summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9092.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9092.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9092.txt')
-rw-r--r--doc/rfc/rfc9092.txt1045
1 files changed, 1045 insertions, 0 deletions
diff --git a/doc/rfc/rfc9092.txt b/doc/rfc/rfc9092.txt
new file mode 100644
index 0000000..fcf255b
--- /dev/null
+++ b/doc/rfc/rfc9092.txt
@@ -0,0 +1,1045 @@
+
+
+
+
+Internet Engineering Task Force (IETF) R. Bush
+Request for Comments: 9092 IIJ & Arrcus
+Category: Standards Track M. Candela
+ISSN: 2070-1721 NTT
+ W. Kumari
+ Google
+ R. Housley
+ Vigil Security
+ July 2021
+
+
+ Finding and Using Geofeed Data
+
+Abstract
+
+ This document specifies how to augment the Routing Policy
+ Specification Language inetnum: class to refer specifically to
+ geofeed data comma-separated values (CSV) files and describes an
+ optional scheme that uses the Routing Public Key Infrastructure to
+ authenticate the geofeed data CSV files.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 7841.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ https://www.rfc-editor.org/info/rfc9092.
+
+Copyright Notice
+
+ Copyright (c) 2021 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (https://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction
+ 1.1. Requirements Language
+ 2. Geofeed Files
+ 3. inetnum: Class
+ 4. Authenticating Geofeed Data
+ 5. Operational Considerations
+ 6. Privacy Considerations
+ 7. Security Considerations
+ 8. IANA Considerations
+ 9. References
+ 9.1. Normative References
+ 9.2. Informative References
+ Appendix A. Example
+ Acknowledgments
+ Authors' Addresses
+
+1. Introduction
+
+ Providers of Internet content and other services may wish to
+ customize those services based on the geographic location of the user
+ of the service. This is often done using the source IP address used
+ to contact the service. Also, infrastructure and other services
+ might wish to publish the locale of their services. [RFC8805]
+ defines geofeed, a syntax to associate geographic locales with IP
+ addresses, but it does not specify how to find the relevant geofeed
+ data given an IP address.
+
+ This document specifies how to augment the Routing Policy
+ Specification Language (RPSL) [RFC2725] inetnum: class to refer
+ specifically to geofeed data CSV files and how to prudently use them.
+ In all places inetnum: is used, inet6num: should also be assumed
+ [RFC4012].
+
+ The reader may find [INETNUM] and [INET6NUM] informative, and
+ certainly more verbose, descriptions of the inetnum: database
+ classes.
+
+ An optional utterly awesome but slightly complex means for
+ authenticating geofeed data is also defined.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
+ "OPTIONAL" in this document are to be interpreted as described in
+ BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
+ capitals, as shown here.
+
+2. Geofeed Files
+
+ Geofeed files are described in [RFC8805]. They provide a facility
+ for an IP address resource "owner" to associate those IP addresses to
+ geographic locales.
+
+ Content providers and other parties who wish to locate an IP address
+ to a geographic locale need to find the relevant geofeed data. In
+ Section 3, this document specifies how to find the relevant geofeed
+ [RFC8805] file given an IP address.
+
+ Geofeed data for large providers with significant horizontal scale
+ and high granularity can be quite large. The size of a file can be
+ even larger if an unsigned geofeed file combines data for many
+ prefixes, if dual IPv4/IPv6 spaces are represented, etc.
+
+ Geofeed data do have privacy considerations (see Section 6); this
+ process makes bulk access to those data easier.
+
+ This document also suggests an optional signature to strongly
+ authenticate the data in the geofeed files.
+
+3. inetnum: Class
+
+ The original RPSL specifications starting with [RIPE81], [RIPE181],
+ and a trail of subsequent documents were written by the RIPE
+ community. The IETF standardized RPSL in [RFC2622] and [RFC4012].
+ Since then, it has been modified and extensively enhanced in the
+ Regional Internet Registry (RIR) community, mostly by RIPE [RIPE-DB].
+ Currently, change control effectively lies in the operator community.
+
+ The RPSL, and [RFC2725] and [RFC4012] used by the Regional Internet
+ Registries (RIRs), specify the inetnum: database class. Each of
+ these objects describes an IP address range and its attributes. The
+ inetnum: objects form a hierarchy ordered on the address space.
+
+ Ideally, RPSL would be augmented to define a new RPSL geofeed:
+ attribute in the inetnum: class. Until such time, this document
+ defines the syntax of a Geofeed remarks: attribute, which contains an
+ HTTPS URL of a geofeed file. The format of the inetnum: geofeed
+ remarks: attribute MUST be as in this example, "remarks: Geofeed ",
+ where the token "Geofeed " MUST be case sensitive, followed by a URL
+ that will vary, but it MUST refer only to a single geofeed [RFC8805]
+ file.
+
+ inetnum: 192.0.2.0/24 # example
+ remarks: Geofeed https://example.com/geofeed.csv
+
+ While we leave global agreement of RPSL modification to the relevant
+ parties, we specify that a proper geofeed: attribute in the inetnum:
+ class MUST be "geofeed:" and MUST be followed by a single URL that
+ will vary, but it MUST refer only to a single geofeed [RFC8805] file.
+
+ inetnum: 192.0.2.0/24 # example
+ geofeed: https://example.com/geofeed.csv
+
+ Registries MAY, for the interim, provide a mix of the remarks:
+ attribute form and the geofeed: attribute form.
+
+ The URL uses HTTPS, so the WebPKI provides authentication, integrity,
+ and confidentiality for the fetched geofeed file. However, the
+ WebPKI can not provide authentication of IP address space assignment.
+ In contrast, the RPKI (see [RFC6481]) can be used to authenticate IP
+ space assignment; see optional authentication in Section 4.
+
+ Until all producers of inetnum: objects, i.e., the RIRs, state that
+ they have migrated to supporting a geofeed: attribute, consumers
+ looking at inetnum: objects to find geofeed URLs MUST be able to
+ consume both the remarks: and geofeed: forms. The migration not only
+ implies that the RIRs support the geofeed: attribute, but that all
+ registrants have migrated any inetnum: objects from remarks: to
+ geofeed: attributes.
+
+ Any particular inetnum: object MUST have, at most, one geofeed
+ reference, whether a remarks: or a proper geofeed: attribute when it
+ is implemented. If there is more than one, all are ignored.
+
+ If a geofeed CSV file describes multiple disjoint ranges of IP
+ address space, there are likely to be geofeed references from
+ multiple inetnum: objects. Files with geofeed references from
+ multiple inetnum: objects are not compatible with the signing
+ procedure in Section 4.
+
+ When geofeed references are provided by multiple inetnum: objects
+ that have identical address ranges, then the geofeed reference on the
+ inetnum: with the most recent last-modified: attribute SHOULD be
+ preferred.
+
+ As inetnum: objects form a hierarchy, geofeed references SHOULD be at
+ the lowest applicable inetnum: object covering the relevant address
+ ranges in the referenced geofeed file. When fetching, the most
+ specific inetnum: object with a geofeed reference MUST be used.
+
+ It is significant that geofeed data may have finer granularity than
+ the inetnum: that refers to them. For example, an INETNUM object for
+ an address range P could refer to a geofeed file in which P has been
+ subdivided into one or more longer prefixes.
+
+ Currently, the registry data published by ARIN are not the same RPSL
+ as that of the other registries (see [RFC7485] for a survey of the
+ WHOIS Tower of Babel); therefore, when fetching from ARIN via FTP
+ [RFC0959], WHOIS [RFC3912], the Registration Data Access Protocol
+ (RDAP) [RFC9082], etc., the "NetRange" attribute/key MUST be treated
+ as "inetnum", and the "Comment" attribute MUST be treated as
+ "remarks".
+
+4. Authenticating Geofeed Data
+
+ The question arises whether a particular geofeed [RFC8805] data set
+ is valid, i.e., is authorized by the "owner" of the IP address space
+ and is authoritative in some sense. The inetnum: that points to the
+ geofeed [RFC8805] file provides some assurance. Unfortunately, the
+ RPSL in many repositories is weakly authenticated at best. An
+ approach where RPSL was signed per [RFC7909] would be good, except it
+ would have to be deployed by all RPSL registries, and there is a fair
+ number of them.
+
+ A single optional authenticator MAY be appended to a geofeed
+ [RFC8805] file. It is a digest of the main body of the file signed
+ by the private key of the relevant RPKI certificate for a covering
+ address range. One needs a format that bundles the relevant RPKI
+ certificate with the signature of the geofeed text.
+
+ The canonicalization procedure converts the data from their internal
+ character representation to the UTF-8 [RFC3629] character encoding,
+ and the <CRLF> sequence MUST be used to denote the end of a line of
+ text. A blank line is represented solely by the <CRLF> sequence.
+ For robustness, any non-printable characters MUST NOT be changed by
+ canonicalization. Trailing blank lines MUST NOT appear at the end of
+ the file. That is, the file must not end with multiple consecutive
+ <CRLF> sequences. Any end-of-file marker used by an operating system
+ is not considered to be part of the file content. When present, such
+ end-of-file markers MUST NOT be processed by the digital signature
+ algorithm.
+
+ Should the authenticator be syntactically incorrect per the above,
+ the authenticator is invalid.
+
+ Borrowing detached signatures from [RFC5485], after file
+ canonicalization, the Cryptographic Message Syntax (CMS) [RFC5652]
+ would be used to create a detached DER-encoded signature that is then
+ padded BASE64 encoded (as per Section 4 of [RFC4648]) and line
+ wrapped to 72 or fewer characters. The same digest algorithm MUST be
+ used for calculating the message digest on content being signed,
+ which is the geofeed file, and for calculating the message digest on
+ the SignerInfo SignedAttributes [RFC8933]. The message digest
+ algorithm identifier MUST appear in both the SignedData
+ DigestAlgorithmIdentifiers and the SignerInfo
+ DigestAlgorithmIdentifier [RFC5652].
+
+ The address range of the signing certificate MUST cover all prefixes
+ in the geofeed file it signs.
+
+ An address range A "covers" address range B if the range of B is
+ identical to or a subset of A. "Address range" is used here because
+ inetnum: objects and RPKI certificates need not align on Classless
+ Inter-Domain Routing (CIDR) [RFC4632] prefix boundaries, while those
+ of the CSV lines in a geofeed file do.
+
+ As the signer specifies the covered RPKI resources relevant to the
+ signature, the RPKI certificate covering the inetnum: object's
+ address range is included in the [RFC5652] CMS SignedData
+ certificates field.
+
+ Identifying the private key associated with the certificate and
+ getting the department that controls the private key (which might be
+ trapped in a Hardware Security Module (HSM)) to sign the CMS blob is
+ left as an exercise for the implementor. On the other hand,
+ verifying the signature requires no complexity; the certificate,
+ which can be validated in the public RPKI, has the needed public key.
+ The trust anchors for the RIRs are expected to already be available
+ to the party performing signature validation. Validation of the CMS
+ signature on the geofeed file involves:
+
+ 1. Obtaining the signer's certificate from the CMS SignedData
+ CertificateSet [RFC5652]. The certificate SubjectKeyIdentifier
+ extension [RFC5280] MUST match the SubjectKeyIdentifier in the
+ CMS SignerInfo SignerIdentifier [RFC5652]. If the key
+ identifiers do not match, then validation MUST fail.
+
+ Validation of the signer's certificate MUST ensure that it is
+ part of the current [RFC6486] manifest and that the resources are
+ covered by the RPKI certificate.
+
+ 2. Constructing the certification path for the signer's certificate.
+ All of the needed certificates are expected to be readily
+ available in the RPKI repository. The certification path MUST be
+ valid according to the validation algorithm in [RFC5280] and the
+ additional checks specified in [RFC3779] associated with the IP
+ Address Delegation certificate extension and the Autonomous
+ System Identifier Delegation certificate extension. If
+ certification path validation is unsuccessful, then validation
+ MUST fail.
+
+ 3. Validating the CMS SignedData as specified in [RFC5652] using the
+ public key from the validated signer's certificate. If the
+ signature validation is unsuccessful, then validation MUST fail.
+
+ 4. Verifying that the IP Address Delegation certificate extension
+ [RFC3779] covers all of the address ranges of the geofeed file.
+ If all of the address ranges are not covered, then validation
+ MUST fail.
+
+ All of these steps MUST be successful to consider the geofeed file
+ signature as valid.
+
+ As the signer specifies the covered RPKI resources relevant to the
+ signature, the RPKI certificate covering the inetnum: object's
+ address range is included in the CMS SignedData certificates field
+ [RFC5652].
+
+ Identifying the private key associated with the certificate and
+ getting the department with the Hardware Security Module (HSM) to
+ sign the CMS blob is left as an exercise for the implementor. On the
+ other hand, verifying the signature requires no complexity; the
+ certificate, which can be validated in the public RPKI, has the
+ needed public key.
+
+ The appendix MUST be hidden as a series of "#" comments at the end of
+ the geofeed file. The following is a cryptographically incorrect,
+ albeit simple, example. A correct and full example is in Appendix A.
+
+ # RPKI Signature: 192.0.2.0 - 192.0.2.255
+ # MIIGlwYJKoZIhvcNAQcCoIIGiDCCBoQCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
+ # IhvcNAQkQAS+gggSxMIIErTCCA5WgAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
+ ...
+ # imwYkXpiMxw44EZqDjl36MiWsRDLdgoijBBcGbibwyAfGeR46k5raZCGvxG+4xa
+ # O8PDTxTfIYwAnBjRBKAqAZ7yX5xHfm58jUXsZJ7Ileq1S7G6Kk=
+ # End Signature: 192.0.2.0 - 192.0.2.255
+
+ The signature does not cover the signature lines.
+
+ The bracketing "# RPKI Signature:" and "# End Signature:" MUST be
+ present following the model as shown. Their IP address range MUST
+ match that of the inetnum: URL followed to the file.
+
+ [RPKI-RSC] describes and provides code for a CMS profile for a
+ general purpose listing of checksums (a "checklist") for use with the
+ Resource Public Key Infrastructure (RPKI). It provides usable,
+ albeit complex, code to sign geofeed files.
+
+ [RPKI-RTA] describes a CMS profile for a general purpose Resource
+ Tagged Attestation (RTA) based on the RPKI. While this is expected
+ to become applicable in the long run, for the purposes of this
+ document, a self-signed root trust anchor is used.
+
+5. Operational Considerations
+
+ To create the needed inetnum: objects, an operator wishing to
+ register the location of their geofeed file needs to coordinate with
+ their Regional Internet Registry (RIR) or National Internet Registry
+ (NIR) and/or any provider Local Internet Registry (LIR) that has
+ assigned address ranges to them. RIRs/NIRs provide means for
+ assignees to create and maintain inetnum: objects. They also provide
+ means of assigning or sub-assigning IP address resources and allowing
+ the assignee to create WHOIS data, including inetnum: objects,
+ thereby referring to geofeed files.
+
+ The geofeed files MUST be published via and fetched using HTTPS
+ [RFC2818].
+
+ When using data from a geofeed file, one MUST ignore data outside the
+ referring inetnum: object's inetnum: attribute address range.
+
+ If and only if the geofeed file is not signed per Section 4, then
+ multiple inetnum: objects MAY refer to the same geofeed file, and the
+ consumer MUST use only lines in the geofeed file where the prefix is
+ covered by the address range of the inetnum: object's URL it has
+ followed.
+
+ If the geofeed file is signed, and the signer's certificate changes,
+ the signature in the geofeed file MUST be updated.
+
+ It is good key hygiene to use a given key for only one purpose. To
+ dedicate a signing private key for signing a geofeed file, an RPKI
+ Certification Authority (CA) may issue a subordinate certificate
+ exclusively for the purpose shown in Appendix A.
+
+ To minimize the load on RIR WHOIS [RFC3912] services, use of the
+ RIR's FTP [RFC0959] services SHOULD be used for large-scale access to
+ gather geofeed URLs. This also provides bulk access instead of
+ fetching by brute-force search through the IP space.
+
+ Currently, geolocation providers have bulk WHOIS data access at all
+ the RIRs. An anonymized version of such data is openly available for
+ all RIRs except ARIN, which requires an authorization. However, for
+ users without such authorization, the same result can be achieved
+ with extra RDAP effort. There is open-source code to pass over such
+ data across all RIRs, collect all geofeed references, and process
+ them [GEOFEED-FINDER].
+
+ To prevent undue load on RPSL and geofeed servers, entity-fetching
+ geofeed data using these mechanisms MUST NOT do frequent real-time
+ lookups. Section 3.4 of [RFC8805] suggests use of the HTTP Expires
+ header [RFC7234] to signal when geofeed data should be refetched. As
+ the data change very infrequently, in the absence of such an HTTP
+ Header signal, collectors SHOULD NOT fetch more frequently than
+ weekly. It would be polite not to fetch at magic times such as
+ midnight UTC, the first of the month, etc., because too many others
+ are likely to do the same.
+
+6. Privacy Considerations
+
+ [RFC8805] geofeed data may reveal the approximate location of an IP
+ address, which might in turn reveal the approximate location of an
+ individual user. Unfortunately, [RFC8805] provides no privacy
+ guidance on avoiding or ameliorating possible damage due to this
+ exposure of the user. In publishing pointers to geofeed files as
+ described in this document, the operator should be aware of this
+ exposure in geofeed data and be cautious. All the privacy
+ considerations of Section 4 of [RFC8805] apply to this document.
+
+ Where [RFC8805] provided the ability to publish location data, this
+ document makes bulk access to those data readily available. This is
+ a goal, not an accident.
+
+7. Security Considerations
+
+ It is generally prudent for a consumer of geofeed data to also use
+ other sources to cross validate the data. All the security
+ considerations of [RFC8805] apply here as well.
+
+ As mentioned in Section 4, many RPSL repositories have weak, if any,
+ authentication. This allows spoofing of inetnum: objects pointing to
+ malicious geofeed files. Section 4 suggests an unfortunately complex
+ method for stronger authentication based on the RPKI.
+
+ For example, if an inetnum: for a wide address range (e.g., a /16)
+ points to an RPKI-signed geofeed file, a customer or attacker could
+ publish an unsigned equal or narrower (e.g., a /24) inetnum: in a
+ WHOIS registry that has weak authorization, abusing the rule that the
+ most-specific inetnum: object with a geofeed reference MUST be used.
+
+ If signatures were mandatory, the above attack would be stymied, but
+ of course that is not happening anytime soon.
+
+ The RPSL providers have had to throttle fetching from their servers
+ due to too-frequent queries. Usually, they throttle by the querying
+ IP address or block. Similar defenses will likely need to be
+ deployed by geofeed file servers.
+
+8. IANA Considerations
+
+ IANA has registered object identifiers for one content type in the
+ "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)"
+ registry as follows:
+
+ +=========+==========================+============+
+ | Decimal | Description | References |
+ +=========+==========================+============+
+ | 47 | id-ct-geofeedCSVwithCRLF | RFC 9092 |
+ +---------+--------------------------+------------+
+
+ Table 1
+
+9. References
+
+9.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <https://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC2622] Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
+ Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
+ "Routing Policy Specification Language (RPSL)", RFC 2622,
+ DOI 10.17487/RFC2622, June 1999,
+ <https://www.rfc-editor.org/info/rfc2622>.
+
+ [RFC2725] Villamizar, C., Alaettinoglu, C., Meyer, D., and S.
+ Murphy, "Routing Policy System Security", RFC 2725,
+ DOI 10.17487/RFC2725, December 1999,
+ <https://www.rfc-editor.org/info/rfc2725>.
+
+ [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
+ DOI 10.17487/RFC2818, May 2000,
+ <https://www.rfc-editor.org/info/rfc2818>.
+
+ [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
+ 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
+ 2003, <https://www.rfc-editor.org/info/rfc3629>.
+
+ [RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP
+ Addresses and AS Identifiers", RFC 3779,
+ DOI 10.17487/RFC3779, June 2004,
+ <https://www.rfc-editor.org/info/rfc3779>.
+
+ [RFC4012] Blunk, L., Damas, J., Parent, F., and A. Robachevsky,
+ "Routing Policy Specification Language next generation
+ (RPSLng)", RFC 4012, DOI 10.17487/RFC4012, March 2005,
+ <https://www.rfc-editor.org/info/rfc4012>.
+
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
+ <https://www.rfc-editor.org/info/rfc4648>.
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation List
+ (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
+ <https://www.rfc-editor.org/info/rfc5280>.
+
+ [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
+ RFC 5652, DOI 10.17487/RFC5652, September 2009,
+ <https://www.rfc-editor.org/info/rfc5652>.
+
+ [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for
+ Resource Certificate Repository Structure", RFC 6481,
+ DOI 10.17487/RFC6481, February 2012,
+ <https://www.rfc-editor.org/info/rfc6481>.
+
+ [RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski,
+ "Manifests for the Resource Public Key Infrastructure
+ (RPKI)", RFC 6486, DOI 10.17487/RFC6486, February 2012,
+ <https://www.rfc-editor.org/info/rfc6486>.
+
+ [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
+ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
+ May 2017, <https://www.rfc-editor.org/info/rfc8174>.
+
+ [RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
+ Kumari, "A Format for Self-Published IP Geolocation
+ Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
+ <https://www.rfc-editor.org/info/rfc8805>.
+
+ [RFC8933] Housley, R., "Update to the Cryptographic Message Syntax
+ (CMS) for Algorithm Identifier Protection", RFC 8933,
+ DOI 10.17487/RFC8933, October 2020,
+ <https://www.rfc-editor.org/info/rfc8933>.
+
+9.2. Informative References
+
+ [GEOFEED-FINDER]
+ "geofeed-finder", commit 5f557a4, June 2021,
+ <https://github.com/massimocandela/geofeed-finder>.
+
+ [INET6NUM] RIPE NCC, "Description of the INET6NUM Object", October
+ 2019, <https://www.ripe.net/manage-ips-and-
+ asns/db/support/documentation/ripe-database-documentation/
+ rpsl-object-types/4-2-descriptions-of-primary-
+ objects/4-2-3-description-of-the-inet6num-object>.
+
+ [INETNUM] RIPE NCC, "Description of the INETNUM Object", June 2020,
+ <https://www.ripe.net/manage-ips-and-
+ asns/db/support/documentation/ripe-database-documentation/
+ rpsl-object-types/4-2-descriptions-of-primary-
+ objects/4-2-4-description-of-the-inetnum-object>.
+
+ [RFC0959] Postel, J. and J. Reynolds, "File Transfer Protocol",
+ STD 9, RFC 959, DOI 10.17487/RFC0959, October 1985,
+ <https://www.rfc-editor.org/info/rfc959>.
+
+ [RFC3912] Daigle, L., "WHOIS Protocol Specification", RFC 3912,
+ DOI 10.17487/RFC3912, September 2004,
+ <https://www.rfc-editor.org/info/rfc3912>.
+
+ [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing
+ (CIDR): The Internet Address Assignment and Aggregation
+ Plan", BCP 122, RFC 4632, DOI 10.17487/RFC4632, August
+ 2006, <https://www.rfc-editor.org/info/rfc4632>.
+
+ [RFC5485] Housley, R., "Digital Signatures on Internet-Draft
+ Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
+ <https://www.rfc-editor.org/info/rfc5485>.
+
+ [RFC7234] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
+ Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
+ RFC 7234, DOI 10.17487/RFC7234, June 2014,
+ <https://www.rfc-editor.org/info/rfc7234>.
+
+ [RFC7485] Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
+ "Inventory and Analysis of WHOIS Registration Objects",
+ RFC 7485, DOI 10.17487/RFC7485, March 2015,
+ <https://www.rfc-editor.org/info/rfc7485>.
+
+ [RFC7909] Kisteleki, R. and B. Haberman, "Securing Routing Policy
+ Specification Language (RPSL) Objects with Resource Public
+ Key Infrastructure (RPKI) Signatures", RFC 7909,
+ DOI 10.17487/RFC7909, June 2016,
+ <https://www.rfc-editor.org/info/rfc7909>.
+
+ [RFC9082] Hollenbeck, S. and A. Newton, "Registration Data Access
+ Protocol (RDAP) Query Format", STD 95, RFC 9082,
+ DOI 10.17487/RFC9082, June 2021,
+ <https://www.rfc-editor.org/info/rfc9082>.
+
+ [RIPE-DB] RIPE NCC, "RIPE Database Documentation",
+ <https://www.ripe.net/manage-ips-and-
+ asns/db/support/documentation/ripe-database-
+ documentation>.
+
+ [RIPE181] RIPE NCC, "Representation Of IP Routing Policies In A
+ Routing Registry", October 1994,
+ <https://www.ripe.net/publications/docs/ripe-181>.
+
+ [RIPE81] RIPE NCC, "Representation Of IP Routing Policies In The
+ RIPE Database", February 1993,
+ <https://www.ripe.net/publications/docs/ripe-081>.
+
+ [RPKI-RSC] Snijders, J., Harrison, T., and B. Maddison, "Resource
+ Public Key Infrastructure (RPKI) object profile for Signed
+ Checklist (RSC)", Work in Progress, Internet-Draft, draft-
+ ietf-sidrops-rpki-rsc-04, 31 May 2021,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-
+ rpki-rsc-04>.
+
+ [RPKI-RTA] Michaelson, G. G., Huston, G., Harrison, T., Bruijnzeels,
+ T., and M. Hoffmann, "A profile for Resource Tagged
+ Attestations (RTAs)", Work in Progress, Internet-Draft,
+ draft-ietf-sidrops-rpki-rta-00, 21 January 2021,
+ <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-
+ rpki-rta-00>.
+
+Appendix A. Example
+
+ This appendix provides an example that includes a trust anchor, a CA
+ certificate subordinate to the trust anchor, an end-entity
+ certificate subordinate to the CA for signing the geofeed, and a
+ detached signature.
+
+ The trust anchor is represented by a self-signed certificate. As
+ usual in the RPKI, the trust anchor has authority over all IPv4
+ address blocks, all IPv6 address blocks, and all Autonomous System
+ (AS) numbers.
+
+ -----BEGIN CERTIFICATE-----
+ MIIEPjCCAyagAwIBAgIUPsUFJ4e/7pKZ6E14aBdkbYzms1gwDQYJKoZIhvcNAQEL
+ BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxODU0NTRaFw0zMDA5
+ MDExODU0NTRaMBUxEzARBgNVBAMTCmV4YW1wbGUtdGEwggEiMA0GCSqGSIb3DQEB
+ AQUAA4IBDwAwggEKAoIBAQCelMmMDCGBhqn/a3VrNAoKMr1HVLKxGoG7VF/13HZJ
+ 0twObUZlh3Jz+XeD+kNAURhELWTrsgdTkQQfqinqOuRemxTl55+x7nLpe5nmwaBH
+ XqqDOHubmkbAGanGcm6T/rD9KNk1Z46Uc2p7UYu0fwNO0mo0aqFL2FSyvzZwziNe
+ g7ELYZ4a3LvGn81JfP/JvM6pgtoMNuee5RV6TWaz7LV304ICj8Bhphy/HFpOA1rb
+ O9gs8CUMgqz+RroAIa8cV8gbF/fPCz9Ofl7Gdmib679JxxFrW4wRJ0nMJgJmsZXq
+ jaVc0g7ORc+eIAcHw7Uroc6h7Y7lGjOkDZF75j0mLQa3AgMBAAGjggGEMIIBgDAd
+ BgNVHQ4EFgQU3hNEuwvUGNCHY1TBatcUR03pNdYwHwYDVR0jBBgwFoAU3hNEuwvU
+ GNCHY1TBatcUR03pNdYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+ GAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjCBuQYIKwYBBQUHAQsEgawwgakwPgYI
+ KwYBBQUHMAqGMnJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4
+ YW1wbGUtdGEubWZ0MDUGCCsGAQUFBzANhilodHRwczovL3JyZHAuZXhhbXBsZS5u
+ ZXQvbm90aWZpY2F0aW9uLnhtbDAwBggrBgEFBQcwBYYkcnN5bmM6Ly9ycGtpLmV4
+ YW1wbGUubmV0L3JlcG9zaXRvcnkvMCcGCCsGAQUFBwEHAQH/BBgwFjAJBAIAATAD
+ AwEAMAkEAgACMAMDAQAwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgEAAgUA/////zAN
+ BgkqhkiG9w0BAQsFAAOCAQEAgZFQ0Sf3CI5Hwev61AUWHYOFniy69PuDTq+WnhDe
+ xX5rpjSDRrs5L756KSKJcaOJ36lzO45lfOPSY9fH6x30pnipaqRA7t5rApky24jH
+ cSUA9iRednzxhVyGjWKnfAKyNo2MYfaOAT0db1GjyLKbOADI9FowtHBUu+60ykcM
+ Quz66XrzxtmxlrRcAnbv/HtV17qOd4my6q5yjTPR1dmYN9oR/2ChlXtGE6uQVguA
+ rvNZ5CwiJ1TgGGTB7T8ORHwWU6dGTc0jk2rESAaikmLi1roZSNC21fckhapEit1a
+ x8CyiVxjcVc5e0AmS1rJfL6LIfwmtive/N/eBtIM92HkBA==
+ -----END CERTIFICATE-----
+
+ The CA certificate is issued by the trust anchor. This certificate
+ grants authority over one IPv4 address block (192.0.2.0/24) and two
+ AS numbers (64496 and 64497).
+
+ -----BEGIN CERTIFICATE-----
+ MIIFBzCCA++gAwIBAgIUcyCzS10hdfG65kbRq7toQAvRDKowDQYJKoZIhvcNAQEL
+ BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMDA5MDMxOTAyMTlaFw0yMTA5
+ MDMxOTAyMTlaMDMxMTAvBgNVBAMTKDNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVG
+ QzFFMjk3QjM3Nzg2NDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc
+ zz1qwTxC2ocw5rqp8ktm2XyYkl8riBVuqlXwfefTxsR2YFpgz9vkYUd5Az9EVEG7
+ 6wGIyZbtmhK63eEeaqbKz2GHub467498BXeVrYysO+YuIGgCEYKznNDZ4j5aaDbo
+ j5+4/z0Qvv6HEsxQd0f8br6lKJwgeRM6+fm7796HNPB0aqD7Zj9NRCLXjbB0DCgJ
+ liH6rXMKR86ofgll9V2mRjesvhdKYgkGbOif9rvxVpLJ/6zdru5CE9yeuJZ59l+n
+ YH/r6PzdJ4Q7yKrJX8qD6A60j4+biaU4MQ72KpsjhQNTTqF/HRwi0N54GDaknEwE
+ TnJQHgLJDYqww9yKWtjjAgMBAAGjggIvMIICKzAdBgNVHQ4EFgQUOs4s70+yG30R
+ 4+GE78Hil7N3hkIwHwYDVR0jBBgwFoAU3hNEuwvUGNCHY1TBatcUR03pNdYwDwYD
+ VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGAYDVR0gAQH/BA4wDDAKBggr
+ BgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5u
+ ZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0Iz
+ Nzc4NjQyLmNybDBOBggrBgEFBQcBAQRCMEAwPgYIKwYBBQUHMAKGMnJzeW5jOi8v
+ cnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5L2V4YW1wbGUtdGEuY2VyMIG5Bggr
+ BgEFBQcBCwSBrDCBqTA+BggrBgEFBQcwCoYycnN5bmM6Ly9ycGtpLmV4YW1wbGUu
+ bmV0L3JlcG9zaXRvcnkvZXhhbXBsZS1jYS5tZnQwNQYIKwYBBQUHMA2GKWh0dHBz
+ Oi8vcnJkcC5leGFtcGxlLm5ldC9ub3RpZmljYXRpb24ueG1sMDAGCCsGAQUFBzAF
+ hiRyc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8wHwYIKwYBBQUH
+ AQcBAf8EEDAOMAwEAgABMAYDBADAAAIwHgYIKwYBBQUHAQgEEjAQoA4wDDAKAgMA
+ +/ACAwD78TANBgkqhkiG9w0BAQsFAAOCAQEAnLu+d1ZsUTiX3YWGueTHIalW4ad0
+ Kupi7pYMV2nXbxNGmdJMol9BkzVz9tj55ReMghUU4YLm/ICYe4fz5e0T8o9s/vIm
+ cGS29+WoGuiznMitpvbS/379gaMezk6KpqjH6Brw6meMqy09phmcmvm3x3WTmx09
+ mLlQneMptwk8qSYcnMUmGLJs+cVqmkOa3sWRdw8WrGu6QqYtQz3HFZQojF06YzEq
+ V/dBdCFdEOwTfVl2n2XqhoJl/oEBdC4uu2G0qRk3+WVs+uwVHP0Ttsbt7TzFgZfY
+ yxqvOg6QoldxZVZmHHncKmETu/BqCDGJot9may31ukrx34Bu+XFMVihm0w==
+ -----END CERTIFICATE-----
+
+ The end-entity certificate is issued by the CA. This certificate
+ grants signature authority for one IPv4 address block (192.0.2.0/24).
+ Signature authority for AS numbers is not needed for geofeed data
+ signatures, so no AS numbers are included in the certificate.
+
+ -----BEGIN CERTIFICATE-----
+ MIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZuQwDQYJKoZIhvcNAQEL
+ BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
+ Mzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYxNjA1NDVaMDMxMTAvBgNV
+ BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
+ MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
+ yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
+ K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm
+ BXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXhaFLe08y4DPfr/S/tXJOBm7QzQp
+ tmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKGzqTFCcc3EW9l5UFE1MFLlnoEog
+ qtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQft5w6g6cmxG+aYDdIEB34zrAgMB
+ AAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71RwUQmAZiIn1xFq/BToYcwHwYDVR0j
+ BBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkIwDAYDVR0TAQH/BAIwADAOBgNVHQ8B
+ Af8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBggrBgEFBQcOAjBhBgNVHR8EWjBYMFag
+ VKBShlByc3luYzovL3Jwa2kuZXhhbXBsZS5uZXQvcmVwb3NpdG9yeS8zQUNFMkNF
+ RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNybDBsBggrBgEFBQcB
+ AQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBv
+ c2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIu
+ Y2VyMBkGCCsGAQUFBwEHAQH/BAowCDAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1
+ BggrBgEFBQcwDYYpaHR0cHM6Ly9ycmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlv
+ bi54bWwwDQYJKoZIhvcNAQELBQADggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN
+ 07fsK/qGw/e90DJv7cp1hvjj4uy3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2Brz
+ ZsWAnB846Snwsktw6cenaif6Aww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP
+ 5rGJPWBcOMv52a/7adjfXwpnOijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xD
+ nlpp+/r9xuNVYRtRcC36oWraVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc
+ /tiJLM7ZYxIe5IrYz1ZtN6n/SEssJAswRIgps2EhCt/HS2xAmGCOhgU=
+ -----END CERTIFICATE-----
+
+ The end-entity certificate is displayed below in detail. For
+ brevity, the other two certificates are not.
+
+ 0 1189: SEQUENCE {
+ 4 909: SEQUENCE {
+ 8 3: [0] {
+ 10 1: INTEGER 2
+ : }
+ 13 20: INTEGER 27AD394083D7F2B5B99B8670C775B2B96EE166E4
+ 35 13: SEQUENCE {
+ 37 9: OBJECT IDENTIFIER
+ : sha256WithRSAEncryption (1 2 840 113549 1 1 11)
+ 48 0: NULL
+ : }
+ 50 51: SEQUENCE {
+ 52 49: SET {
+ 54 47: SEQUENCE {
+ 56 3: OBJECT IDENTIFIER commonName (2 5 4 3)
+ 61 40: PrintableString
+ : '3ACE2CEF4FB21B7D11E3E184EFC1E297B3778642'
+ : }
+ : }
+ : }
+ 103 30: SEQUENCE {
+ 105 13: UTCTime 20/05/2021 16:05:45 GMT
+ 120 13: UTCTime 16/03/2022 16:05:45 GMT
+ : }
+ 135 51: SEQUENCE {
+ 137 49: SET {
+ 139 47: SEQUENCE {
+ 141 3: OBJECT IDENTIFIER commonName (2 5 4 3)
+ 146 40: PrintableString
+ : '914652A3BD51C144260198889F5C45ABF053A187'
+ : }
+ : }
+ : }
+ 188 290: SEQUENCE {
+ 192 13: SEQUENCE {
+ 194 9: OBJECT IDENTIFIER rsaEncryption
+ : (1 2 840 113549 1 1 1)
+ 205 0: NULL
+ : }
+ 207 271: BIT STRING, encapsulates {
+ 212 266: SEQUENCE {
+ 216 257: INTEGER
+ : 00 B2 71 34 2B 39 BF EA 07 65 B7 8B 72 A2 F0 F8
+ : 40 FC 31 16 CA 28 B6 4E 01 A8 F6 98 02 C0 EF 65
+ : B0 84 48 E9 96 FF 93 E6 92 89 65 8F F6 44 9C CE
+ : 57 10 82 D3 C2 57 0A FA DA 14 D0 64 22 28 C0 13
+ : 74 04 BD 1C 2B 4F F9 93 58 A6 25 D8 B9 A9 D3 37
+ : 9E F2 AC C0 CF 02 9E 84 75 D6 F0 7C A5 01 70 AE
+ : E6 66 AF 9C 69 85 74 6F 13 E9 B3 B8 95 4B 82 ED
+ : 95 D6 EA 66 05 7B 96 96 87 B2 9A E7 61 E9 65 89
+ : F8 60 E3 C0 F5 CE DD 18 97 05 E8 C1 AC E1 4D 5E
+ : 16 85 2D ED 3C CB 80 CF 7E BF D2 FE D5 C9 38 19
+ : BB 43 34 29 B6 66 CF 2D 8B 46 7E 9A D8 BB 8E 65
+ : 88 51 6A A8 FF 78 51 E2 E9 21 27 D7 77 7E 80 28
+ : 6C EA 4C 50 9C 73 71 16 F6 5E 54 14 4D 4C 14 B9
+ : 67 A0 4A 20 AA DA 0B A0 A0 01 B7 42 24 38 51 8A
+ : 78 2F C4 81 E6 81 75 62 DE E3 AF 5D 74 2F 6B 41
+ : FB 79 C3 A8 3A 72 6C 46 F9 A6 03 74 81 01 DF 8C
+ : EB
+ 477 3: INTEGER 65537
+ : }
+ : }
+ : }
+ 482 431: [3] {
+ 486 427: SEQUENCE {
+ 490 29: SEQUENCE {
+ 492 3: OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
+ 497 22: OCTET STRING, encapsulates {
+ 499 20: OCTET STRING
+ : 91 46 52 A3 BD 51 C1 44 26 01 98 88 9F 5C 45 AB
+ : F0 53 A1 87
+ : }
+ : }
+ 521 31: SEQUENCE {
+ 523 3: OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
+ 528 24: OCTET STRING, encapsulates {
+ 530 22: SEQUENCE {
+ 532 20: [0]
+ : 3A CE 2C EF 4F B2 1B 7D 11 E3 E1 84 EF C1 E2 97
+ : B3 77 86 42
+ : }
+ : }
+ : }
+ 554 12: SEQUENCE {
+ 556 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
+ 561 1: BOOLEAN TRUE
+ 564 2: OCTET STRING, encapsulates {
+ 566 0: SEQUENCE {}
+ : }
+ : }
+ 568 14: SEQUENCE {
+ 570 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
+ 575 1: BOOLEAN TRUE
+ 578 4: OCTET STRING, encapsulates {
+ 580 2: BIT STRING 7 unused bits
+ : '1'B (bit 0)
+ : }
+ : }
+ 584 24: SEQUENCE {
+ 586 3: OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
+ 591 1: BOOLEAN TRUE
+ 594 14: OCTET STRING, encapsulates {
+ 596 12: SEQUENCE {
+ 598 10: SEQUENCE {
+ 600 8: OBJECT IDENTIFIER
+ : resourceCertificatePolicy (1 3 6 1 5 5 7 14 2)
+ : }
+ : }
+ : }
+ : }
+ 610 97: SEQUENCE {
+ 612 3: OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
+ 617 90: OCTET STRING, encapsulates {
+ 619 88: SEQUENCE {
+ 621 86: SEQUENCE {
+ 623 84: [0] {
+ 625 82: [0] {
+ 627 80: [6]
+ : 'rsync://rpki.example.net/repository/3ACE2CEF4F'
+ : 'B21B7D11E3E184EFC1E297B3778642.crl'
+ : }
+ : }
+ : }
+ : }
+ : }
+ : }
+ 709 108: SEQUENCE {
+ 711 8: OBJECT IDENTIFIER authorityInfoAccess
+ : (1 3 6 1 5 5 7 1 1)
+ 721 96: OCTET STRING, encapsulates {
+ 723 94: SEQUENCE {
+ 725 92: SEQUENCE {
+ 727 8: OBJECT IDENTIFIER caIssuers (1 3 6 1 5 5 7 48 2)
+ 737 80: [6]
+ : 'rsync://rpki.example.net/repository/3ACE2CEF4F'
+ : 'B21B7D11E3E184EFC1E297B3778642.cer'
+ : }
+ : }
+ : }
+ : }
+ 819 25: SEQUENCE {
+ 821 8: OBJECT IDENTIFIER ipAddrBlocks (1 3 6 1 5 5 7 1 7)
+ 831 1: BOOLEAN TRUE
+ 834 10: OCTET STRING, encapsulates {
+ 836 8: SEQUENCE {
+ 838 6: SEQUENCE {
+ 840 2: OCTET STRING 00 01
+ 844 0: NULL
+ : }
+ : }
+ : }
+ : }
+ 846 69: SEQUENCE {
+ 848 8: OBJECT IDENTIFIER subjectInfoAccess
+ : (1 3 6 1 5 5 7 1 11)
+ 858 57: OCTET STRING, encapsulates {
+ 860 55: SEQUENCE {
+ 862 53: SEQUENCE {
+ 864 8: OBJECT IDENTIFIER '1 3 6 1 5 5 7 48 13'
+ 874 41: [6]
+ : 'https://rrdp.example.net/notification.xml'
+ : }
+ : }
+ : }
+ : }
+ : }
+ : }
+ : }
+ 917 13: SEQUENCE {
+ 919 9: OBJECT IDENTIFIER sha256WithRSAEncryption
+ : (1 2 840 113549 1 1 11)
+ 930 0: NULL
+ : }
+ 932 257: BIT STRING
+ : 48 C2 F7 C8 15 A7 43 1B EE E8 8A 68 7C A5 3F 4E
+ : 39 DE 6B 49 F8 09 0D D3 B7 EC 2B FA 86 C3 F7 BD
+ : D0 32 6F ED CA 75 86 F8 E3 E2 EC B7 B2 07 FB 3C
+ : 94 3B 70 A3 46 AE 0C 9B AB F9 44 D2 37 1E F8 04
+ : 60 56 36 E2 D8 1A F3 66 C5 80 9C 1F 38 E9 29 F0
+ : B2 4B 70 E9 C7 A7 6A 27 FA 03 0C 3A AB 4D 0D B2
+ : 90 1E A4 C0 5D D9 58 3F F6 C2 85 BC EC 09 15 53
+ : A0 35 CA A2 42 25 CF E6 B1 89 3D 60 5C 38 CB F9
+ : D9 AF FB 69 D8 DF 5F 0A 67 3A 28 E2 4C E8 0C 96
+ : 84 06 98 2D 93 3D 9A 72 75 92 A3 97 11 00 4D D1
+ : 44 42 CB 1A DF 7C 43 9E 5A 69 FB FA FD C6 E3 55
+ : 61 1B 51 70 2D FA A1 6A DA 54 0D E3 CC DE 85 EA
+ : B0 C4 F2 BF 31 B3 7C A5 21 25 73 E8 97 82 43 86
+ : 11 63 06 CC B2 38 DC FE D8 89 2C CE D9 63 12 1E
+ : E4 8A D8 CF 56 6D 37 A9 FF 48 4B 2C 24 0B 30 44
+ : 88 29 B3 61 21 0A DF C7 4B 6C 40 98 60 8E 86 05
+ : }
+
+ To allow reproduction of the signature results, the end-entity
+ private key is provided. For brevity, the other two private keys are
+ not.
+
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
+ /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
+ Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
+ zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
+ eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
+ gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
+ 18aKjFGSPEoZi53srIz5bvUgIi92TBLez7ZnzL6Iym26oJ+5th+lCHGO/dqlhXio
+ pI50C5Yc9TFbblb/ECOsuCuuqKFjZ8CD3GVsHozXKJeMM+/o5YZXQrORj6UnwT0z
+ ol/JE5pIGUCIgsXX6tz9s5BP3lUAvVQHsv6+vEVKLxQ3wj/1vIL8O/CN036EV0GJ
+ mpkwmygPjfECT9wbWo0yn3jxJb36+M/QjjUP28oNIVn/IKoPZRXnqchEbuuCJ651
+ IsaFSqtiThm4WZtvCH/IDq+6/dcMucmTjIRcYwW7fdHfjplllVPve9c/OmpWEQvF
+ t3ArWUt5AoGBANs4764yHxo4mctLIE7G7l/tf9bP4KKUiYw4R4ByEocuqMC4yhmt
+ MPCfOFLOQet71OWCkjP2L/7EKUe9yx7G5KmxAHY6jOjvcRkvGsl6lWFOsQ8p126M
+ Y9hmGzMOjtsdhAiMmOWKzjvm4WqfMgghQe+PnjjSVkgTt+7BxpIuGBAvAoGBANBg
+ 26FF5cDLpixOd3Za1YXsOgguwCaw3Plvi7vUZRpa/zBMELEtyOebfakkIRWNm07l
+ nE+lAZwxm+29PTD0nqCFE91teyzjnQaLO5kkAdJiFuVV3icLOGo399FrnJbKensm
+ FGSli+3KxQhCNIJJfgWzq4bE0ioAMjdGbYXzIYQFAoGBAM6tuDJ36KDU+hIS6wu6
+ O2TPSfZhF/zPo3pCWQ78/QDb+Zdw4IEiqoBA7F4NPVLg9Y/H8UTx9r/veqe7hPOo
+ Ok7NpIzSmKTHkc5XfZ60Zn9OLFoKbaQ40a1kXoJdWEu2YROaUlAe9F6/Rog6PHYz
+ vLE5qscRbu0XQhLkN+z7bg5bAoGBAKDsbDEb/dbqbyaAYpmwhH2sdRSkphg7Niwc
+ DNm9qWa1J6Zw1+M87I6Q8naRREuU1IAVqqWHVLr/ROBQ6NTJ1Uc5/qFeT2XXUgkf
+ taMKv61tuyjZK3sTmznMh0HfzUpWjEhWnCEuB+ZYVdmO52ZGw2A75RdrILL2+9Dc
+ PvDXVubRAoGAdqXeSWoLxuzZXzl8rsaKrQsTYaXnOWaZieU1SL5vVe8nK257UDqZ
+ E3ng2j5XPTUWli+aNGFEJGRoNtcQvO60O/sFZUhu52sqq9mWVYZNh1TB5aP8X+pV
+ iFcZOLUvQEcN6PA+YQK5FU11rAI1M0Gm5RDnVnUl0L2xfCYxb7FzV6Y=
+ -----END RSA PRIVATE KEY-----
+
+ Signing of "192.0.2.0/24,US,WA,Seattle," (terminated by CR and LF)
+ yields the following detached CMS signature.
+
+ # RPKI Signature: 192.0.2.0 - 192.0.2.255
+ # MIIGjwYJKoZIhvcNAQcCoIIGgDCCBnwCAQMxDTALBglghkgBZQMEAgEwDQYLKoZ
+ # IhvcNAQkQAS+gggSpMIIEpTCCA42gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZu
+ # QwDQYJKoZIhvcNAQELBQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExR
+ # TNFMTg0RUZDMUUyOTdCMzc3ODY0MjAeFw0yMTA1MjAxNjA1NDVaFw0yMjAzMTYx
+ # NjA1NDVaMDMxMTAvBgNVBAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM
+ # 0NUFCRjA1M0ExODcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycT
+ # QrOb/qB2W3i3Ki8PhA/DEWyii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQg
+ # tPCVwr62hTQZCIowBN0BL0cK0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZm
+ # r5xphXRvE+mzuJVLgu2V1upmBXuWloeymudh6WWJ+GDjwPXO3RiXBejBrOFNXha
+ # FLe08y4DPfr/S/tXJOBm7QzQptmbPLYtGfprYu45liFFqqP94UeLpISfXd36AKG
+ # zqTFCcc3EW9l5UFE1MFLlnoEogqtoLoKABt0IkOFGKeC/EgeaBdWLe469ddC9rQ
+ # ft5w6g6cmxG+aYDdIEB34zrAgMBAAGjggGvMIIBqzAdBgNVHQ4EFgQUkUZSo71R
+ # wUQmAZiIn1xFq/BToYcwHwYDVR0jBBgwFoAUOs4s70+yG30R4+GE78Hil7N3hkI
+ # wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCB4AwGAYDVR0gAQH/BA4wDDAKBg
+ # grBgEFBQcOAjBhBgNVHR8EWjBYMFagVKBShlByc3luYzovL3Jwa2kuZXhhbXBsZ
+ # S5uZXQvcmVwb3NpdG9yeS8zQUNFMkNFRjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5
+ # N0IzNzc4NjQyLmNybDBsBggrBgEFBQcBAQRgMF4wXAYIKwYBBQUHMAKGUHJzeW5
+ # jOi8vcnBraS5leGFtcGxlLm5ldC9yZXBvc2l0b3J5LzNBQ0UyQ0VGNEZCMjFCN0
+ # QxMUUzRTE4NEVGQzFFMjk3QjM3Nzg2NDIuY2VyMBkGCCsGAQUFBwEHAQH/BAowC
+ # DAGBAIAAQUAMEUGCCsGAQUFBwELBDkwNzA1BggrBgEFBQcwDYYpaHR0cHM6Ly9y
+ # cmRwLmV4YW1wbGUubmV0L25vdGlmaWNhdGlvbi54bWwwDQYJKoZIhvcNAQELBQA
+ # DggEBAEjC98gVp0Mb7uiKaHylP0453mtJ+AkN07fsK/qGw/e90DJv7cp1hvjj4u
+ # y3sgf7PJQ7cKNGrgybq/lE0jce+ARgVjbi2BrzZsWAnB846Snwsktw6cenaif6A
+ # ww6q00NspAepMBd2Vg/9sKFvOwJFVOgNcqiQiXP5rGJPWBcOMv52a/7adjfXwpn
+ # OijiTOgMloQGmC2TPZpydZKjlxEATdFEQssa33xDnlpp+/r9xuNVYRtRcC36oWr
+ # aVA3jzN6F6rDE8r8xs3ylISVz6JeCQ4YRYwbMsjjc/tiJLM7ZYxIe5IrYz1ZtN6
+ # n/SEssJAswRIgps2EhCt/HS2xAmGCOhgUxggGqMIIBpgIBA4AUkUZSo71RwUQmA
+ # ZiIn1xFq/BToYcwCwYJYIZIAWUDBAIBoGswGgYJKoZIhvcNAQkDMQ0GCyqGSIb3
+ # DQEJEAEvMBwGCSqGSIb3DQEJBTEPFw0yMTA1MjAxNjI4MzlaMC8GCSqGSIb3DQE
+ # JBDEiBCAr4vKeUvHJINsE0YQwUMxoo48qrOU+iPuFbQR8qX3BFjANBgkqhkiG9w
+ # 0BAQEFAASCAQB85HsCBrU3EcVOcf4nC6Z3jrOjT+fVlyTDAObF6GTNWgrxe7jSA
+ # Inyf51UzuIGqhVY3sQiiXbdWcVYtPb4118KvyeXh8A/HLp4eeAJntl9D3igt38M
+ # o84q5pf9pTQXx3hbsm51ilpOip/TKVMqzE42s6OPox3M0+6eKH3/vBKnw1s1ayM
+ # 0MUnPDTBfZL3JJEGPWfIZHEcrypevbqR7Jjsz5vp0qyF2D9v+w+nyhZOPmuePm7
+ # YqLyOw/E99PVBs9uI+hmBiCz/BK2Z3VRjrrlrUU+49eldSTkZ2sJyhCbbV2Ufgi
+ # S2FOquAgJzjilyN3BDQLV8Rp9cGh0PpVslKH2na
+ # End Signature: 192.0.2.0 - 192.0.2.255
+
+Acknowledgments
+
+ Thanks to Rob Austein for CMS and detached signature clue, George
+ Michaelson for the first and substantial external review, and Erik
+ Kline who was too shy to agree to coauthorship. Additionally, we
+ express our gratitude to early implementors, including Menno
+ Schepers; Flavio Luciani; Eric Dugas; Job Snijders, who provided
+ running code; and Kevin Pack. Also, thanks to the following
+ geolocation providers who are consuming geofeeds with this described
+ solution: Jonathan Kosgei (ipdata.co), Ben Dowling (ipinfo.io), and
+ Pol Nisenblat (bigdatacloud.com). For an amazing number of helpful
+ reviews, we thank Adrian Farrel, Antonio Prado, Francesca Palombini,
+ Jean-Michel Combes (INTDIR), John Scudder, Kyle Rose (SECDIR), Martin
+ Duke, Murray Kucherawy, Paul Kyzivat (GENART), Rob Wilton, and Roman
+ Danyliw. The authors also thank George Michaelson, the awesome
+ document shepherd.
+
+Authors' Addresses
+
+ Randy Bush
+ IIJ & Arrcus
+ 5147 Crystal Springs
+ Bainbridge Island, Washington 98110
+ United States of America
+
+ Email: randy@psg.com
+
+
+ Massimo Candela
+ NTT
+ Siriusdreef 70-72
+ 2132 WT Hoofddorp
+ Netherlands
+
+ Email: massimo@ntt.net
+
+
+ Warren Kumari
+ Google
+ 1600 Amphitheatre Parkway
+ Mountain View, CA 94043
+ United States of America
+
+ Email: warren@kumari.net
+
+
+ Russ Housley
+ Vigil Security, LLC
+ 516 Dranesville Road
+ Herndon, VA 20170
+ United States of America
+
+ Email: housley@vigilsec.com