randy/draft-9092update
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

-02 published

Browse source
This commit is contained in:
Randy Bush 2023-09-18 18:36:40 -07:00
parent 4c9ad63e1e
commit 8cdde2b887
1 changed files with 489 additions and 478 deletions
Download patch file Download diff file Expand all files Collapse all files

373
draft-ietf-opsawg-9092-update.xml
View file

@ -8,7 +8,7 @@
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-opsawg-9092-update-01"
<rfc category="std" docName="draft-ietf-opsawg-9092-update-02"
submissionType="IETF" consensus="true" ipr="trust200902"
obsoletes="9092" version="2" >
@ -492,6 +492,13 @@
object's address range is included in the <xref target="RFC5652"
format="default"/> CMS SignedData certificates field.
</t>
<t>
The CA MUST sign only one Geofeed with each generated private
key and MUST generate a new key pair for each new version of the
Geofeed. An associated EE certificate used in this fashion is
termed a "one-time-use" EE certificate (see Section 3 of
<xref target="RFC6487"/>).
</t>
<t>
Identifying the private key associated with the certificate and
getting the department that controls the private key (which
@ -753,6 +760,11 @@
treated as "remarks".
</t>
<t>
<xref target="rpki-client"/> can be used to authenticate a
signed geofeed file.
</t>
</section>
<section anchor="seccons" numbered="true" toc="default">
@ -820,6 +832,7 @@
<?rfc include="reference.RFC.8174.xml"?>
<?rfc include="reference.RFC.6481.xml"?>
<?rfc include="reference.RFC.6486.xml"?>
<?rfc include="reference.RFC.6487.xml"?>
<?rfc include="reference.RFC.8805.xml"?>
<?rfc include="reference.RFC.8933.xml"?>
</references>
@ -837,8 +850,6 @@
<?rfc include="reference.RFC.9092.xml"?>
<?rfc include="reference.RFC.9323.xml"?>
<?rfc include="reference.I-D.ietf-sidrops-rpki-rta.xml"?>
<reference anchor="RIPE81" target="https://www.ripe.net/publications/docs/ripe-081">
<front>
<title>Representation Of IP Routing Policies In The RIPE Database</title>
@ -901,59 +912,67 @@
<refcontent>commit 5f557a4</refcontent>
</reference>
<reference anchor="rpki-client" target="https://sobornost.net/~job/using_geofeed_authenticators.txt">
<front>
<title>Example on how to use rpki-client to authenticate a signed Geofeed</title>
<author fullname="Job Snijders"/>
<date month="September" year="2023" />
</front>
</reference>
</references>
<section anchor="example" numbered="true" toc="default">
<name>Example</name>
<section title="Example" anchor="example">
<t>
This appendix provides an example that includes a trust anchor, a CA
This appendix provides an example, including a trust anchor, a CA
certificate subordinate to the trust anchor, an end-entity
certificate subordinate to the CA for signing the geofeed, and a
detached signature.
</t>
detached signature.</t>
<t>
The trust anchor is represented by a self-signed certificate. As
usual in the RPKI, the trust anchor has authority over all IPv4
address blocks, all IPv6 address blocks, and all Autonomous System
(AS) numbers.
</t>
<sourcecode type=""><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
-----END CERTIFICATE-----
]]></sourcecode>
address blocks, all IPv6 address blocks, and all AS numbers.</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
-----END CERTIFICATE-----
]]></artwork></figure>
<t>
The CA certificate is issued by the trust anchor. This
certificate grants authority over one IPv4 address block
(192.0.2.0/24) and two AS numbers (64496 and 64497).</t>
<sourcecode type=""><![CDATA[
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDLUwDQYJKoZIhvcNAQEL
BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MTYyMTAzMjhaFw0yNDA5
MTUyMTAzMjhaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
@ -972,25 +991,27 @@
Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
+/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAkWoRJBJRgIMRkTUgPDG/rqcd/fz+
eN8L3Yme1hNJuAnkf6S3pr5GT1NG9hVTphLFPI4jPSoPZSEQtZ6gsswU3KacnS2A
VtgHYfZA9gfRHhURuiWvFNSp+d7A2MeBmmRyBOD3a5v4f+wNoXPgPhUTZUsXh2Q4
q7WFgiQp6P8vdIXjZDKFB7Xtu7Fl1S5RVowV68DexjVfmaPTPZjetHaAqpz6C4/E
s4NArJzIL+8sqmIeuWUD11WXQ3wsC0IWuPMi6XOJQnPQQFtMPr79cftsw+Ynr/vc
F+WPd2Mdaby93ASOE2MyXdaaOf8Av3wIpMvhMuAuM03V/mPVksqxUbfOLw==
-----END CERTIFICATE-----
]]></sourcecode>
]]></artwork></figure>
<t>
The end-entity certificate is issued by the CA. This certificate
grants signature authority for one IPv4 address block (192.0.2.0/24).
Signature authority for AS numbers is not needed for geofeed data
signatures, so AS numbers MUST NOT be included in the certificate.
</t>
<sourcecode type=""><![CDATA[
The end-entity certificate is issued by the CA. This
certificate grants signature authority for one IPv4 address block
(192.0.2.0/24). Signature authority for AS numbers is not needed
for geofeed data signatures, so no AS numbers are included in the
end-entity certificate.</t>
<figure><artwork><![CDATA[
-----BEGIN CERTIFICATE-----
MIIEXjCCA0agAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuUwDQYJKoZIhvcNAQEL
MIIEZDCCA0ygAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuwwDQYJKoZIhvcNAQEL
BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
Mzc3ODY0MjAeFw0yMzA5MTIyMTI0MzJaFw0yNDA3MDgyMTI0MzJaMDMxMTAvBgNV
Mzc3ODY0MjAeFw0yMzA5MTYyMTAzMjhaFw0yNDA3MTIyMTAzMjhaMDMxMTAvBgNV
BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
@ -998,33 +1019,36 @@
BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
AAGjggFoMIIBZDAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
AAGjggFuMIIBajAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMA0GCSqGSIb3DQEBCwUAA4IB
AQDQhboLqwjpRHppCszugzqgaH29mEzCDvkbtWbfo97u2Edf/gRtfUoJ0hxherfH
faBdkS/yCQSgZXnA1UwnsnkavoRlOtlKLMicZ/Al6O8ef9DPpm01yz09Zu94UFie
TCRJQorJ3d4aURC/7Ox/MXoQRdffwT2swSKkWst/r7FL6JN5ZdIznWjnOErQXXbM
Dxp361/3TXUjX5fvNkKf/tivaOCngoBpG1FLSN62gAiVWQhunXO7nP+1ugw+aCvP
5l7FXEvVmTscrmy5SETQiDKIDwB+BlwfFdHufmKSpsaasRGbIe6e1SzmpBsymj+Z
ppLVbCS7uCs/8yKfjZdkVI7K
Y2VyMB8GCCsGAQUFBwEHAQH/BBAwDjAMBAIAATAGAwQAwAACMA0GCSqGSIb3DQEB
CwUAA4IBAQAIdkoBMQydWkkaE91zFTX6xIzzDhllfDR5bgw8C2XrAkTiWlMce+/A
794a7j3+fIAyDrQ1fjgPLof6I7xMaiqyNtb+5GqXNk+sHwjg6AnInZV2Xgz2X6lJ
dtNck25zGwfj/RZ8BxO+UUzP0JUOCTAaCed2KOVF9qWfmXeZ2HPvZVD+01G0PNKd
DGKzBmtWKzXsWVk00fvm+xaDs/sBTf28O907AUM+2ipuFYfWYc2mPaT3C4uK0udl
3/FhUzH6loqs/c1jIsL3mWd8iR2eAwBa+rsp9sc3wbnPCjFOuFZKN85nnXzrbJ6d
FjqNix9Z2it7TCmU89JltreRt5Q1xX+m
-----END CERTIFICATE-----
]]></sourcecode>
]]></artwork></figure>
<t>
The end-entity certificate is displayed below in detail. For
brevity, the other two certificates are not.
</t>
<sourcecode type=""><![CDATA[
0 1118: SEQUENCE {
4 838: SEQUENCE {
brevity, the other two certificates are not.</t>
<figure><artwork><![CDATA[
0 1124: SEQUENCE {
4 844: SEQUENCE {
8 3: [0] {
10 1: INTEGER 2
: }
13 20: INTEGER 27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9 6E E1 66 E5
13 20: INTEGER
: 27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2
: B9 6E E1 66 EC
35 13: SEQUENCE {
37 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
@ -1034,25 +1058,28 @@
52 49: SET {
54 47: SEQUENCE {
56 3: OBJECT IDENTIFIER commonName (2 5 4 3)
61 40: PrintableString '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
61 40: PrintableString
: '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
: }
: }
: }
103 30: SEQUENCE {
105 13: UTCTime 12/09/2023 21:24:32 GMT
120 13: UTCTime 08/07/2024 21:24:32 GMT
105 13: UTCTime 16/09/2023 21:03:28 GMT
120 13: UTCTime 12/07/2024 21:03:28 GMT
: }
135 51: SEQUENCE {
137 49: SET {
139 47: SEQUENCE {
141 3: OBJECT IDENTIFIER commonName (2 5 4 3)
146 40: PrintableString '914652A3BD51C144260198889F5C45ABF053A187'
146 40: PrintableString
: '914652A3BD51C144260198889F5C45ABF053A187'
: }
: }
: }
188 290: SEQUENCE {
192 13: SEQUENCE {
194 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
194 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1)
205 0: NULL
: }
207 271: BIT STRING, encapsulates {
@ -1079,10 +1106,11 @@
: }
: }
: }
482 360: [3] {
486 356: SEQUENCE {
482 366: [3] {
486 362: SEQUENCE {
490 29: SEQUENCE {
492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
492 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14)
497 22: OCTET STRING, encapsulates {
499 20: OCTET STRING
: 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
@ -1090,7 +1118,8 @@
: }
: }
521 31: SEQUENCE {
523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
523 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35)
528 24: OCTET STRING, encapsulates {
530 22: SEQUENCE {
532 20: [0]
@ -1127,15 +1156,16 @@
: }
: }
610 97: SEQUENCE {
612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
612 3: OBJECT IDENTIFIER
: cRLDistributionPoints (2 5 29 31)
617 90: OCTET STRING, encapsulates {
619 88: SEQUENCE {
621 86: SEQUENCE {
623 84: [0] {
625 82: [0] {
627 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4FB2'
: '1B7D11E3E184EFC1E297B3778642.crl'
: 'rsync://rpki.example.net/repository/3ACE'
: '2CEF4FB21B7D11E3E184EFC1E297B3778642.crl'
: }
: }
: }
@ -1143,26 +1173,31 @@
: }
: }
709 108: SEQUENCE {
711 8: OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
711 8: OBJECT IDENTIFIER
: authorityInfoAccess (1 3 6 1 5 5 7 1 1)
721 96: OCTET STRING, encapsulates {
723 94: SEQUENCE {
725 92: SEQUENCE {
727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
727 8: OBJECT IDENTIFIER
: caIssuers (1 3 6 1 5 5 7 48 2)
737 80: [6]
: 'rsync://rpki.example.net/repository/3ACE2CEF4FB2'
: '1B7D11E3E184EFC1E297B3778642.cer'
: 'rsync://rpki.example.net/repository/3ACE'
: '2CEF4FB21B7D11E3E184EFC1E297B3778642.cer'
: }
: }
: }
: }
819 25: SEQUENCE {
821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
819 31: SEQUENCE {
821 8: OBJECT IDENTIFIER
: ipAddrBlocks (1 3 6 1 5 5 7 1 7)
831 1: BOOLEAN TRUE
834 10: OCTET STRING, encapsulates {
836 8: SEQUENCE {
838 6: SEQUENCE {
834 16: OCTET STRING, encapsulates {
836 14: SEQUENCE {
838 12: SEQUENCE {
840 2: OCTET STRING 00 01
844 0: NULL
844 6: SEQUENCE {
846 4: BIT STRING
: '010000000000000000000011'B
: }
: }
: }
@ -1170,34 +1205,38 @@
: }
: }
: }
846 13: SEQUENCE {
848 9: OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
859 0: NULL
: }
861 257: BIT STRING
: D0 85 BA 0B AB 08 E9 44 7A 69 0A CC EE 83 3A A0
: 68 7D BD 98 4C C2 0E F9 1B B5 66 DF A3 DE EE D8
: 47 5F FE 04 6D 7D 4A 09 D2 1C 61 7A B7 C7 7D A0
: 5D 91 2F F2 09 04 A0 65 79 C0 D5 4C 27 B2 79 1A
: BE 84 65 3A D9 4A 2C C8 9C 67 F0 25 E8 EF 1E 7F
: D0 CF A6 6D 35 CB 3D 3D 66 EF 78 50 58 9E 4C 24
: 49 42 8A C9 DD DE 1A 51 10 BF EC EC 7F 31 7A 10
: 45 D7 DF C1 3D AC C1 22 A4 5A CB 7F AF B1 4B E8
: 93 79 65 D2 33 9D 68 E7 38 4A D0 5D 76 CC 0F 1A
: 77 EB 5F F7 4D 75 23 5F 97 EF 36 42 9F FE D8 AF
: 68 E0 A7 82 80 69 1B 51 4B 48 DE B6 80 08 95 59
: 08 6E 9D 73 BB 9C FF B5 BA 0C 3E 68 2B CF E6 5E
: C5 5C 4B D5 99 3B 1C AE 6C B9 48 44 D0 88 32 88
: 0F 00 7E 06 5C 1F 15 D1 EE 7E 62 92 A6 C6 9A B1
: 11 9B 21 EE 9E D5 2C E6 A4 1B 32 9A 3F 99 A6 92
: D5 6C 24 BB B8 2B 3F F3 22 9F 8D 97 64 54 8E CA
852 13: SEQUENCE {
854 9: OBJECT IDENTIFIER
: sha256WithRSAEncryption (1 2 840 113549 1 1 11)
865 0: NULL
: }
]]></sourcecode>
867 257: BIT STRING
: 08 76 4A 01 31 0C 9D 5A 49 1A 13 DD 73 15 35 FA
: C4 8C F3 0E 19 65 7C 34 79 6E 0C 3C 0B 65 EB 02
: 44 E2 5A 53 1C 7B EF C0 EF DE 1A EE 3D FE 7C 80
: 32 0E B4 35 7E 38 0F 2E 87 FA 23 BC 4C 6A 2A B2
: 36 D6 FE E4 6A 97 36 4F AC 1F 08 E0 E8 09 C8 9D
: 95 76 5E 0C F6 5F A9 49 76 D3 5C 93 6E 73 1B 07
: E3 FD 16 7C 07 13 BE 51 4C CF D0 95 0E 09 30 1A
: 09 E7 76 28 E5 45 F6 A5 9F 99 77 99 D8 73 EF 65
: 50 FE D3 51 B4 3C D2 9D 0C 62 B3 06 6B 56 2B 35
: EC 59 59 34 D1 FB E6 FB 16 83 B3 FB 01 4D FD BC
: 3B DD 3B 01 43 3E DA 2A 6E 15 87 D6 61 CD A6 3D
: A4 F7 0B 8B 8A D2 E7 65 DF F1 61 53 31 FA 96 8A
: AC FD CD 63 22 C2 F7 99 67 7C 89 1D 9E 03 00 5A
: FA BB 29 F6 C7 37 C1 B9 CF 0A 31 4E B8 56 4A 37
: CE 67 9D 7C EB 6C 9E 9D 16 3A 8D 8B 1F 59 DA 2B
: 7B 4C 29 94 F3 D2 65 B6 B7 91 B7 94 35 C5 7F A6
: }
]]></artwork></figure>
<t>
To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private
keys are not.</t>
<sourcecode type=""><![CDATA[
To allow reproduction of the signature results, the end-entity
private key is provided. For brevity, the other two private
keys are not.</t>
<figure><artwork><![CDATA[
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
/5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
@ -1225,81 +1264,53 @@ keys are not.</t>
E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
-----END RSA PRIVATE KEY-----
]]></sourcecode>
]]></artwork></figure>
<t>
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF) yields the
following detached CMS signature.</t>
<sourcecode type=""><![CDATA[
# RPKI Signature: 192.0.2.0 - 192.0.2.255
# MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
# QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
# TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx
# NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF),
yields the following detached CMS signature.</t>
<figure><artwork><![CDATA[
# RPKI Signature: 192.0.2.0/24
# MIIGTgYJKoZIhvcNAQcCoIIGPzCCBjsCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
# IhvcNAQkQAS+gggRoMIIEZDCCA0ygAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
# wwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
# TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMzA5MTYyMTAzMjhaFw0yNDA3MTIy
# MTAzMjhaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
# 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
# QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
# tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
# r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
# FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
# zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
# ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71R
# ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggFuMIIBajAdBgNVHQ4EFgQUkUZSo71R
# wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
# wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
# grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
# S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
# N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
# jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
# QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMBkGCCsGAQUFBwEHAQH/BAowC
# DAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1BggrBgEFBQcwDYYpaHR0cHM6Ly9y
# cmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQA
# DggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN07fsK/qGw/e90DJv7cp1hvjj4u
# y3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2BrzZsWAnB846Snwsktw6cenaif6A
# ww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP5rGJPWBcOMv52a/7adjfXwpn
# OijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xDnlpp+/r9xuNVYRtRcC36oWr
# aVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc/tiJLM7ZYxIe5IrYz1ZtN6
# n/SEssJAswRIgps2EhCt/HS2xAmGCOhgUxggGqMIIBpgIBA4AUkUZSo71RwUQmA
# ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3
# DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE
# JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w
# 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA
# Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M
# o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM
# 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7
# YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi
# S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na
# End Signature: 192.0.2.0 - 192.0.2.255
]]></sourcecode>
</section>
# QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMB8GCCsGAQUFBwEHAQH/BBAwD
# jAMBAIAATAGAwQAwAACMA0GCSqGSIb3DQEBCwUAA4IBAQAIdkoBMQydWkkaE91z
# FTX6xIzzDhllfDR5bgw8C2XrAkTiWlMce+/A794a7j3+fIAyDrQ1fjgPLof6I7x
# MaiqyNtb+5GqXNk+sHwjg6AnInZV2Xgz2X6lJdtNck25zGwfj/RZ8BxO+UUzP0J
# UOCTAaCed2KOVF9qWfmXeZ2HPvZVD+01G0PNKdDGKzBmtWKzXsWVk00fvm+xaDs
# /sBTf28O907AUM+2ipuFYfWYc2mPaT3C4uK0udl3/FhUzH6loqs/c1jIsL3mWd8
# iR2eAwBa+rsp9sc3wbnPCjFOuFZKN85nnXzrbJ6dFjqNix9Z2it7TCmU89Jltre
# Rt5Q1xX+mMYIBqjCCAaYCAQOAFJFGUqO9UcFEJgGYiJ9cRavwU6GHMAsGCWCGSA
# FlAwQCAaBrMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABLzAcBgkqhkiG9w0BC
# QUxDxcNMjMwOTE2MjEwMzI4WjAvBgkqhkiG9w0BCQQxIgQgK+LynlLxySDbBNGE
# MFDMaKOPKqzlPoj7hW0EfKl9wRYwDQYJKoZIhvcNAQEBBQAEggEAm1SGhxyTWRb
# jf+ewdePchggMKR8zY7FRy+Z5ietrNaWkF2ZgqluVmm3mRDpQDeqTYrcTcBdR3o
# szs89XxWNf81Afs1mBcUdgPHxcghJNoVsDFmcPd+LEFikOtGjaFCwS2meF3RYaM
# 51jKer8SObP9nqV1JdPYzaArIpzhjHUA1wktTblEmg9lEOJPqALMI9uL7ngcKaE
# w4omrcNSBXt9vqge/I5wG7q9tMw2RRcYXTj1XG6nSm7bo9L4JQfBrsubaANmGO9
# NEAZeHyTQq7TzO9w7KBsB3Cg8qRhCzAY8bznt+r1DVPpQj4EHUBizYUMQRCxD5o
# IUjEELzssfleF8pQ==
# End Signature: 192.0.2.0/24
]]></artwork></figure>
<section anchor="ack" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>
Thanks to <contact fullname="Rob Austein"/> for CMS and detached
signature clue, <contact fullname="George Michaelson"/> for the
first and substantial external review, and <contact
fullname="Erik Kline"/> who was too shy to agree to
coauthorship. Additionally, we express our gratitude to early
implementors, including <contact fullname="Menno Schepers"/>;
<contact fullname="Flavio Luciani"/>; <contact fullname="Eric
Dugas"/>; <contact fullname="Job Snijders"/>, who also found an
ASN.1 'inherit' issue; and <contact fullname="Kevin Pack"/>.
Also, thanks to the following geolocation providers who are
consuming geofeeds with this described solution: <contact
fullname="Jonathan Kosgei"/> (ipdata.co), <contact fullname="Ben
Dowling"/> (ipinfo.io), and <contact fullname="Pol Nisenblat"/>
(bigdatacloud.com). For an amazing number of helpful reviews,
we thank <contact fullname="Adrian Farrel"/>, <contact
fullname="Antonio Prado"/>, <contact fullname="Francesca
Palombini"/>, <contact fullname="Jean-Michel Combes"/> (INTDIR),
<contact fullname="Joe Clarke"/>, <contact fullname="John
Scudder"/>, <contact fullname="Kyle Rose"/> (SECDIR), <contact
fullname="Martin Duke"/>, <contact fullname="Murray
Kucherawy"/>, <contact fullname="Mohamed Boucadair"/>, <contact
fullname="Paul Kyzivat"/> (GENART), <contact fullname="Rob
Wilton"/>, <contact fullname="Roman Danyliw"/>, and <contact
fullname="Ties de Kock"/>.
</t>
</section>
</back>
</rfc>
</rfc>