idnits 2.17.1 

draft-ietf-opsawg-finding-geofeeds-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The document has examples using IPv4 documentation addresses according
     to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
     there should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (February 19, 2021) is 1163 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC-TBD' is mentioned on line 319, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 651

  -- Looks like a reference, but probably isn't: '3' on line 598

  -- Looks like a reference, but probably isn't: '6' on line 698

  ** Downref: Normative reference to an Informational RFC: RFC 5485

  ** Downref: Normative reference to an Informational RFC: RFC 8805

  == Outdated reference: A later version (-03) exists of
     draft-spaghetti-sidrops-rpki-rsc-02

  -- Obsolete informational reference (is this intentional?): RFC 7234
     (Obsoleted by RFC 9111)

  -- Obsolete informational reference (is this intentional?): RFC 7482
     (Obsoleted by RFC 9082)


     Summary: 2 errors (**), 0 flaws (~~), 3 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            R. Bush
3	Internet-Draft                                              IIJ & Arrcus
4	Intended status: Standards Track                              M. Candela
5	Expires: August 23, 2021                                             NTT
6	                                                               W. Kumari
7	                                                                  Google
8	                                                              R. Housley
9	                                                          Vigil Security
10	                                                       February 19, 2021

12	                     Finding and Using Geofeed Data
13	                 draft-ietf-opsawg-finding-geofeeds-04

15	Abstract

17	   This document describes how to find and authenticate geofeed data.

19	Status of This Memo

21	   This Internet-Draft is submitted in full conformance with the
22	   provisions of BCP 78 and BCP 79.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF).  Note that other groups may also distribute
26	   working documents as Internet-Drafts.  The list of current Internet-
27	   Drafts is at https://datatracker.ietf.org/drafts/current/.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   This Internet-Draft will expire on August 23, 2021.

36	Copyright Notice

38	   Copyright (c) 2021 IETF Trust and the persons identified as the
39	   document authors.  All rights reserved.

41	   This document is subject to BCP 78 and the IETF Trust's Legal
42	   Provisions Relating to IETF Documents
43	   (https://trustee.ietf.org/license-info) in effect on the date of
44	   publication of this document.  Please review these documents
45	   carefully, as they describe your rights and restrictions with respect
46	   to this document.  Code Components extracted from this document must
47	   include Simplified BSD License text as described in Section 4.e of
48	   the Trust Legal Provisions and are provided without warranty as
49	   described in the Simplified BSD License.

51	Table of Contents

53	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
54	     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
55	   2.  Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . .   3
56	   3.  inetnum: Class  . . . . . . . . . . . . . . . . . . . . . . .   3
57	   4.  Authenticating Geofeed Data . . . . . . . . . . . . . . . . .   4
58	   5.  Operational Considerations  . . . . . . . . . . . . . . . . .   6
59	   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
60	   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
61	   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   7
62	   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
63	     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
64	     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
65	   Appendix A.  Example  . . . . . . . . . . . . . . . . . . . . . .  10
66	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18

68	1.  Introduction

70	   Providers of Internet content and other services may wish to
71	   customize those services based on the geographic location of the user
72	   of the service.  This is often done using the source IP address used
73	   to contact the service.  Also, infrastructure and other services
74	   might wish to publish the locale of their services.  [RFC8805]
75	   defines geofeed, a syntax to associate geographic locales with IP
76	   addresses.  But it does not specify how to find the relevant geofeed
77	   data given an IP address.

79	   This document specifies how to augment the Routing Policy
80	   Specification Language (RPSL) [RFC4012] inetnum: class [RFC2725] and
81	   [INETNUM] to refer to geofeed data, and how to prudently use them.
82	   In all places inetnum: is used, inet6num: should also be assumed
83	   [RFC4012] and [INET6NUM].

85	   An optional, but utterly awesome, means for authenticating geofeed
86	   data is also defined.

88	1.1.  Requirements Language

90	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
91	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
92	   "OPTIONAL" in this document are to be interpreted as described in BCP
93	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
94	   capitals, as shown here.

96	2.  Geofeed Files

98	   Geofeed files are described in [RFC8805].  They provide a facility
99	   for an IP address resource 'owner' to associate those IP addresses to
100	   geographic locale(s).

102	   Content providers and other parties who wish to locate an IP address
103	   to a geographic locale need to find the relevant geofeed data.  In
104	   Section 3 this document specifies how to find the relevant geofeed
105	   file given an IP address.

107	   Geofeed data for large providers with significant horizontal scale
108	   and high granularity can be quite large.  The size of a file can be
109	   even larger if an unsigned geofeed file combines data for many
110	   prefixes, as may be likely if the location data are maintained by a
111	   different department than address management, dual IPv4/IPv6 spaces
112	   are represented, etc.

114	   [RFC8805] geofeed data may reveal the approximate location of an IP
115	   address, which might in turn reveal the approximate location of an
116	   individual user.  Unfortunately, [RFC8805] provides no privacy
117	   guidance on avoiding or ameliorating possible damage due to this
118	   exposure of the user.  In publishing pointers to geofeed files as
119	   described in this document the operator should be aware of this
120	   exposure in geofeed data and be cautious.  All the privacy
121	   considerations of [RFC8805] Section 4 apply to this document.

123	   This document also suggests optional data for geofeed files to
124	   provide stronger authenticity to the data.

126	3.  inetnum: Class

128	   RPSL, [RFC4012], as used by the Regional Internet Registries (RIRs),
129	   has been augmented with the inetnum: [INETNUM] and the inet6num:
130	   [INET6NUM] classes; each of which describes an IP address range and
131	   its attributes.

133	   Ideally, RPSL would be augmented to define a new RPSL geofeed:
134	   attribute in the inetnum: class.  Until such time, this document
135	   defines the syntax of a Geofeed remarks: attribute which contains an
136	   HTTPS URL of a geofeed file.  The format MUST be as in this example,
137	   "remarks: Geofeed " followed by a URL which will vary.

139	       inetnum: 192.0.2.0/24 # example
140	       remarks: Geofeed https://example.com/geofeed.csv

142	   While we leave global agreement of RPSL modification to the relevant
143	   parties, we suggest that a proper geofeed: attribute in the inetnum:
144	   class be simply "geofeed: " followed by a URL which will vary.

146	       inetnum: 192.0.2.0/24 # example
147	       geofeed: https://example.com/geofeed.csv

149	   Until all producers of inetnum:s, i.e. the RIRs, state that they have
150	   migrated to supporting a geofeed: attribute, consumers looking at
151	   inetnum:s to find geofeed URLs MUST be able to consume both the
152	   remarks: and geofeed: forms.  This not only implies that the RIRs
153	   support the geofeed: attribute, but that all registrants have
154	   migrated any inetnum:s from remarks: use to geofeed:s.

156	   Any particular inetnum: object MAY have, at most, one geofeed
157	   reference, whether a remarks: or a proper geofeed: attribute when one
158	   is defined.

160	   inetnum: objects form a hierarchy, see [INETNUM] Section 4.2.4.1,
161	   Hierarchy of INETNUM Objects.  Geofeed references SHOULD be at the
162	   lowest applicable inetnum: object.  When fetching, the most specific
163	   inetnum: object with a geofeed reference MUST be used.

165	   When geofeed references are provided by multiple inetnum: objects
166	   which have identical address ranges, then the geofeed reference on
167	   the inetnum: with the most recent last-modified: attribute SHOULD be
168	   preferred.

170	   It is significant that geofeed data may have finer granularity than
171	   the inetnum: which refers to them.

173	   Currently, the registry data published by ARIN is not the same RPSL
174	   as the other registries; therefore, when fetching from ARIN via FTP
175	   [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the
176	   "NetRange" attribute/key must be treated as "inetnum" and the
177	   "Comment" attribute must be treated as "remarks".

179	4.  Authenticating Geofeed Data

181	   The question arises of whether a particular geofeed data set is
182	   valid, i.e. authorized by the 'owner' of the IP address space and is
183	   authoritative in some sense.  The inetnum: which points to the
184	   geofeed file provides some assurance.  Unfortunately the RPSL in many
185	   repositories is weakly authenticated at best.  An approach where RPSL
186	   was signed a la [RFC7909] would be good, except it would have to be
187	   deployed by all RPSL registries, and there is a fair number of them.

189	   An optional authenticator MAY be appended to a geofeed file.  It
190	   would be essentially a digest of the main body of the file signed by
191	   the private key of the relevant RPKI certificate for the covering
192	   address range.  One needs a format that bundles the relevant RPKI
193	   certificate with the signature and the digest of the geofeed text.

195	   Borrowing detached signatures from [RFC5485], after text file
196	   canonicalization (Sec 2.2), the Cryptographic Message Syntax (CMS)
197	   [RFC5652] would be used to create a detached DER encoded signature
198	   which is then BASE64 encoded and line wrapped to 72 or fewer
199	   characters.

201	   Both the address ranges of the signing certificate and of the
202	   inetnum: MUST cover all prefixes in the geofeed file; and the address
203	   range of the signing certificate must cover that of the inetnum:.

205	   An address range A 'covers' address range B if the range of B is
206	   identical to or a subset of A.  'Address range' is used here because
207	   inetnum: objects and RPKI certificates need not align on CIDR prefix
208	   boundaries, while those of geofeed lines must.

210	   As the signer would need to specify the covered RPKI resources
211	   relevant to the signature, the RPKI certificate covering the inetnum:
212	   object's address range would be included in the [RFC5652] CMS
213	   SignedData certificates field.

215	   Identifying the private key associated with the certificate, and
216	   getting the department with the HSM to sign the CMS blob is left as
217	   an exercise for the implementor.  On the other hand, verifying the
218	   signature requires no complexity; the certificate, which can be
219	   validated in the public RPKI, has the needed public key.

221	   Until [RFC8805] is updated to formally define such an appendix, it
222	   MUST be 'hidden' as a series of "#" comments at the end of the
223	   geofeed file.  This is a cryptographically incorrect, albeit simple
224	   example.  A correct and full example is in Appendix A.

226	       # RPKI Signature: 192.0.2.0/24
227	       # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
228	       # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
229	       ...
230	       # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
231	       # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
232	       # End Signature: 192.0.2.0/24

234	   [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a
235	   Cryptographic Message Syntax (CMS) profile for a general purpose
236	   listing of checksums (a 'checklist'), for use with the Resource
237	   Public Key Infrastructure (RPKI).  It provides usable, albeit
238	   complex, code to sign geofeed files.

240	   [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax
241	   (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
242	   based on the RPKI.  While this is expected to become applicable in
243	   the long run, for the purposes of this document, a self-signed root
244	   trust anchor is used.

246	5.  Operational Considerations

248	   To create the needed inetnum: objects, an operator wishing to
249	   register the location of their geofeed file needs to coordinate with
250	   their RIR/NIR and/or any provider LIR which has assigned prefixes to
251	   them.  RIRs/NIRs provide means for assignees to create and maintain
252	   inetnum: objects.  They also provide means of [sub-]assigning IP
253	   address resources and allowing the assignee to create whois data,
254	   including inetnum: objects, and thereby referring to geofeed files.

256	   The geofeed files SHOULD be published over and fetched using https
257	   [RFC8446].

259	   When using data from a geofeed file, one MUST ignore data outside of
260	   the referring inetnum: object's inetnum: attribute address range.

262	   Iff the geofeed file is not signed per Section 4, then multiple
263	   inetnum: objects MAY refer to the same geofeed file, and the consumer
264	   MUST use only geofeed lines where the prefix is covered by the
265	   address range of the inetnum: object they have followed.

267	   To minimize the load on RIR whois [RFC3912] services, use of the
268	   RIR's FTP [RFC0959] services SHOULD be the preferred access.  This
269	   also provides bulk access instead of fetching with a tweezers.

271	   Currently, geolocation providers have bulk whois data access at all
272	   the RIRs.  An anonymized version of such data is openly available for
273	   all RIRs except ARIN, which requires an authorization.  However, for
274	   users without such authorization the same result can be achieved with
275	   extra RDAP effort.  There is open source code to pass over such data
276	   across all RIRs, collect all geofeed references, and process them
277	   [geofeed-finder].

279	   An entity fetching geofeed data using these mechanisms MUST NOT do
280	   frequent real-time look-ups to prevent load on RPSL and geofeed
281	   servers.  [RFC8805] Section 3.4 suggests use of the [RFC7234] HTTP
282	   Expires Caching Header to signal when geofeed data should be
283	   refetched.  As the data change very infrequently, in the absence of
284	   such an HTTP Header signal, collectors MUST NOT fetch more frequently
285	   than weekly.  It would be wise not to fetch at magic times such as
286	   midnight UTC, the first of the month, etc., because too many others
287	   are likely to do the same.

289	6.  Security Considerations

291	   It would be generally prudent for a consumer of geofeed data to also
292	   use other sources to cross-validate the data.  All of the Security
293	   Considerations of [RFC8805] apply here as well.

295	   As mentioned in Section 4, many RPSL repositories have weak if any
296	   authentication.  This would allow spoofing of inetnum: objects
297	   pointing to malicious geofeed files.  Section 4 suggests an
298	   unfortunately complex method for stronger authentication based on the
299	   RPKI.

301	   If an inetnum: for a wide prefix (e.g. a /16) points to an RPKI-
302	   signed geofeed file, a customer or attacker could publish an unsigned
303	   equal or narrower (e.g. a /24) inetnum: in a whois registry which has
304	   weak authorization.

306	   The RPSL providers have had to throttle fetching from their servers
307	   due to too-frequent queries.  Usually they throttle by the querying
308	   IP address or block.  Similar defenses will likely need to be
309	   deployed by geofeed file servers.

311	7.  IANA Considerations

313	   IANA is asked to register object identifiers for one content type in
314	   the "SMI Security for S/MIME CMS Content Type
315	   (1.2.840.113549.1.9.16.1)" registry as follows:

317	   Description             OID                         Specification
318	   -----------------------------------------------------------------
319	   id-ct-geofeedCSVwithCRLF  1.2.840.113549.1.9.16.1.47  [RFC-TBD]

321	8.  Acknowledgments

323	   Thanks to Rob Austein for CMS and detached signature clue.  George
324	   Michaelson for the first, and a substantial, external review.  Erik
325	   Kline who was too shy to agree to co-authorship.  Additionally, we
326	   express our gratitude to early implementors, including Menno
327	   Schepers, Flavio Luciani, Eric Dugas, Job Snijders who provided
328	   running code, and Kevin Pack.  Also to geolocation providers that are
329	   consuming geofeeds with this described solution, Jonathan Kosgei
330	   (ipdata.co), Ben Dowling (ipinfo.io), and Pol Nisenblat
331	   (bigdatacloud.com).  For reviews, we thank Adrian Farrel, Antonio
332	   Prado, and George Michaelson, the document shepherd.

334	9.  References

336	9.1.  Normative References

338	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
339	              Requirement Levels", BCP 14, RFC 2119,
340	              DOI 10.17487/RFC2119, March 1997,
341	              <https://www.rfc-editor.org/info/rfc2119>.

343	   [RFC2725]  Villamizar, C., Alaettinoglu, C., Meyer, D., and S.
344	              Murphy, "Routing Policy System Security", RFC 2725,
345	              DOI 10.17487/RFC2725, December 1999,
346	              <https://www.rfc-editor.org/info/rfc2725>.

348	   [RFC4012]  Blunk, L., Damas, J., Parent, F., and A. Robachevsky,
349	              "Routing Policy Specification Language next generation
350	              (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005,
351	              <https://www.rfc-editor.org/info/rfc4012>.

353	   [RFC5485]  Housley, R., "Digital Signatures on Internet-Draft
354	              Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
355	              <https://www.rfc-editor.org/info/rfc5485>.

357	   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
358	              RFC 5652, DOI 10.17487/RFC5652, September 2009,
359	              <https://www.rfc-editor.org/info/rfc5652>.

361	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
362	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
363	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

365	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
366	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
367	              <https://www.rfc-editor.org/info/rfc8446>.

369	   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
370	              Kumari, "A Format for Self-Published IP Geolocation
371	              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
372	              <https://www.rfc-editor.org/info/rfc8805>.

374	9.2.  Informative References

376	   [geofeed-finder]
377	              Massimo Candela, "geofeed-finder",
378	              <https://github.com/massimocandela/geofeed-finder>.

380	   [I-D.ietf-sidrops-rpki-rta]
381	              Michaelson, G., Huston, G., Harrison, T., Bruijnzeels, T.,
382	              and M. Hoffmann, "A profile for Resource Tagged
383	              Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work
384	              in progress), January 2021.

386	   [I-D.spaghetti-sidrops-rpki-rsc]
387	              Snijders, J., "RPKI Signed Checklists", draft-spaghetti-
388	              sidrops-rpki-rsc-02 (work in progress), February 2021.

390	   [INET6NUM]
391	              RIPE, "Description of the INET6NUM Object",
392	              <https://www.ripe.net/manage-ips-and-
393	              asns/db/support/documentation/ripe-database-documentation/
394	              rpsl-object-types/4-2-descriptions-of-primary-
395	              objects/4-2-3-description-of-the-inet6num-object>.

397	   [INETNUM]  RIPE, "Description of the INETNUM Object",
398	              <https://www.ripe.net/manage-ips-and-
399	              asns/db/support/documentation/ripe-database-documentation/
400	              rpsl-object-types/4-2-descriptions-of-primary-
401	              objects/4-2-4-description-of-the-inetnum-object>.

403	   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
404	              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
405	              <https://www.rfc-editor.org/info/rfc959>.

407	   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
408	              DOI 10.17487/RFC3912, September 2004,
409	              <https://www.rfc-editor.org/info/rfc3912>.

411	   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
412	              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
413	              RFC 7234, DOI 10.17487/RFC7234, June 2014,
414	              <https://www.rfc-editor.org/info/rfc7234>.

416	   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
417	              Protocol (RDAP) Query Format", RFC 7482,
418	              DOI 10.17487/RFC7482, March 2015,
419	              <https://www.rfc-editor.org/info/rfc7482>.

421	   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
422	              Specification Language (RPSL) Objects with Resource Public
423	              Key Infrastructure (RPKI) Signatures", RFC 7909,
424	              DOI 10.17487/RFC7909, June 2016,
425	              <https://www.rfc-editor.org/info/rfc7909>.

427	Appendix A.  Example

429	   This appendix provides an example, including a trust anchor, a CA
430	   certificate subordinate to the trust anchor, an end-entity
431	   certificate subordinate to the CA for signing the geofeed, and a
432	   detached signature.

434	   The trust anchor is represented by a self-signed certificate.  As
435	   usual in the RPKI, the trust anchor has authority over all IPv4
436	   address blocks, all IPv6 address blocks, and all AS numbers.

438	       -----BEGIN CERTIFICATE-----
439	       MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
440	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
441	       MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
442	       AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
443	       0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
444	       XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
445	       g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
446	       O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
447	       jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
448	       BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
449	       GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
450	       GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
451	       KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
452	       YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
453	       ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
454	       YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
455	       AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
456	       BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
457	       xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
458	       cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
459	       Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
460	       rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
461	       x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
462	       -----END CERTIFICATE-----

464	   The CA certificate is issued by the trust anchor.  This certificate
465	   grants authority over one IPv4 address block (192.0.2.0/24) and two
466	   AS numbers (64496 and 64497).

468	       -----BEGIN CERTIFICATE-----
469	       MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
470	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
471	       MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
472	       QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
473	       zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
474	       6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
475	       j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
476	       liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
477	       YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
478	       TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R
479	       4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD
480	       VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr
481	       BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u
482	       ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz
483	       Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v
484	       cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr
485	       BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu
486	       bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz
487	       Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
488	       hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
489	       AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
490	       +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
491	       Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
492	       cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
493	       mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
494	       V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
495	       yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
496	       -----END CERTIFICATE-----

498	   The end-entity certificate is issued by the CA.  This certificate
499	   grants signature authority for one IPv4 address block (192.0.2.0/24).
500	   Signature authority for AS numbers is not needed for geofeed data
501	   signatures, so no AS numbers are included in the certificate.

503	       -----BEGIN CERTIFICATE-----
504	       MIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuMwDQYJKoZIhvcNAQEL
505	       BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
506	       Mzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAxOTA1MTdaMDMxMTAvBgNV
507	       BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
508	       MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
509	       yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
510	       K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
511	       BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
512	       tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
513	       qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
514	       AAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
515	       BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
516	       Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
517	       VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
518	       RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
519	       AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
520	       c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
521	       Y2VyMCEGCCsGAQUFBwEHAQH/BBIwEDAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUH
522	       AQsEOTA3MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90
523	       aWZpY2F0aW9uLnhtbDANBgkqhkiG9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHP
524	       TArIVBECZFSCdP+bJTse85TqYiblMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh
525	       6+xGs1n427JZUokoeLtY0UUb2fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b
526	       +YS8WXjEHt2KW6wyA/BcNS8adS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1ar
527	       Kelyz7PGIIXJGy9nF8C3/aaaEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfO
528	       MkB8YF6kUU+td2dDQsMztcOxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh4
529	       5Q==
530	       -----END CERTIFICATE-----

532	   The end-entity certificate is displayed below in detail.  For
533	   brevity, the other two certificates are not.

535	      0 1197: SEQUENCE {
536	      4  917:  SEQUENCE {
537	      8    3:   [0] {
538	     10    1:    INTEGER 2
539	            :     }
540	     13   20:   INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E3
541	     35   13:   SEQUENCE {
542	     37    9:    OBJECT IDENTIFIER
543	            :     sha256WithRSAEncryption (1 2 840 113549 1 1 11)
544	     48    0:    NULL
545	            :     }
546	     50   51:   SEQUENCE {
547	     52   49:    SET {
548	     54   47:     SEQUENCE {
549	     56    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
550	     61   40:      PrintableString
551	            :       '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
552	            :       }
553	            :      }
554	            :     }
555	    103   30:   SEQUENCE {
556	    105   13:    UTCTime 03/09/2020 19:05:17 GMT
557	    120   13:    UTCTime 30/06/2021 19:05:17 GMT
558	            :     }
559	    135   51:   SEQUENCE {
560	    137   49:    SET {
561	    139   47:     SEQUENCE {
562	    141    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
563	    146   40:      PrintableString
564	            :       '914652A3BD51C144260198889F5C45ABF053A187'
565	            :       }
566	            :      }
567	            :     }
568	    188  290:   SEQUENCE {
569	    192   13:    SEQUENCE {
570	    194    9:     OBJECT IDENTIFIER rsaEncryption
571	            :      (1 2 840 113549 1 1 1)
572	    205    0:     NULL
573	            :      }
574	    207  271:    BIT STRING, encapsulates {
575	    212  266:     SEQUENCE {
576	    216  257:      INTEGER
577	            :       00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
578	            :       40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
579	            :       B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
580	            :       57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
581	            :       74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
582	            :       9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
583	            :       E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
584	            :       95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
585	            :       F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
586	            :       16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
587	            :       BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
588	            :       88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
589	            :       6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
590	            :       67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
591	            :       78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
592	            :       FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
593	            :       EB
594	    477    3:      INTEGER 65537
595	            :       }
596	            :      }
597	            :     }
598	    482  439:   [3] {
599	    486  435:    SEQUENCE {
600	    490   29:     SEQUENCE {
601	    492    3:      OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
602	    497   22:      OCTET STRING, encapsulates {
603	    499   20:       OCTET STRING
604	            :        91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
605	            :        F0 53 A1 87
606	            :        }
607	            :       }
608	    521   31:     SEQUENCE {
609	    523    3:      OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
610	    528   24:      OCTET STRING, encapsulates {
611	    530   22:       SEQUENCE {
612	    532   20:        [0]
613	            :         3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
614	            :         B3 77 86 42
615	            :         }
616	            :        }
617	            :       }
618	    554   12:     SEQUENCE {
619	    556    3:      OBJECT IDENTIFIER basicConstraints (2 5 29 19)
620	    561    1:      BOOLEAN TRUE
621	    564    2:      OCTET STRING, encapsulates {
622	    566    0:       SEQUENCE {}
623	            :        }
624	            :       }
625	    568   14:     SEQUENCE {
626	    570    3:      OBJECT IDENTIFIER keyUsage (2 5 29 15)
627	    575    1:      BOOLEAN TRUE
628	    578    4:      OCTET STRING, encapsulates {
629	    580    2:       BIT STRING 7 unused bits
630	            :        '1'B (bit 0)
631	            :        }
632	            :       }
633	    584   24:     SEQUENCE {
634	    586    3:      OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
635	    591    1:      BOOLEAN TRUE
636	    594   14:      OCTET STRING, encapsulates {
637	    596   12:       SEQUENCE {
638	    598   10:        SEQUENCE {
639	    600    8:         OBJECT IDENTIFIER
640	            :          resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
641	            :          }
642	            :         }
643	            :        }
644	            :       }
645	    610   97:     SEQUENCE {
646	    612    3:      OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
647	    617   90:      OCTET STRING, encapsulates {
648	    619   88:       SEQUENCE {
649	    621   86:        SEQUENCE {
650	    623   84:         [0] {
651	    625   82:          [0] {
652	    627   80:           [6]
653	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
654	            :          'B21B7D11E3E184EFC1E297B3778642.crl'
655	            :            }
656	            :           }
657	            :          }
658	            :         }
659	            :        }
660	            :       }
661	    709  108:     SEQUENCE {
662	    711    8:      OBJECT IDENTIFIER authorityInfoAccess
663	            :       (1 3 6 1 5 5 7 1 1)
664	    721   96:      OCTET STRING, encapsulates {
665	    723   94:       SEQUENCE {
666	    725   92:        SEQUENCE {
667	    727    8:         OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
668	    737   80:         [6]
669	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
670	            :          'B21B7D11E3E184EFC1E297B3778642.cer'
671	            :          }
672	            :         }
673	            :        }
674	            :       }
675	    819   33:     SEQUENCE {
676	    821    8:      OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
677	    831    1:      BOOLEAN TRUE
678	    834   18:      OCTET STRING, encapsulates {
679	    836   16:       SEQUENCE {
680	    838    6:        SEQUENCE {
681	    840    2:         OCTET STRING 00 01
682	    844    0:         NULL
683	            :          }
684	    846    6:        SEQUENCE {
685	    848    2:         OCTET STRING 00 02
686	    852    0:         NULL
687	            :          }
688	            :         }
689	            :        }
690	            :       }
691	    854   69:     SEQUENCE {
692	    856    8:      OBJECT IDENTIFIER subjectInfoAccess
693	            :       (1 3 6 1 5 5 7 1 11)
694	    866   57:      OCTET STRING, encapsulates {
695	    868   55:       SEQUENCE {
696	    870   53:        SEQUENCE {
697	    872    8:         OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
698	    882   41:         [6]
699	            :          'https://rrdp.example.net/notification.xml'
700	            :          }
701	            :         }
702	            :        }
703	            :       }
704	            :      }
705	            :     }
706	            :    }
707	    925   13:  SEQUENCE {
708	    927    9:   OBJECT IDENTIFIER sha256WithRSAEncryption
709	            :    (1 2 840 113549 1 1 11)
710	    938    0:   NULL
711	            :    }
712	    940  257:  BIT STRING
713	            :   05 1D 93 D2 A4 F6 57 56 65 B1 98 E3 FB 21 CF 4C
714	            :   0A C8 54 11 02 64 54 82 74 FF 9B 25 3B 1E F3 94
715	            :   EA 62 26 E5 32 C3 52 F7 21 2E D9 23 5B 69 93 0D
716	            :   2E E4 92 88 07 DF 62 8A 21 E2 72 18 AB F4 61 EB
717	            :   EC 46 B3 59 F8 DB B2 59 52 89 28 78 BB 58 D1 45
718	            :   1B D9 F2 2C B9 AF 49 16 8F 18 19 39 E9 A8 33 06
719	            :   7B EC 67 A5 B2 74 48 24 A8 06 52 42 22 3F 9B F9
720	            :   84 BC 59 78 C4 1E DD 8A 5B AC 32 03 F0 5C 35 2F
721	            :   1A 75 2D A9 11 4C 02 D9 CB 3F 59 CC 33 81 BB 6D
722	            :   9E 47 27 1B BF F0 92 B4 37 A2 AC E9 0B 56 AB 29
723	            :   E9 72 CF B3 C6 20 85 C9 1B 2F 67 17 C0 B7 FD A6
724	            :   9A 12 91 DD ED 48 08 CA F5 D8 B8 26 3F 96 A5 93
725	            :   9B DE E3 0F 18 06 21 81 82 EF AE B4 9A D7 CE 32
726	            :   40 7C 60 5E A4 51 4F AD 77 67 43 42 C3 33 B5 C3
727	            :   B1 6F 3A A2 1A 78 9C 99 E2 5F 07 01 B6 96 2E 8E
728	            :   D2 FA 2B 5B 87 79 88 83 93 2A 94 32 A9 F8 78 E5
729	            :   }

731	   To allow reproduction of the signature results, the end-entity
732	   private key is provided.  For brevity, the other two private keys are
733	   not.

735	   -----BEGIN RSA PRIVATE KEY-----
736	   MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
737	   /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
738	   Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
739	   zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
740	   eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
741	   gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
742	   18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
743	   pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
744	   ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
745	   mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
746	   IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
747	   t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
748	   MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
749	   Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
750	   26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
751	   nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
752	   FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
753	   O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
754	   Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
755	   vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
756	   DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
757	   taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
758	   PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
759	   E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
760	   iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
761	       -----END RSA PRIVATE KEY-----

763	   Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
764	   yields the following detached CMS signature.

766	   # RPKI Signature: 192.0.2.0/24
767	   # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
768	   # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
769	   # MwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
770	   # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAx
771	   # OTA1MTdaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
772	   # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
773	   # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
774	   # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
775	   # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
776	   # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
777	   # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
778	   # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71R
779	   # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
780	   # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
781	   # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
782	   # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
783	   # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
784	   # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
785	   # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMCEGCCsGAQUFBwEHAQH/BBIwE
786	   # DAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUHAQsEOTA3MDUGCCsGAQUFBzANhilo
787	   # dHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90aWZpY2F0aW9uLnhtbDANBgkqhki
788	   # G9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHPTArIVBECZFSCdP+bJTse85TqYi
789	   # blMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh6+xGs1n427JZUokoeLtY0UUb2
790	   # fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b+YS8WXjEHt2KW6wyA/BcNS8a
791	   # dS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1arKelyz7PGIIXJGy9nF8C3/aa
792	   # aEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfOMkB8YF6kUU+td2dDQsMztc
793	   # OxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh45TGCAaowggGmAgEDgBSRR
794	   # lKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMx
795	   # DQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIwMDkxMzE4NDUxMFowLwY
796	   # JKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4VtBHypfcEWMA
797	   # 0GCSqGSIb3DQEBAQUABIIBAHUrA4PaJG42BD3hpF8U0usnV3Dg5NQh97SfyKTk7
798	   # YHhhwu/936gkmAew8ODRTCddMvMObWkjj7/XeR+WKffaTF1EAdZ1L6REV+GlV91
799	   # cYnFkT9ldn4wHQnNNncfAehk5PClYUUQ0gqjdJT1hdaolT83b3ttekyYIiwPmHE
800	   # xRaNkSvKenlNqcriaaf3rbQy9dc2d1KxrL2429n134ICqjKeRnHkXXrCWDmyv/3
801	   # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
802	   # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
803	   # End Signature: 192.0.2.0/24

805	Authors' Addresses

807	   Randy Bush
808	   IIJ & Arrcus
809	   5147 Crystal Springs
810	   Bainbridge Island, Washington  98110
811	   United States of America

813	   Email: randy@psg.com
814	   Massimo Candela
815	   NTT
816	   Siriusdreef 70-72
817	   Hoofddorp  2132 WT
818	   Netherlands

820	   Email: massimo@ntt.net

822	   Warren Kumari
823	   Google
824	   1600 Amphitheatre Parkway
825	   Mountain View, CA  94043
826	   US

828	   Email: warren@kumari.net

830	   Russ Housley
831	   Vigil Security, LLC
832	   516 Dranesville Road
833	   Herndon, VA  20170
834	   USA

836	   Email: housley@vigilsec.com