 "Routing Policy Specification Language next generation 508 (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005, 509 . 511 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 512 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 513 . 515 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 516 Housley, R., and W. Polk, "Internet X.509 Public Key 517 Infrastructure Certificate and Certificate Revocation List 518 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 519 . 521 [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, 522 RFC 5652, DOI 10.17487/RFC5652, September 2009, 523 . 525 [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for 526 Resource Certificate Repository Structure", RFC 6481, 527 DOI 10.17487/RFC6481, February 2012, 528 . 530 [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, 531 "Manifests for the Resource Public Key Infrastructure 532 (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012, 533 . 535 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 536 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 537 May 2017, . 539 [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W. 540 Kumari, "A Format for Self-Published IP Geolocation 541 Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020, 542 . 544 [RFC8933] Housley, R., "Update to the Cryptographic Message Syntax 545 (CMS) for Algorithm Identifier Protection", RFC 8933, 546 DOI 10.17487/RFC8933, October 2020, 547 . 549 10.2. Informative References 551 [geofeed-finder] 552 Massimo Candela, "geofeed-finder", 553 . 555 [I-D.ietf-sidrops-rpki-rta] 556 Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels, 557 T., and M. Hoffmann, "A profile for Resource Tagged 558 Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work 559 in progress), January 2021. 561 [I-D.spaghetti-sidrops-rpki-rsc] 562 Snijders, J., "RPKI Signed Checklists", draft-spaghetti- 563 sidrops-rpki-rsc-03 (work in progress), February 2021. 565 [INET6NUM] 566 RIPE, "Description of the INET6NUM Object", 567 . 572 [INETNUM] RIPE, "Description of the INETNUM Object", 573 . 578 [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol", 579 STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985, 580 . 582 [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912, 583 DOI 10.17487/RFC3912, September 2004, 584 . 586 [RFC5485] Housley, R., "Digital Signatures on Internet-Draft 587 Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009, 588 . 590 [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 591 Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching", 592 RFC 7234, DOI 10.17487/RFC7234, June 2014, 593 . 595 [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access 596 Protocol (RDAP) Query Format", RFC 7482, 597 DOI 10.17487/RFC7482, March 2015, 598 . 600 [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin, 601 "Inventory and Analysis of WHOIS Registration Objects", 602 RFC 7485, DOI 10.17487/RFC7485, March 2015, 603 . 605 [RFC7909] Kisteleki, R. and B. Haberman, "Securing Routing Policy 606 Specification Language (RPSL) Objects with Resource Public 607 Key Infrastructure (RPKI) Signatures", RFC 7909, 608 DOI 10.17487/RFC7909, June 2016, 609 . 611 [RIPE-DB] RIPE, "RIPE Database Documentation", 612 . 616 [RIPE181] RIPE, "Representation Of IP Routing Policies In A Routing 617 Registry", 618 . 620 [RIPE81] RIPE, "Representation Of IP Routing Policies In The RIPE 621 Database", 622 . 624 Appendix A. Example 626 This appendix provides an example, including a trust anchor, a CA 627 certificate subordinate to the trust anchor, an end-entity 628 certificate subordinate to the CA for signing the geofeed, and a 629 detached signature. 631 The trust anchor is represented by a self-signed certificate. As 632 usual in the RPKI, the trust anchor has authority over all IPv4 633 address blocks, all IPv6 address blocks, and all AS numbers. 635 -----BEGIN CERTIFICATE----- 636 MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL 637 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5 638 MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB 639 AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ 640 0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH 641 XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe 642 g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb 643 O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq 644 jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd 645 BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU 646 GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw 647 GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI 648 KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4 649 YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u 650 ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4 651 YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD 652 AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN 653 BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe 654 xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH 655 cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM 656 Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA 657 rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a 658 x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA== 659 -----END CERTIFICATE----- 661 The CA certificate is issued by the trust anchor. This certificate 662 grants authority over one IPv4 address block (192.0.2.0/24) and two 663 AS numbers (64496 and 64497). 665 -----BEGIN CERTIFICATE----- 666 MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL 667 BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5 668 MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG 669 QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc 670 zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7 671 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo 672 j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ 673 liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n 674 YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE 675 TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R 676 4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD 677 VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr 678 BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u 679 ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz 680 Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v 681 cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr 682 BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu 683 bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz 684 Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF 685 hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH 686 AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA 687 +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0 688 Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm 689 cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09 690 mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq 691 V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY 692 yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w== 693 -----END CERTIFICATE----- 695 The end-entity certificate is issued by the CA. This certificate 696 grants signature authority for one IPv4 address block (192.0.2.0/24). 697 Signature authority for AS numbers is not needed for geofeed data 698 signatures, so no AS numbers are included in the certificate. 700 -----BEGIN CERTIFICATE----- 701 MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL 702 BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC 703 Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV 704 BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi 705 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW 706 yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c 707 K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm 708 BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp 709 tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog 710 qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB 711 AAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j 712 BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B 713 Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag 714 VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF 715 RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB 716 AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv 717 c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu 718 Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1 719 BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv 720 bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN 721 07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz 722 ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP 723 5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD 724 nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc 725 /tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU= 726 -----END CERTIFICATE----- 728 The end-entity certificate is displayed below in detail. For 729 brevity, the other two certificates are not. 731 0 1189: SEQUENCE { 732 4 909: SEQUENCE { 733 8 3: [0] { 734 10 1: INTEGER 2 735 : } 736 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4 737 35 13: SEQUENCE { 738 37 9: OBJECT IDENTIFIER 739 : sha256WithRSAEncryption (1 2 840 113549 1 1 11) 740 48 0: NULL 741 : } 742 50 51: SEQUENCE { 743 52 49: SET { 744 54 47: SEQUENCE { 745 56 3: OBJECT IDENTIFIER commonName (2 5 4 3) 746 61 40: PrintableString 747 : '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642' 748 : } 749 : } 750 : } 751 103 30: SEQUENCE { 752 105 13: UTCTime 20/05/2021 16:05:45 GMT 753 120 13: UTCTime 16/03/2022 16:05:45 GMT 754 : } 755 135 51: SEQUENCE { 756 137 49: SET { 757 139 47: SEQUENCE { 758 141 3: OBJECT IDENTIFIER commonName (2 5 4 3) 759 146 40: PrintableString 760 : '914652A3BD51C144260198889F5C45ABF053A187' 761 : } 762 : } 763 : } 764 188 290: SEQUENCE { 765 192 13: SEQUENCE { 766 194 9: OBJECT IDENTIFIER rsaEncryption 767 : (1 2 840 113549 1 1 1) 768 205 0: NULL 769 : } 770 207 271: BIT STRING, encapsulates { 771 212 266: SEQUENCE { 772 216 257: INTEGER 773 : 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8 774 : 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65 775 : B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE 776 : 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13 777 : 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37 778 : 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE 779 : E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED 780 : 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89 781 : F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E 782 : 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19 783 : BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65 784 : 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28 785 : 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9 786 : 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A 787 : 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41 788 : FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C 789 : EB 790 477 3: INTEGER 65537 791 : } 792 : } 793 : } 794 482 431: [3] { 795 486 427: SEQUENCE { 796 490 29: SEQUENCE { 797 492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14) 798 497 22: OCTET STRING, encapsulates { 799 499 20: OCTET STRING 800 : 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB 801 : F0 53 A1 87 802 : } 803 : } 804 521 31: SEQUENCE { 805 523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35) 806 528 24: OCTET STRING, encapsulates { 807 530 22: SEQUENCE { 808 532 20: [0] 809 : 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97 810 : B3 77 86 42 811 : } 812 : } 813 : } 814 554 12: SEQUENCE { 815 556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 816 561 1: BOOLEAN TRUE 817 564 2: OCTET STRING, encapsulates { 818 566 0: SEQUENCE {} 819 : } 820 : } 821 568 14: SEQUENCE { 822 570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 823 575 1: BOOLEAN TRUE 824 578 4: OCTET STRING, encapsulates { 825 580 2: BIT STRING 7 unused bits 826 : '1'B (bit 0) 827 : } 828 : } 829 584 24: SEQUENCE { 830 586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32) 831 591 1: BOOLEAN TRUE 832 594 14: OCTET STRING, encapsulates { 833 596 12: SEQUENCE { 834 598 10: SEQUENCE { 835 600 8: OBJECT IDENTIFIER 836 : resourceCertificatePolicy (1 3 6 1 5 5 7 14 2) 837 : } 838 : } 839 : } 840 : } 841 610 97: SEQUENCE { 842 612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31) 843 617 90: OCTET STRING, encapsulates { 844 619 88: SEQUENCE { 845 621 86: SEQUENCE { 846 623 84: [0] { 847 625 82: [0] { 848 627 80: [6] 849 : 'rsync://rpki.example.net/repository/3ACE2CEF4F' 850 : 'B21B7D11E3E184EFC1E297B3778642.crl' 851 : } 852 : } 853 : } 854 : } 855 : } 856 : } 857 709 108: SEQUENCE { 858 711 8: OBJECT IDENTIFIER authorityInfoAccess 859 : (1 3 6 1 5 5 7 1 1) 860 721 96: OCTET STRING, encapsulates { 861 723 94: SEQUENCE { 862 725 92: SEQUENCE { 863 727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2) 864 737 80: [6] 865 : 'rsync://rpki.example.net/repository/3ACE2CEF4F' 866 : 'B21B7D11E3E184EFC1E297B3778642.cer' 867 : } 868 : } 869 : } 870 : } 871 819 25: SEQUENCE { 872 821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7) 873 831 1: BOOLEAN TRUE 874 834 10: OCTET STRING, encapsulates { 875 836 8: SEQUENCE { 876 838 6: SEQUENCE { 877 840 2: OCTET STRING 00 01 878 844 0: NULL 879 : } 880 : } 881 : } 882 : } 883 846 69: SEQUENCE { 884 848 8: OBJECT IDENTIFIER subjectInfoAccess 885 : (1 3 6 1 5 5 7 1 11) 886 858 57: OCTET STRING, encapsulates { 887 860 55: SEQUENCE { 888 862 53: SEQUENCE { 889 864 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13' 890 874 41: [6] 891 : 'https://rrdp.example.net/notification.xml' 892 : } 893 : } 894 : } 895 : } 896 : } 897 : } 898 : } 899 917 13: SEQUENCE { 900 919 9: OBJECT IDENTIFIER sha256WithRSAEncryption 901 : (1 2 840 113549 1 1 11) 902 930 0: NULL 903 : } 904 932 257: BIT STRING 905 : 48 C2 F7 C8 15 A7 43 1B EE E8 8A 68 7C A5 3F 4E 906 : 39 DE 6B 49 F8 09 0D D3 B7 EC 2B FA 86 C3 F7 BD 907 : D0 32 6F ED CA 75 86 F8 E3 E2 EC B7 B2 07 FB 3C 908 : 94 3B 70 A3 46 AE 0C 9B AB F9 44 D2 37 1E F8 04 909 : 60 56 36 E2 D8 1A F3 66 C5 80 9C 1F 38 E9 29 F0 910 : B2 4B 70 E9 C7 A7 6A 27 FA 03 0C 3A AB 4D 0D B2 911 : 90 1E A4 C0 5D D9 58 3F F6 C2 85 BC EC 09 15 53 912 : A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9 913 : D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96 914 : 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1 915 : 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55 916 : 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA 917 : B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86 918 : 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E 919 : E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44 920 : 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05 921 : } 923 To allow reproduction of the signature results, the end-entity 924 private key is provided. For brevity, the other two private keys are 925 not. 927 -----BEGIN RSA PRIVATE KEY----- 928 MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW 929 /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP 930 Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1 931 zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/ 932 eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm 933 gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo 934 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio 935 pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z 936 ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ 937 mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651 938 IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF 939 t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt 940 MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M 941 Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg 942 26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l 943 nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm 944 FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6 945 O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo 946 Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz 947 vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc 948 DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf 949 taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc 950 PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ 951 E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV 952 iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y= 953 -----END RSA PRIVATE KEY----- 955 Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF), 956 yields the following detached CMS signature. 958 # RPKI Signature: 192.0.2.0 - 192.0.2.255 959 # MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ 960 # IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu 961 # QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR 962 # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx 963 # NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM 964 # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT 965 # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg 966 # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm 967 # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha 968 # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG 969 # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ 970 # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71R 971 # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI 972 # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg 973 # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ 974 # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5 975 # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5 976 # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0 977 # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMBkGCCsGAQUFBwEHAQH/BAowC 978 # DAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1BggrBgEFBQcwDYYpaHR0cHM6Ly9y 979 # cmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQA 980 # DggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN07fsK/qGw/e90DJv7cp1hvjj4u 981 # y3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2BrzZsWAnB846Snwsktw6cenaif6A 982 # ww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP5rGJPWBcOMv52a/7adjfXwpn 983 # OijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xDnlpp+/r9xuNVYRtRcC36oWr 984 # aVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc/tiJLM7ZYxIe5IrYz1ZtN6 985 # n/SEssJAswRIgps2EhCt/HS2xAmGCOhgUxggGqMIIBpgIBA4AUkUZSo71RwUQmA 986 # ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3 987 # DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE 988 # JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w 989 # 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA 990 # Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M 991 # o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM 992 # 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7 993 # YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi 994 # S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na 995 # End Signature: 192.0.2.0 - 192.0.2.255 997 Authors' Addresses 999 Randy Bush 1000 IIJ & Arrcus 1001 5147 Crystal Springs 1002 Bainbridge Island, Washington 98110 1003 United States of America 1005 Email: randy@psg.com 1006 Massimo Candela 1007 NTT 1008 Siriusdreef 70-72 1009 Hoofddorp 2132 WT 1010 Netherlands 1012 Email: massimo@ntt.net 1014 Warren Kumari 1015 Google 1016 1600 Amphitheatre Parkway 1017 Mountain View, CA 94043 1018 US 1020 Email: warren@kumari.net 1022 Russ Housley 1023 Vigil Security, LLC 1024 516 Dranesville Road 1025 Herndon, VA 20170 1026 USA 1028 Email: housley@vigilsec.com