idnits 2.17.1 

draft-ietf-opsawg-finding-geofeeds-08.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  -- The document has examples using IPv4 documentation addresses according
     to RFC6890, but does not use any IPv6 documentation addresses.  Maybe
     there should be IPv6 examples, too?


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (May 11, 2021) is 1078 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC-TBD' is mentioned on line 363, but not defined

  -- Looks like a reference, but probably isn't: '0' on line 701

  -- Looks like a reference, but probably isn't: '3' on line 648

  -- Looks like a reference, but probably isn't: '6' on line 748

  ** Downref: Normative reference to an Informational RFC: RFC 5485

  ** Downref: Normative reference to an Informational RFC: RFC 8805

  -- Obsolete informational reference (is this intentional?): RFC 7234
     (Obsoleted by RFC 9111)

  -- Obsolete informational reference (is this intentional?): RFC 7482
     (Obsoleted by RFC 9082)


     Summary: 2 errors (**), 0 flaws (~~), 2 warnings (==), 8 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                            R. Bush
3	Internet-Draft                                              IIJ & Arrcus
4	Intended status: Standards Track                              M. Candela
5	Expires: November 12, 2021                                           NTT
6	                                                               W. Kumari
7	                                                                  Google
8	                                                              R. Housley
9	                                                          Vigil Security
10	                                                            May 11, 2021

12	                     Finding and Using Geofeed Data
13	                 draft-ietf-opsawg-finding-geofeeds-08

15	Abstract

17	   This document describes how to find and authenticate geofeed data.

19	Status of This Memo

21	   This Internet-Draft is submitted in full conformance with the
22	   provisions of BCP 78 and BCP 79.

24	   Internet-Drafts are working documents of the Internet Engineering
25	   Task Force (IETF).  Note that other groups may also distribute
26	   working documents as Internet-Drafts.  The list of current Internet-
27	   Drafts is at https://datatracker.ietf.org/drafts/current/.

29	   Internet-Drafts are draft documents valid for a maximum of six months
30	   and may be updated, replaced, or obsoleted by other documents at any
31	   time.  It is inappropriate to use Internet-Drafts as reference
32	   material or to cite them other than as "work in progress."

34	   This Internet-Draft will expire on November 12, 2021.

36	Copyright Notice

38	   Copyright (c) 2021 IETF Trust and the persons identified as the
39	   document authors.  All rights reserved.

41	   This document is subject to BCP 78 and the IETF Trust's Legal
42	   Provisions Relating to IETF Documents
43	   (https://trustee.ietf.org/license-info) in effect on the date of
44	   publication of this document.  Please review these documents
45	   carefully, as they describe your rights and restrictions with respect
46	   to this document.  Code Components extracted from this document must
47	   include Simplified BSD License text as described in Section 4.e of
48	   the Trust Legal Provisions and are provided without warranty as
49	   described in the Simplified BSD License.

51	Table of Contents

53	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
54	     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
55	   2.  Geofeed Files . . . . . . . . . . . . . . . . . . . . . . . .   3
56	   3.  inetnum: Class  . . . . . . . . . . . . . . . . . . . . . . .   3
57	   4.  Authenticating Geofeed Data . . . . . . . . . . . . . . . . .   5
58	   5.  Operational Considerations  . . . . . . . . . . . . . . . . .   6
59	   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .   7
60	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
61	   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
62	   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   8
63	   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
64	     10.1.  Normative References . . . . . . . . . . . . . . . . . .   9
65	     10.2.  Informative References . . . . . . . . . . . . . . . . .  10
66	   Appendix A.  Example  . . . . . . . . . . . . . . . . . . . . . .  11
67	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  19

69	1.  Introduction

71	   Providers of Internet content and other services may wish to
72	   customize those services based on the geographic location of the user
73	   of the service.  This is often done using the source IP address used
74	   to contact the service.  Also, infrastructure and other services
75	   might wish to publish the locale of their services.  [RFC8805]
76	   defines geofeed, a syntax to associate geographic locales with IP
77	   addresses.  But it does not specify how to find the relevant geofeed
78	   data given an IP address.

80	   This document specifies how to augment the Routing Policy
81	   Specification Language (RPSL) [RFC4012] inetnum: class to refer
82	   specifically to geofeed data CSV files, and how to prudently use
83	   them.  In all places inetnum: is used, inet6num: should also be
84	   assumed [RFC4012].

86	   The reader may find [INETNUM] and [INET6NUM] informative, and
87	   certainly more verbose, descriptions of the inetnum: database
88	   classes.

90	   An optional, utterly awesome but slightly complex, means for
91	   authenticating geofeed data is also defined.

93	1.1.  Requirements Language

95	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
96	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
97	   "OPTIONAL" in this document are to be interpreted as described in BCP
98	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
99	   capitals, as shown here.

101	2.  Geofeed Files

103	   Geofeed files are described in [RFC8805].  They provide a facility
104	   for an IP address resource 'owner' to associate those IP addresses to
105	   geographic locale(s).

107	   Content providers and other parties who wish to locate an IP address
108	   to a geographic locale need to find the relevant geofeed data.  In
109	   Section 3 this document specifies how to find the relevant [RFC8805]
110	   geofeed file given an IP address.

112	   Geofeed data for large providers with significant horizontal scale
113	   and high granularity can be quite large.  The size of a file can be
114	   even larger if an unsigned geofeed file combines data for many
115	   prefixes, dual IPv4/IPv6 spaces are represented, etc.

117	   Geofeed data do have privacy considerations, see Section 6

119	   This document also suggests optional signature, which authenticates
120	   the data when present, for geofeed files to provide stronger
121	   authenticity to the data.

123	3.  inetnum: Class

125	   The Routing Policy Specification Language (RPSL), [RFC4012] used by
126	   the Regional Internet Registries (RIRs) specifies the inetnum:
127	   database class.  Each of these objects describes an IP address range
128	   and its attributes.  The inetnum: objects form a hierarchy ordered on
129	   the address space.

131	   Ideally, RPSL would be augmented to define a new RPSL geofeed:
132	   attribute in the inetnum: class.  Until such time, this document
133	   defines the syntax of a Geofeed remarks: attribute which contains an
134	   HTTPS URL of a geofeed file.  The format of the inetnum: geofeed
135	   attribute MUST be as in this example, "remarks: Geofeed ", where the
136	   token "Geofeed" is case sensitive, followed by a URL which will vary,
137	   but MUST refer only to a single [RFC8805] geofeed file.

139	       inetnum: 192.0.2.0/24 # example
140	       remarks: Geofeed https://example.com/geofeed.csv

142	   While we leave global agreement of RPSL modification to the relevant
143	   parties, we specify that a proper geofeed: attribute in the inetnum:
144	   class be simply "geofeed: " followed by a URL which will vary, but
145	   MUST refer only to a [RFC8805] geofeed file.

147	       inetnum: 192.0.2.0/24 # example
148	       geofeed: https://example.com/geofeed.csv

150	   The URL's use of the web PKI can not provide authentication of IP
151	   address space ownership.  It is only used to authenticate a pointer
152	   to the geofeed file and transport integrity of the data.  In
153	   contrast, the Resource Public Key Infrastructure (RPKI, see
154	   [RFC6481]) can be used to authenticate IP space ownership; see
155	   optional authentication in Section 4.

157	   Until all producers of inetnum:s, i.e. the RIRs, state that they have
158	   migrated to supporting a geofeed: attribute, consumers looking at
159	   inetnum:s to find geofeed URLs MUST be able to consume both the
160	   remarks: and geofeed: forms.  This not only implies that the RIRs
161	   support the geofeed: attribute, but that all registrants have
162	   migrated any inetnum:s from remarks: use to geofeed:s.

164	   Any particular inetnum: object MUST have at most, one geofeed
165	   reference, whether a remarks: or a proper geofeed: attribute when it
166	   is implemented.  If there is more than one, all are ignored.

168	   If a geofeed CSV file describes multiple disjoint ranges of IP
169	   address space, there are likely to be geofeed references from
170	   multiple inetnum: objects.

172	   As inetnum: objects form a hierarchy, Geofeed references SHOULD be at
173	   the lowest applicable inetnum: object covering the relevant prefixes
174	   in the referenced geofeed file.  When fetching, the most specific
175	   inetnum: object with a geofeed reference MUST be used.

177	   When geofeed references are provided by multiple inetnum: objects
178	   which have identical address ranges, then the geofeed reference on
179	   the inetnum: with the most recent last-modified: attribute SHOULD be
180	   preferred.

182	   It is significant that geofeed data may have finer granularity than
183	   the inetnum: which refers to them.  I.e. an INETNUM object for a
184	   prefix P could refer to a geofeed file in which P has been sub-
185	   divided into one or more longer prefixes.

187	   Currently, the registry data published by ARIN is not the same RPSL
188	   as the other registries; therefore, when fetching from ARIN via FTP
189	   [RFC0959], whois [RFC3912], RDAP [RFC7482], or whatever, the
190	   "NetRange" attribute/key MUST be treated as "inetnum" and the
191	   "Comment" attribute MUST be treated as "remarks".

193	4.  Authenticating Geofeed Data

195	   The question arises of whether a particular [RFC8805] geofeed data
196	   set is valid, i.e. authorized by the 'owner' of the IP address space
197	   and is authoritative in some sense.  The inetnum: which points to the
198	   [RFC8805] geofeed file provides some assurance.  Unfortunately the
199	   RPSL in many repositories is weakly authenticated at best.  An
200	   approach where RPSL was signed a la [RFC7909] would be good, except
201	   it would have to be deployed by all RPSL registries, and there is a
202	   fair number of them.

204	   An optional authenticator MAY be appended to a [RFC8805] geofeed
205	   file.  It is a digest of the main body of the file signed by the
206	   private key of the relevant RPKI certificate for the covering address
207	   range.  One needs a format that bundles the relevant RPKI certificate
208	   with the signature and the digest of the geofeed text.

210	   The canonicalization procedure converts the data from its internal
211	   character representation to the UTF-8 [RFC3629] character encoding,
212	   and the <CRLF> sequence MUST be used to denote the end of a line of
213	   text.  Trailing space characters MUST NOT appear on a line of text.
214	   That is, the space or tab characters must not be followed by the
215	   <CRLF> sequence.  Thus, a blank line is represented solely by the
216	   <CRLF> sequence.  Other nonprintable characters, such as backspace,
217	   are not expected.  For robustness, any nonprintable characters MUST
218	   NOT be changed by canonicalization.  Trailing blank lines MUST NOT
219	   appear at the end of the file.  That is, the file must not end with
220	   multiple consecutive <CRLF> sequences.  Any end-of-file marker used
221	   by an operating system is not considered to be part of the file
222	   content.  When present, such end-of-file markers MUST NOT be
223	   processed by the digital signature algorithm.  Borrowing detached
224	   signatures from [RFC5485], after file canonicalization, the
225	   Cryptographic Message Syntax (CMS) [RFC5652] would be used to create
226	   a detached DER encoded signature which is then BASE64 encoded and
227	   line wrapped to 72 or fewer characters.

229	   The address range of the signing certificate MUST cover all prefixes
230	   in the geofeed file it signs; and therefore must be covered by the
231	   range of the inetnum:.

233	   An address range A 'covers' address range B if the range of B is
234	   identical to or a subset of A.  'Address range' is used here because
235	   inetnum: objects and RPKI certificates need not align on CIDR prefix
236	   boundaries, while those of the CSV lines in the geofeed file do.

238	   Validation of the signing certificate needs to ensure that it is part
239	   of the current manifest and that the resources are covered by the
240	   RPKI certificate.

242	   As the signer specifies the covered RPKI resources relevant to the
243	   signature, the RPKI certificate covering the inetnum: object's
244	   address range is included in the [RFC5652] CMS SignedData
245	   certificates field.

247	   Identifying the private key associated with the certificate, and
248	   getting the department with the Hardware Security Module (HSM) to
249	   sign the CMS blob is left as an exercise for the implementor.  On the
250	   other hand, verifying the signature requires no complexity; the
251	   certificate, which can be validated in the public RPKI, has the
252	   needed public key.

254	   The appendix MUST be 'hidden' as a series of "#" comments at the end
255	   of the geofeed file.  The following is a cryptographically incorrect,
256	   albeit simple example.  A correct and full example is in Appendix A.

258	       # RPKI Signature: 192.0.2.0/24
259	       # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
260	       # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
261	       ...
262	       # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
263	       # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
264	       # End Signature: 192.0.2.0/24

266	   The signature does not cover the signature lines.

268	   [I-D.spaghetti-sidrops-rpki-rsc] describes and provides code for a
269	   Cryptographic Message Syntax (CMS) profile for a general purpose
270	   listing of checksums (a 'checklist'), for use with the Resource
271	   Public Key Infrastructure (RPKI).  It provides usable, albeit
272	   complex, code to sign geofeed files.

274	   [I-D.ietf-sidrops-rpki-rta] describes a Cryptographic Message Syntax
275	   (CMS) profile for a general purpose Resource Tagged Attestation (RTA)
276	   based on the RPKI.  While this is expected to become applicable in
277	   the long run, for the purposes of this document, a self-signed root
278	   trust anchor is used.

280	5.  Operational Considerations

282	   To create the needed inetnum: objects, an operator wishing to
283	   register the location of their geofeed file needs to coordinate with
284	   their RIR/NIR and/or any provider LIR which has assigned prefixes to
285	   them.  RIRs/NIRs provide means for assignees to create and maintain
286	   inetnum: objects.  They also provide means of [sub-]assigning IP
287	   address resources and allowing the assignee to create whois data,
288	   including inetnum: objects, and thereby referring to geofeed files.

290	   The geofeed files SHOULD be published over and fetched using https
291	   [RFC8446].

293	   When using data from a geofeed file, one MUST ignore data outside of
294	   the referring inetnum: object's inetnum: attribute address range.

296	   If and only if the geofeed file is not signed per Section 4, then
297	   multiple inetnum: objects MAY refer to the same geofeed file, and the
298	   consumer MUST use only geofeed lines where the prefix is covered by
299	   the address range of the inetnum: object they have followed.

301	   To minimize the load on RIR whois [RFC3912] services, use of the
302	   RIR's FTP [RFC0959] services SHOULD be the preferred access.  This
303	   also provides bulk access instead of fetching with tweezers.

305	   Currently, geolocation providers have bulk whois data access at all
306	   the RIRs.  An anonymized version of such data is openly available for
307	   all RIRs except ARIN, which requires an authorization.  However, for
308	   users without such authorization the same result can be achieved with
309	   extra RDAP effort.  There is open source code to pass over such data
310	   across all RIRs, collect all geofeed references, and process them
311	   [geofeed-finder].

313	   An entity fetching geofeed data using these mechanisms MUST NOT do
314	   frequent real-time look-ups to prevent load on RPSL and geofeed
315	   servers.  [RFC8805] Section 3.4 suggests use of the [RFC7234] HTTP
316	   Expires Caching Header to signal when geofeed data should be
317	   refetched.  As the data change very infrequently, in the absence of
318	   such an HTTP Header signal, collectors SHOULD NOT fetch more
319	   frequently than weekly.  It would be polite not to fetch at magic
320	   times such as midnight UTC, the first of the month, etc., because too
321	   many others are likely to do the same.

323	6.  Privacy Considerations

325	   [RFC8805] geofeed data may reveal the approximate location of an IP
326	   address, which might in turn reveal the approximate location of an
327	   individual user.  Unfortunately, [RFC8805] provides no privacy
328	   guidance on avoiding or ameliorating possible damage due to this
329	   exposure of the user.  In publishing pointers to geofeed files as
330	   described in this document the operator should be aware of this
331	   exposure in geofeed data and be cautious.  All the privacy
332	   considerations of [RFC8805] Section 4 apply to this document.

334	7.  Security Considerations

336	   It is generally prudent for a consumer of geofeed data to also use
337	   other sources to cross-validate the data.  All of the Security
338	   Considerations of [RFC8805] apply here as well.

340	   As mentioned in Section 4, many RPSL repositories have weak if any
341	   authentication.  This allows spoofing of inetnum: objects pointing to
342	   malicious geofeed files.  Section 4 suggests an unfortunately complex
343	   method for stronger authentication based on the RPKI.

345	   If an inetnum: for a wide prefix (e.g. a /16) points to an RPKI-
346	   signed geofeed file, a customer or attacker could publish an unsigned
347	   equal or narrower (e.g. a /24) inetnum: in a whois registry which has
348	   weak authorization.

350	   The RPSL providers have had to throttle fetching from their servers
351	   due to too-frequent queries.  Usually they throttle by the querying
352	   IP address or block.  Similar defenses will likely need to be
353	   deployed by geofeed file servers.

355	8.  IANA Considerations

357	   IANA is asked to register object identifiers for one content type in
358	   the "SMI Security for S/MIME CMS Content Type
359	   (1.2.840.113549.1.9.16.1)" registry as follows:

361	   Description             OID                         Specification
362	   -----------------------------------------------------------------
363	   id-ct-geofeedCSVwithCRLF  1.2.840.113549.1.9.16.1.47  [RFC-TBD]

365	9.  Acknowledgments

367	   Thanks to Rob Austein for CMS and detached signature clue.  George
368	   Michaelson for the first and substantial external review, Erik Kline
369	   who was too shy to agree to co-authorship.  Additionally, we express
370	   our gratitude to early implementors, including Menno Schepers, Flavio
371	   Luciani, Eric Dugas, Job Snijders who provided running code, and
372	   Kevin Pack.  Also to geolocation providers that are consuming
373	   geofeeds with this described solution, Jonathan Kosgei (ipdata.co),
374	   Ben Dowling (ipinfo.io), and Pol Nisenblat (bigdatacloud.com).  For
375	   helpful reviews we thank Adrian Farrel, Antonio Prado, Rob Wilton,
376	   George Michaelson, the document shepherd, Kyle Rose for a probing
377	   SECDIR review, and Paul Kyzivat for a helpful GENART directorate
378	   review

380	10.  References

382	10.1.  Normative References

384	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
385	              Requirement Levels", BCP 14, RFC 2119,
386	              DOI 10.17487/RFC2119, March 1997,
387	              <https://www.rfc-editor.org/info/rfc2119>.

389	   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
390	              10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
391	              2003, <https://www.rfc-editor.org/info/rfc3629>.

393	   [RFC4012]  Blunk, L., Damas, J., Parent, F., and A. Robachevsky,
394	              "Routing Policy Specification Language next generation
395	              (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005,
396	              <https://www.rfc-editor.org/info/rfc4012>.

398	   [RFC5485]  Housley, R., "Digital Signatures on Internet-Draft
399	              Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
400	              <https://www.rfc-editor.org/info/rfc5485>.

402	   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
403	              RFC 5652, DOI 10.17487/RFC5652, September 2009,
404	              <https://www.rfc-editor.org/info/rfc5652>.

406	   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
407	              Resource Certificate Repository Structure", RFC 6481,
408	              DOI 10.17487/RFC6481, February 2012,
409	              <https://www.rfc-editor.org/info/rfc6481>.

411	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
412	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
413	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

415	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
416	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
417	              <https://www.rfc-editor.org/info/rfc8446>.

419	   [RFC8805]  Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
420	              Kumari, "A Format for Self-Published IP Geolocation
421	              Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
422	              <https://www.rfc-editor.org/info/rfc8805>.

424	10.2.  Informative References

426	   [geofeed-finder]
427	              Massimo Candela, "geofeed-finder",
428	              <https://github.com/massimocandela/geofeed-finder>.

430	   [I-D.ietf-sidrops-rpki-rta]
431	              Michaelson, G., Huston, G., Harrison, T., Bruijnzeels, T.,
432	              and M. Hoffmann, "A profile for Resource Tagged
433	              Attestations (RTAs)", draft-ietf-sidrops-rpki-rta-00 (work
434	              in progress), January 2021.

436	   [I-D.spaghetti-sidrops-rpki-rsc]
437	              Snijders, J., "RPKI Signed Checklists", draft-spaghetti-
438	              sidrops-rpki-rsc-03 (work in progress), February 2021.

440	   [INET6NUM]
441	              RIPE, "Description of the INET6NUM Object",
442	              <https://www.ripe.net/manage-ips-and-
443	              asns/db/support/documentation/ripe-database-documentation/
444	              rpsl-object-types/4-2-descriptions-of-primary-
445	              objects/4-2-3-description-of-the-inet6num-object>.

447	   [INETNUM]  RIPE, "Description of the INETNUM Object",
448	              <https://www.ripe.net/manage-ips-and-
449	              asns/db/support/documentation/ripe-database-documentation/
450	              rpsl-object-types/4-2-descriptions-of-primary-
451	              objects/4-2-4-description-of-the-inetnum-object>.

453	   [RFC0959]  Postel, J. and J. Reynolds, "File Transfer Protocol",
454	              STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
455	              <https://www.rfc-editor.org/info/rfc959>.

457	   [RFC3912]  Daigle, L., "WHOIS Protocol Specification", RFC 3912,
458	              DOI 10.17487/RFC3912, September 2004,
459	              <https://www.rfc-editor.org/info/rfc3912>.

461	   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
462	              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
463	              RFC 7234, DOI 10.17487/RFC7234, June 2014,
464	              <https://www.rfc-editor.org/info/rfc7234>.

466	   [RFC7482]  Newton, A. and S. Hollenbeck, "Registration Data Access
467	              Protocol (RDAP) Query Format", RFC 7482,
468	              DOI 10.17487/RFC7482, March 2015,
469	              <https://www.rfc-editor.org/info/rfc7482>.

471	   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
472	              Specification Language (RPSL) Objects with Resource Public
473	              Key Infrastructure (RPKI) Signatures", RFC 7909,
474	              DOI 10.17487/RFC7909, June 2016,
475	              <https://www.rfc-editor.org/info/rfc7909>.

477	Appendix A.  Example

479	   This appendix provides an example, including a trust anchor, a CA
480	   certificate subordinate to the trust anchor, an end-entity
481	   certificate subordinate to the CA for signing the geofeed, and a
482	   detached signature.

484	   The trust anchor is represented by a self-signed certificate.  As
485	   usual in the RPKI, the trust anchor has authority over all IPv4
486	   address blocks, all IPv6 address blocks, and all AS numbers.

488	       -----BEGIN CERTIFICATE-----
489	       MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
490	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
491	       MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
492	       AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
493	       0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
494	       XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
495	       g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
496	       O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
497	       jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
498	       BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
499	       GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
500	       GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
501	       KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
502	       YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
503	       ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
504	       YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
505	       AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
506	       BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
507	       xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
508	       cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
509	       Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
510	       rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
511	       x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
512	       -----END CERTIFICATE-----

514	   The CA certificate is issued by the trust anchor.  This certificate
515	   grants authority over one IPv4 address block (192.0.2.0/24) and two
516	   AS numbers (64496 and 64497).

518	       -----BEGIN CERTIFICATE-----
519	       MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
520	       BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
521	       MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
522	       QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
523	       zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
524	       6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
525	       j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
526	       liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
527	       YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
528	       TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R
529	       4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD
530	       VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr
531	       BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u
532	       ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz
533	       Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v
534	       cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr
535	       BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu
536	       bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz
537	       Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
538	       hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
539	       AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
540	       +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
541	       Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
542	       cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
543	       mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
544	       V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
545	       yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
546	       -----END CERTIFICATE-----

548	   The end-entity certificate is issued by the CA.  This certificate
549	   grants signature authority for one IPv4 address block (192.0.2.0/24).
550	   Signature authority for AS numbers is not needed for geofeed data
551	   signatures, so no AS numbers are included in the certificate.

553	       -----BEGIN CERTIFICATE-----
554	       MIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuMwDQYJKoZIhvcNAQEL
555	       BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
556	       Mzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAxOTA1MTdaMDMxMTAvBgNV
557	       BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
558	       MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
559	       yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
560	       K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
561	       BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
562	       tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
563	       qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
564	       AAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
565	       BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
566	       Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
567	       VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
568	       RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
569	       AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
570	       c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
571	       Y2VyMCEGCCsGAQUFBwEHAQH/BBIwEDAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUH
572	       AQsEOTA3MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90
573	       aWZpY2F0aW9uLnhtbDANBgkqhkiG9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHP
574	       TArIVBECZFSCdP+bJTse85TqYiblMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh
575	       6+xGs1n427JZUokoeLtY0UUb2fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b
576	       +YS8WXjEHt2KW6wyA/BcNS8adS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1ar
577	       Kelyz7PGIIXJGy9nF8C3/aaaEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfO
578	       MkB8YF6kUU+td2dDQsMztcOxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh4
579	       5Q==
580	       -----END CERTIFICATE-----

582	   The end-entity certificate is displayed below in detail.  For
583	   brevity, the other two certificates are not.

585	      0 1197: SEQUENCE {
586	      4  917:  SEQUENCE {
587	      8    3:   [0] {
588	     10    1:    INTEGER 2
589	            :     }
590	     13   20:   INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E3
591	     35   13:   SEQUENCE {
592	     37    9:    OBJECT IDENTIFIER
593	            :     sha256WithRSAEncryption (1 2 840 113549 1 1 11)
594	     48    0:    NULL
595	            :     }
596	     50   51:   SEQUENCE {
597	     52   49:    SET {
598	     54   47:     SEQUENCE {
599	     56    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
600	     61   40:      PrintableString
601	            :       '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
602	            :       }
603	            :      }
604	            :     }
605	    103   30:   SEQUENCE {
606	    105   13:    UTCTime 03/09/2020 19:05:17 GMT
607	    120   13:    UTCTime 30/06/2021 19:05:17 GMT
608	            :     }
609	    135   51:   SEQUENCE {
610	    137   49:    SET {
611	    139   47:     SEQUENCE {
612	    141    3:      OBJECT IDENTIFIER commonName (2 5 4 3)
613	    146   40:      PrintableString
614	            :       '914652A3BD51C144260198889F5C45ABF053A187'
615	            :       }
616	            :      }
617	            :     }
618	    188  290:   SEQUENCE {
619	    192   13:    SEQUENCE {
620	    194    9:     OBJECT IDENTIFIER rsaEncryption
621	            :      (1 2 840 113549 1 1 1)
622	    205    0:     NULL
623	            :      }
624	    207  271:    BIT STRING, encapsulates {
625	    212  266:     SEQUENCE {
626	    216  257:      INTEGER
627	            :       00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
628	            :       40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
629	            :       B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
630	            :       57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
631	            :       74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
632	            :       9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
633	            :       E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
634	            :       95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
635	            :       F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
636	            :       16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
637	            :       BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
638	            :       88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
639	            :       6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
640	            :       67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
641	            :       78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
642	            :       FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
643	            :       EB
644	    477    3:      INTEGER 65537
645	            :       }
646	            :      }
647	            :     }
648	    482  439:   [3] {
649	    486  435:    SEQUENCE {
650	    490   29:     SEQUENCE {
651	    492    3:      OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
652	    497   22:      OCTET STRING, encapsulates {
653	    499   20:       OCTET STRING
654	            :        91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
655	            :        F0 53 A1 87
656	            :        }
657	            :       }
658	    521   31:     SEQUENCE {
659	    523    3:      OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
660	    528   24:      OCTET STRING, encapsulates {
661	    530   22:       SEQUENCE {
662	    532   20:        [0]
663	            :         3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
664	            :         B3 77 86 42
665	            :         }
666	            :        }
667	            :       }
668	    554   12:     SEQUENCE {
669	    556    3:      OBJECT IDENTIFIER basicConstraints (2 5 29 19)
670	    561    1:      BOOLEAN TRUE
671	    564    2:      OCTET STRING, encapsulates {
672	    566    0:       SEQUENCE {}
673	            :        }
674	            :       }
675	    568   14:     SEQUENCE {
676	    570    3:      OBJECT IDENTIFIER keyUsage (2 5 29 15)
677	    575    1:      BOOLEAN TRUE
678	    578    4:      OCTET STRING, encapsulates {
679	    580    2:       BIT STRING 7 unused bits
680	            :        '1'B (bit 0)
681	            :        }
682	            :       }
683	    584   24:     SEQUENCE {
684	    586    3:      OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
685	    591    1:      BOOLEAN TRUE
686	    594   14:      OCTET STRING, encapsulates {
687	    596   12:       SEQUENCE {
688	    598   10:        SEQUENCE {
689	    600    8:         OBJECT IDENTIFIER
690	            :          resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
691	            :          }
692	            :         }
693	            :        }
694	            :       }
695	    610   97:     SEQUENCE {
696	    612    3:      OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
697	    617   90:      OCTET STRING, encapsulates {
698	    619   88:       SEQUENCE {
699	    621   86:        SEQUENCE {
700	    623   84:         [0] {
701	    625   82:          [0] {
702	    627   80:           [6]
703	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
704	            :          'B21B7D11E3E184EFC1E297B3778642.crl'
705	            :            }
706	            :           }
707	            :          }
708	            :         }
709	            :        }
710	            :       }
711	    709  108:     SEQUENCE {
712	    711    8:      OBJECT IDENTIFIER authorityInfoAccess
713	            :       (1 3 6 1 5 5 7 1 1)
714	    721   96:      OCTET STRING, encapsulates {
715	    723   94:       SEQUENCE {
716	    725   92:        SEQUENCE {
717	    727    8:         OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
718	    737   80:         [6]
719	            :          'rsync://rpki.example.net/repository/3ACE2CEF4F'
720	            :          'B21B7D11E3E184EFC1E297B3778642.cer'
721	            :          }
722	            :         }
723	            :        }
724	            :       }
725	    819   33:     SEQUENCE {
726	    821    8:      OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
727	    831    1:      BOOLEAN TRUE
728	    834   18:      OCTET STRING, encapsulates {
729	    836   16:       SEQUENCE {
730	    838    6:        SEQUENCE {
731	    840    2:         OCTET STRING 00 01
732	    844    0:         NULL
733	            :          }
734	    846    6:        SEQUENCE {
735	    848    2:         OCTET STRING 00 02
736	    852    0:         NULL
737	            :          }
738	            :         }
739	            :        }
740	            :       }
741	    854   69:     SEQUENCE {
742	    856    8:      OBJECT IDENTIFIER subjectInfoAccess
743	            :       (1 3 6 1 5 5 7 1 11)
744	    866   57:      OCTET STRING, encapsulates {
745	    868   55:       SEQUENCE {
746	    870   53:        SEQUENCE {
747	    872    8:         OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
748	    882   41:         [6]
749	            :          'https://rrdp.example.net/notification.xml'
750	            :          }
751	            :         }
752	            :        }
753	            :       }
754	            :      }
755	            :     }
756	            :    }
757	    925   13:  SEQUENCE {
758	    927    9:   OBJECT IDENTIFIER sha256WithRSAEncryption
759	            :    (1 2 840 113549 1 1 11)
760	    938    0:   NULL
761	            :    }
762	    940  257:  BIT STRING
763	            :   05 1D 93 D2 A4 F6 57 56 65 B1 98 E3 FB 21 CF 4C
764	            :   0A C8 54 11 02 64 54 82 74 FF 9B 25 3B 1E F3 94
765	            :   EA 62 26 E5 32 C3 52 F7 21 2E D9 23 5B 69 93 0D
766	            :   2E E4 92 88 07 DF 62 8A 21 E2 72 18 AB F4 61 EB
767	            :   EC 46 B3 59 F8 DB B2 59 52 89 28 78 BB 58 D1 45
768	            :   1B D9 F2 2C B9 AF 49 16 8F 18 19 39 E9 A8 33 06
769	            :   7B EC 67 A5 B2 74 48 24 A8 06 52 42 22 3F 9B F9
770	            :   84 BC 59 78 C4 1E DD 8A 5B AC 32 03 F0 5C 35 2F
771	            :   1A 75 2D A9 11 4C 02 D9 CB 3F 59 CC 33 81 BB 6D
772	            :   9E 47 27 1B BF F0 92 B4 37 A2 AC E9 0B 56 AB 29
773	            :   E9 72 CF B3 C6 20 85 C9 1B 2F 67 17 C0 B7 FD A6
774	            :   9A 12 91 DD ED 48 08 CA F5 D8 B8 26 3F 96 A5 93
775	            :   9B DE E3 0F 18 06 21 81 82 EF AE B4 9A D7 CE 32
776	            :   40 7C 60 5E A4 51 4F AD 77 67 43 42 C3 33 B5 C3
777	            :   B1 6F 3A A2 1A 78 9C 99 E2 5F 07 01 B6 96 2E 8E
778	            :   D2 FA 2B 5B 87 79 88 83 93 2A 94 32 A9 F8 78 E5
779	            :   }

781	   To allow reproduction of the signature results, the end-entity
782	   private key is provided.  For brevity, the other two private keys are
783	   not.

785	   -----BEGIN RSA PRIVATE KEY-----
786	   MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
787	   /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
788	   Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
789	   zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
790	   eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
791	   gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
792	   18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
793	   pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
794	   ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
795	   mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
796	   IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
797	   t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
798	   MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
799	   Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
800	   26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
801	   nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
802	   FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
803	   O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
804	   Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
805	   vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
806	   DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
807	   taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
808	   PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
809	   E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
810	   iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
811	       -----END RSA PRIVATE KEY-----

813	   Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
814	   yields the following detached CMS signature.

816	   # RPKI Signature: 192.0.2.0/24
817	   # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
818	   # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
819	   # MwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
820	   # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMDA5MDMxOTA1MTdaFw0yMTA2MzAx
821	   # OTA1MTdaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
822	   # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
823	   # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
824	   # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
825	   # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
826	   # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
827	   # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
828	   # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggG3MIIBszAdBgNVHQ4EFgQUkUZSo71R
829	   # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
830	   # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
831	   # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
832	   # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
833	   # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
834	   # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
835	   # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMCEGCCsGAQUFBwEHAQH/BBIwE
836	   # DAGBAIAAQUAMAYEAgACBQAwRQYIKwYBBQUHAQsEOTA3MDUGCCsGAQUFBzANhilo
837	   # dHRwczovL3JyZHAuZXhhbXBsZS5uZXQvbm90aWZpY2F0aW9uLnhtbDANBgkqhki
838	   # G9w0BAQsFAAOCAQEABR2T0qT2V1ZlsZjj+yHPTArIVBECZFSCdP+bJTse85TqYi
839	   # blMsNS9yEu2SNbaZMNLuSSiAffYooh4nIYq/Rh6+xGs1n427JZUokoeLtY0UUb2
840	   # fIsua9JFo8YGTnpqDMGe+xnpbJ0SCSoBlJCIj+b+YS8WXjEHt2KW6wyA/BcNS8a
841	   # dS2pEUwC2cs/WcwzgbttnkcnG7/wkrQ3oqzpC1arKelyz7PGIIXJGy9nF8C3/aa
842	   # aEpHd7UgIyvXYuCY/lqWTm97jDxgGIYGC7660mtfOMkB8YF6kUU+td2dDQsMztc
843	   # OxbzqiGnicmeJfBwG2li6O0vorW4d5iIOTKpQyqfh45TGCAaowggGmAgEDgBSRR
844	   # lKjvVHBRCYBmIifXEWr8FOhhzALBglghkgBZQMEAgGgazAaBgkqhkiG9w0BCQMx
845	   # DQYLKoZIhvcNAQkQAS8wHAYJKoZIhvcNAQkFMQ8XDTIwMDkxMzE4NDUxMFowLwY
846	   # JKoZIhvcNAQkEMSIEICvi8p5S8ckg2wTRhDBQzGijjyqs5T6I+4VtBHypfcEWMA
847	   # 0GCSqGSIb3DQEBAQUABIIBAHUrA4PaJG42BD3hpF8U0usnV3Dg5NQh97SfyKTk7
848	   # YHhhwu/936gkmAew8ODRTCddMvMObWkjj7/XeR+WKffaTF1EAdZ1L6REV+GlV91
849	   # cYnFkT9ldn4wHQnNNncfAehk5PClYUUQ0gqjdJT1hdaolT83b3ttekyYIiwPmHE
850	   # xRaNkSvKenlNqcriaaf3rbQy9dc2d1KxrL2429n134ICqjKeRnHkXXrCWDmyv/3
851	   # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
852	   # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
853	   # End Signature: 192.0.2.0/24

855	Authors' Addresses

857	   Randy Bush
858	   IIJ & Arrcus
859	   5147 Crystal Springs
860	   Bainbridge Island, Washington  98110
861	   United States of America

863	   Email: randy@psg.com
864	   Massimo Candela
865	   NTT
866	   Siriusdreef 70-72
867	   Hoofddorp  2132 WT
868	   Netherlands

870	   Email: massimo@ntt.net

872	   Warren Kumari
873	   Google
874	   1600 Amphitheatre Parkway
875	   Mountain View, CA  94043
876	   US

878	   Email: warren@kumari.net

880	   Russ Housley
881	   Vigil Security, LLC
882	   516 Dranesville Road
883	   Herndon, VA  20170
884	   USA

886	   Email: housley@vigilsec.com