rfcdiff: rfc9632v1.txt vs. rfc9632.txt

Internet Engineering Task Force (IETF)                          R. Bush
Request for Comments: 9632                        IIJ Research & Arrcus
Obsoletes: 9092                                              M. Candela
Category: Standards Track                                           NTT
ISSN: 2070-1721                                               W. Kumari
                                                                 Google
                                                             R. Housley
                                                         Vigil Security
                                                              July 2024

   [rfc9632v1.txt was dated May 2024.]
                    Finding and Using Geofeed Data

Abstract

   This document specifies how to augment the Routing Policy
   Specification Language (RPSL) inetnum: class to refer specifically to
   geofeed comma-separated values (CSV) data files and describes an
   optional scheme that uses the Resource Public Key Infrastructure
   (RPKI) to authenticate the geofeed data files. This document

   [skipping to change at line 78]

   Appendix A.  Example
   Acknowledgments
   Authors' Addresses
1.  Introduction

   Providers of Internet content and other services may wish to
   customize those services based on the geographic location of the user
   of the service.  This is often done using the source IP address used
   to contact the service, which may not point to a user; see Section 14
   of [RFC6269] in particular.  Also, administrators of infrastructure
   and other services might wish to publish the locale of said
   infrastructure or services.  [RFC8805] defines geofeed, a syntax to
   associate geographic locales with IP addresses, but it does not
   specify how to find the relevant geofeed data given an IP address.

   [rfc9632v1 text: "Also, infrastructure and other services might wish
   to publish the locale of their services."]

   This document specifies how to augment the Routing Policy
   Specification Language (RPSL) [RFC2725] inetnum: class to refer
   specifically to geofeed data files and how to prudently use them.  In
   all places inetnum: is used, inet6num: should also be assumed
   [RFC4012].

   The reader may find [INETNUM] and [INET6NUM] informative, and
   certainly more verbose, descriptions of the inetnum: database
   classes.
   [skipping to change at line 115 (v1) / 117]

   *  The Authentication section (Section 5) has been rewritten to be
      more formal.

   *  Geofeed files are only UTF-8 CSV.

   *  This document stresses that authenticating geofeed data is
      optional.

   *  IP Address Delegation extensions must not use "inherit".

   *  If geofeed data are present, geographic location hints in other
      data should be ignored.

   [rfc9632v1 text of the last bullet: "If geofeed data are present,
   ignore geographic location hints in other data."]
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
2.  Geofeed Files

   [skipping to change at line 158 (v1) / 160]

   This document also suggests an optional signature to strongly
   authenticate the data in the geofeed files.
3.  inetnum: Class

   The original RPSL specifications starting with [RIPE81], [RIPE181],
   and a trail of subsequent documents were written by the RIPE
   community.  The IETF standardized RPSL in [RFC2622] and [RFC4012].
   Since then, it has been modified and extensively enhanced in the
   Regional Internet Registry (RIR) community, mostly by RIPE [RIPE-DB].
   At the time of publishing this document, change control of the RPSL
   effectively lies in the operator community.

   The inetnum: database class is specified by the RPSL, as well as
   Routing Policy System Security [RFC2725] and RPSLng [RFC4012], which
   are used by the Regional Internet Registries (RIRs).  Each of these
   objects describes an IP address range and its attributes.  The
   inetnum: objects form a hierarchy ordered on the address space.

   [rfc9632v1 text: "The RPSL, and Routing Policy System Security
   [RFC2725] and RPSLng [RFC4012] used by the Regional Internet
   Registries (RIRs), specify the inetnum: database class."]

   Ideally, the RPSL would be augmented to define a new RPSL geofeed:
   attribute in the inetnum: class.  Absent implementation of the
   geofeed: attribute in a particular RIR database, this document
   defines the syntax of a Geofeed remarks: attribute, which contains an
   HTTPS URL of a geofeed file.  The format of the inetnum: geofeed
   remarks: attribute MUST be as in this example, "remarks: Geofeed ",
   where the token "Geofeed " MUST be case sensitive, followed by a URL
   that will vary, but it MUST refer only to a single geofeed [RFC8805]
   file.

   inetnum: 192.0.2.0/24 # example

   [skipping to change at line 301 (v1) / 303]
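The following is an added example of a collector-side check for the Section 3 reference format; it is not code from RFC 9632, from any RIR database, or from geofeed-finder. It parses an RPSL object, honours a native geofeed: attribute where an RIR implements one, otherwise looks for a remarks: value starting with the case-sensitive token "Geofeed ", and rejects objects that reference more than one geofeed file or a non-HTTPS URL. The sample objects, the example.com URLs and the lower-casing of attribute names are assumptions of this example.

```python
"""Extract the geofeed URL an RPSL inetnum:/inet6num: object refers to.

Added example for RFC 9632 Section 3; not code from the RFC, an RIR, or
geofeed-finder. Sample objects and example.com URLs are constructed.
"""
import re
from urllib.parse import urlsplit

GEOFEED_TOKEN = "Geofeed "          # case sensitive per RFC 9632 Section 3


class GeofeedRefError(ValueError):
    """The object's geofeed reference violates the RFC 9632 rules."""


def parse_rpsl(text):
    """Split an RPSL object into (attribute, value) pairs.

    '#' starts a comment at line start or after whitespace (so a '#'
    inside a URL survives); a line starting with space, tab or '+'
    continues the previous attribute's value. Attribute names are
    lower-cased here (an assumption of this example); values are not.
    """
    attrs = []
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t+" and attrs:                  # continuation line
            name, value = attrs[-1]
            attrs[-1] = (name, (value + " " + line[1:].strip()).strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise GeofeedRefError("malformed RPSL line: %r" % raw)
        attrs.append((name.strip().lower(), value.strip()))
    return attrs


def geofeed_url(rpsl_object):
    """Return the single geofeed URL the object references, or None.

    Raises GeofeedRefError if the object references more than one
    distinct file or the reference is not exactly one HTTPS URL. A
    remarks: line whose token is not exactly "Geofeed " (e.g. "geofeed ")
    is not a reference and is ignored.
    """
    attrs = parse_rpsl(rpsl_object)
    if not any(name in ("inetnum", "inet6num") for name, _ in attrs):
        raise GeofeedRefError("not an inetnum:/inet6num: object")

    refs = []
    for name, value in attrs:
        if name == "geofeed":                             # native attribute
            refs.append(value)
        elif name == "remarks" and value.startswith(GEOFEED_TOKEN):
            refs.append(value[len(GEOFEED_TOKEN):].strip())

    if not refs:
        return None
    if len(set(refs)) > 1:
        raise GeofeedRefError("MUST refer only to a single geofeed file: %r" % refs)
    url = refs[0]
    parts = urlsplit(url)
    if " " in url or parts.scheme != "https" or not parts.netloc:
        raise GeofeedRefError("reference MUST be one HTTPS URL: %r" % url)
    return url


def check(rpsl_object):
    """Collector wrapper: ("ok", url), ("none", None) or ("error", reason)."""
    try:
        url = geofeed_url(rpsl_object)
    except GeofeedRefError as e:
        return ("error", str(e))
    return ("ok", url) if url else ("none", None)


# Constructed sample objects (documentation prefixes, placeholder URLs).
SAMPLE_OK = """\
inetnum:  192.0.2.0 - 192.0.2.255
netname:  EXAMPLE-NET
remarks:  Geofeed https://example.com/geofeed.csv
source:   RIPE # example
"""
SAMPLE_V6_NATIVE = "inet6num: 2001:db8::/32\ngeofeed:  https://example.com/v6.csv\n"
SAMPLE_WRONG_CASE = "inetnum: 192.0.2.0 - 192.0.2.255\nremarks: geofeed https://example.com/geofeed.csv\n"
SAMPLE_TWO_FILES = ("inetnum: 192.0.2.0 - 192.0.2.255\n"
                    "remarks: Geofeed https://example.com/a.csv\n"
                    "remarks: Geofeed https://example.com/b.csv\n")
SAMPLE_PLAIN_HTTP = "inetnum: 192.0.2.0 - 192.0.2.255\nremarks: Geofeed http://example.com/geofeed.csv\n"

if __name__ == "__main__":
    for label, obj in [("ok", SAMPLE_OK), ("v6 native", SAMPLE_V6_NATIVE),
                       ("wrong case", SAMPLE_WRONG_CASE),
                       ("two files", SAMPLE_TWO_FILES), ("http", SAMPLE_PLAIN_HTTP)]:
        print(label, "->", check(obj))
```

A lower-case "geofeed" token is silently ignored rather than treated as an error, since the text makes only the exact token a valid reference; a collector that wants to flag such near-misses for the object's maintainer can do so where `geofeed_url` returns None.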
   support, which includes geofeed data; see [RDAP-GEOFEED].  This
   SHOULD NOT be used for bulk retrieval of geofeed data.

5.  Authenticating Geofeed Data (Optional)

   The question arises whether a particular geofeed [RFC8805] data set
   is valid, i.e., is authorized by the "owner" of the IP address space
   and is authoritative in some sense.  The inetnum: that points to the
   geofeed [RFC8805] file provides some assurance.  Unfortunately, the
   RPSL in some repositories is weakly authenticated at best.  An
   approach where the RPSL was signed per [RFC7909] would be good,
   except it would have to be deployed by all RPSL registries, and there
   is a fair number of them.

   The remainder of this section specifies an optional authenticator for
   the geofeed data set that follows "Signed Object Template for the
   Resource Public Key Infrastructure (RPKI)" [RFC6488].

   A single optional authenticator MAY be appended to a geofeed
   [RFC8805] file.  It is a digest of the main body of the file signed
   by the private key of the relevant RPKI certificate for a covering
   address range.  The following format bundles the relevant RPKI
   certificate with a signature over the geofeed text.
   [skipping to change at line 357 (v1) / 359]

   Identifier Delegation certificate extension [RFC3779].  If it is
   present, the authenticator is invalid.

   As with many other RPKI signed objects, the IP Address Delegation
   certificate extension MUST NOT use the "inherit" capability defined
   in Section 2.2.3.5 of [RFC3779].  If "inherit" is used, the
   authenticator is invalid.

   An IP Address Delegation extension using "inherit" would complicate
   processing.  The implementation would have to build the certification
   path from the end entity to the trust anchor, then validate the path
   from the trust anchor to the end entity, and then the parameter would
   have to be remembered when the validated public key was used to
   validate a signature on a CMS object.  Having to remember things from
   certification path validation for use with CMS object processing
   would be quite complex and error-prone.  Additionally, the
   certificates do not get that much bigger by repeating the
   information.

   [rfc9632v1 wrote "end-entity" here and throughout; the published RFC
   writes "end entity".]

   An address range A "covers" address range B if the range of B is
   identical to or a subset of A.  "Address range" is used here because
   inetnum: objects and RPKI certificates need not align on Classless
   Inter-Domain Routing (CIDR) [RFC4632] prefix boundaries, while those
   of the lines in a geofeed file do align.
   The Certification Authority (CA) SHOULD sign only one geofeed file
   with each generated private key and SHOULD generate a new key pair
   for each new version of a particular geofeed file.  The CA MUST
   generate a new end entity (EE) certificate for each signing of a
   particular geofeed file.  An associated EE certificate used in this
   fashion is termed a "one-time-use" EE certificate (see Section 3 of
   [RFC6487]).

   Identifying the private key associated with the certificate and
   getting the department that controls the private key (which might be
   stored in a Hardware Security Module (HSM)) to generate the CMS
   signature is left as an exercise for the implementor.  On the other
   hand, verifying the signature has no similar complexity; the
   certificate, which is validated in the public RPKI, contains the

   [skipping to change at line 482 (v1) / 484]
   If the geofeed file is signed, and the signer's certificate changes,
   the signature in the geofeed file MUST be updated.

   It is good key hygiene to use a given key for only one purpose.  To
   dedicate a signing private key for signing a geofeed file, an RPKI
   Certification Authority (CA) may issue a subordinate certificate
   exclusively for the purpose shown in Appendix A.

   Harvesting and publishing aggregated geofeed data outside of the RPSL
   model should be avoided as it could lead to detailed data of one
   aggregatee undesirably affecting the less detailed data of a
   different aggregatee.  Moreover, publishing aggregated geofeed data
   prevents the reader of the data from performing the checks described
   in Section 4 and Section 5.

   [rfc9632v1 text: "as it can have the effect that more specifics from
   one aggregatee could undesirably affect the less specifics of a
   different aggregatee."]

   At the time of publishing this document, geolocation providers have
   bulk WHOIS data access at all the RIRs.  An anonymized version of
   such data is openly available for all RIRs except ARIN, which
   requires an authorization.  However, for users without such
   authorization, the same result can be achieved with extra RDAP
   effort.  There is open-source code to pass over such data across all
   RIRs, collect all geofeed references, and process them
   [GEOFEED-FINDER].

   To prevent undue load on RPSL and geofeed servers, entities fetching
   geofeed data using these mechanisms MUST NOT do frequent real-time
   lookups.  Section 3.4 of [RFC8805] suggests use of the HTTP Expires
   header [RFC9111] to signal when geofeed data should be refetched.  As
   the data change very infrequently, in the absence of such an HTTP
   header signal, collectors SHOULD NOT fetch more frequently than
   weekly.  It would be polite not to fetch at magic times such as
   midnight UTC, the first of the month, etc., because too many others
   are likely to do the same.

   [rfc9632v1 cited [RFC7234] for the Expires header; the published RFC
   cites [RFC9111].]
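The refetch policy of the preceding paragraph as an added example (not code from RFC 9632 or from geofeed-finder): honour the HTTP Expires header when it is present and in the future, otherwise refetch no sooner than a week later, answer lookups between due times from the schedule rather than with a real-time fetch, and spread each URL's slot over a window so collectors do not all land on midnight UTC or the first of the month. The one-hour floor, the six-hour jitter window, and the headers, URL and clock values are assumptions of this example.

```python
"""Decide when a collector may refetch a geofeed file (RFC 9632 Section 6).

Added example; not code from RFC 9632 or geofeed-finder. Inputs are
constructed; the floor and jitter window are choices of this example.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
import hashlib

DEFAULT_INTERVAL = timedelta(days=7)     # RFC 9632: no more often than weekly
MIN_INTERVAL = timedelta(hours=1)        # assumption: floor against tiny Expires values
JITTER_WINDOW = timedelta(hours=6)       # assumption: per-URL spread


def _jitter(url):
    """Deterministic per-URL offset in [0, JITTER_WINDOW), stable across runs."""
    digest = hashlib.sha256(url.encode()).digest()
    return JITTER_WINDOW * (int.from_bytes(digest[:8], "big") / 2 ** 64)


def _parse_expires(value):
    """HTTP-date -> aware UTC datetime, or None if absent or unparseable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt.tzinfo is None:                  # a "-0000" zone yields a naive datetime
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def next_fetch_time(url, headers, fetched_at):
    """Earliest time the file may be fetched again after a fetch at fetched_at."""
    lowered = {k.lower(): v for k, v in headers.items()}
    expires = _parse_expires(lowered.get("expires"))
    if expires is not None and expires > fetched_at:
        base = max(expires, fetched_at + MIN_INTERVAL)
    else:                                  # no usable signal: weekly
        base = fetched_at + DEFAULT_INTERVAL
    return base + _jitter(url)


class FetchSchedule:
    """Per-URL due times; a lookup before the due time is never a live fetch."""

    def __init__(self):
        self._due = {}

    def due(self, url, now):
        """True if the URL has never been fetched or its due time has passed."""
        return url not in self._due or now >= self._due[url]

    def record(self, url, headers, fetched_at):
        """Store the next due time after a successful fetch and return it."""
        self._due[url] = next_fetch_time(url, headers, fetched_at)
        return self._due[url]


def demo():
    """Run the constructed scenarios and return plain numbers for checking."""
    t0 = datetime(2024, 7, 1, 0, 0, tzinfo=timezone.utc)          # constructed clock
    url = "https://example.com/geofeed.csv"                      # constructed URL
    with_expires = next_fetch_time(url, {"Expires": "Wed, 03 Jul 2024 12:00:00 GMT"}, t0)
    no_header = next_fetch_time(url, {}, t0)
    stale = next_fetch_time(url, {"Expires": "Mon, 01 Jan 2024 00:00:00 GMT"}, t0)
    sched = FetchSchedule()
    sched.record(url, {}, t0)
    hours = lambda dt: (dt - t0).total_seconds() / 3600
    return {
        "expires_delay_hours": hours(with_expires),   # 60 h plus jitter
        "default_delay_hours": hours(no_header),      # 168 h plus jitter
        "stale_delay_hours": hours(stale),            # expired date: weekly default
        "due_next_day": sched.due(url, t0 + timedelta(days=1)),
        "due_after_8_days": sched.due(url, t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A past Expires date is treated like a missing header rather than as "fetch now", which keeps a misconfigured origin from turning a weekly collector into a real-time poller.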
7.  Privacy Considerations

   [RFC8805] geofeed data may reveal the approximate location of an IP
   address, which might in turn reveal the approximate location of an

   [skipping to change at line 717 (v1) / 719]
   [RFC5485]  Housley, R., "Digital Signatures on Internet-Draft
              Documents", RFC 5485, DOI 10.17487/RFC5485, March 2009,
              <https://www.rfc-editor.org/info/rfc5485>.

   [RFC6269]  Ford, M., Ed., Boucadair, M., Durand, A., Levis, P., and
              P. Roberts, "Issues with IP Address Sharing", RFC 6269,
              DOI 10.17487/RFC6269, June 2011,
              <https://www.rfc-editor.org/info/rfc6269>.

   [RFC7234]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "Hypertext Transfer Protocol (HTTP/1.1): Caching",
              RFC 7234, DOI 10.17487/RFC7234, June 2014,
              <https://www.rfc-editor.org/info/rfc7234>.
              [Present only in rfc9632v1; replaced by RFC 9111 in the
              published RFC.]

   [RFC7485]  Zhou, L., Kong, N., Shen, S., Sheng, S., and A. Servin,
              "Inventory and Analysis of WHOIS Registration Objects",
              RFC 7485, DOI 10.17487/RFC7485, March 2015,
              <https://www.rfc-editor.org/info/rfc7485>.

   [RFC7909]  Kisteleki, R. and B. Haberman, "Securing Routing Policy
              Specification Language (RPSL) Objects with Resource Public
              Key Infrastructure (RPKI) Signatures", RFC 7909,
              DOI 10.17487/RFC7909, June 2016,
              <https://www.rfc-editor.org/info/rfc7909>.

   [skipping to change at line 743 (v1) / 740]

   [RFC9082]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Query Format", STD 95, RFC 9082,
              DOI 10.17487/RFC9082, June 2021,
              <https://www.rfc-editor.org/info/rfc9082>.

   [RFC9092]  Bush, R., Candela, M., Kumari, W., and R. Housley,
              "Finding and Using Geofeed Data", RFC 9092,
              DOI 10.17487/RFC9092, July 2021,
              <https://www.rfc-editor.org/info/rfc9092>.

   [RFC9111]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Caching", STD 98, RFC 9111,
              DOI 10.17487/RFC9111, June 2022,
              <https://www.rfc-editor.org/info/rfc9111>.
              [Added in the published RFC; not in rfc9632v1.]

   [RIPE-DB]  RIPE NCC, "RIPE Database Documentation", September 2023,
              <https://www.ripe.net/manage-ips-and-
              asns/db/support/documentation/ripe-database-
              documentation>.

   [RIPE181]  RIPE NCC, "Representation Of IP Routing Policies In A
              Routing Registry", October 1994,
              <https://www.ripe.net/publications/docs/ripe-181>.

   [RIPE81]   RIPE NCC, "Representation Of IP Routing Policies In The

   [skipping to change at line 767 (v1) / 769]

              Snijders, J., "Example on how to use rpki-client to
              authenticate a signed Geofeed", September 2023,
              <https://sobornost.net/~job/
              using_geofeed_authenticators.txt>.
Appendix A.  Example

   This appendix provides an example, including a trust anchor, a
   Certificate Revocation List (CRL) signed by the trust anchor, a CA
   certificate subordinate to the trust anchor, a CRL signed by the CA,
   an end entity certificate subordinate to the CA for signing the
   geofeed, and a detached signature.

   The trust anchor is represented by a self-signed certificate.  As
   usual in the RPKI, the trust anchor has authority over all IPv4
   address blocks, all IPv6 address blocks, and all Autonomous System
   (AS) numbers.

   -----BEGIN CERTIFICATE-----
   MIIEQTCCAymgAwIBAgIUEggycNoFVRjAuN/Fw7URu0DEZNAwDQYJKoZIhvcNAQEL
   BQAwFTETMBEGA1UEAxMKZXhhbXBsZS10YTAeFw0yMzA5MTkyMDMzMzlaFw0zMzA5

   [skipping to change at line 864 (v1) / 866]

   MzEwMjMxNTU1MzhaoC8wLTAfBgNVHSMEGDAWgBQ6zizvT7IbfRHj4YTvweKXs3eG
   QjAKBgNVHRQEAwIBATANBgkqhkiG9w0BAQsFAAOCAQEACwCNzcAoqbMcUL1kBY65
   YhL95OnBqAcuc99pD4i9c1BmVOl7bXU3cJqLaOZ6Z8CmN0kBbcHyqlHBJ9oA/aYD
   ByhxsjzKk7jxtM2IlTpEvCEqvnGLSVihgS3h0NA+sgWqHGL3Rhcj6hVsi+j9GENc
   T6F9np1mxbI3i2xhgeDJG1pryvH0hWXh7yJiYS8ItNEaIIXDT3szK/J9wnPjukTR
   5MITiK9P3TCFujawb3O7rIT5PPgkM6eiCdwDgt6gjmw6cow5+rMjNHSRa+GOviSd
   gXljVDfJvF4tKHmw59Jc2aFnSGfX1/ITDNiNfXYpUYFOcsqxkYf8F0uO7AtbRmTF
   2w==
   -----END X509 CRL-----

   The end entity certificate is issued by the CA.  This certificate
   grants signature authority for one IPv4 address block (192.0.2.0/24).
   Signature authority for AS numbers is not needed for geofeed data
   signatures, so no AS numbers are included in the end entity
   certificate.

   -----BEGIN CERTIFICATE-----
   MIIEVjCCAz6gAwIBAgIUJ605QIPX8rW5m4Zwx3WyuW7hZvAwDQYJKoZIhvcNAQEL
   BQAwMzExMC8GA1UEAxMoM0FDRTJDRUY0RkIyMUI3RDExRTNFMTg0RUZDMUUyOTdC
   Mzc3ODY0MjAeFw0yMzA5MjMxNTU1MzhaFw0yNDA3MTkxNTU1MzhaMDMxMTAvBgNV
   BAMTKDkxNDY1MkEzQkQ1MUMxNDQyNjAxOTg4ODlGNUM0NUFCRjA1M0ExODcwggEi
   MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCycTQrOb/qB2W3i3Ki8PhA/DEW
   yii2TgGo9pgCwO9lsIRI6Zb/k+aSiWWP9kSczlcQgtPCVwr62hTQZCIowBN0BL0c
   K0/5k1imJdi5qdM3nvKswM8CnoR11vB8pQFwruZmr5xphXRvE+mzuJVLgu2V1upm

   [skipping to change at line 897 (v1) / 899]

   RjRGQjIxQjdEMTFFM0UxODRFRkMxRTI5N0IzNzc4NjQyLmNlcjAfBggrBgEFBQcB
   BwEB/wQQMA4wDAQCAAEwBgMEAMAAAjANBgkqhkiG9w0BAQsFAAOCAQEAlxt25FUe
   e0+uCidTH+4p7At3u2ncgHcGTsag3UcoPjcE/I1JgQJRu9TiM4iNB1C7Lbdd131g
   MdliL5GQ3P4QfKnfkuPR6S1V8suq6ZT1KQRyLJx+EPgDN2rb/iji0TOK6RKPNBdG
   lXVLjth4x/uu1O4V54GLEhDAPQC8IUm5intL/Hx1M1x2ptN/+j5HD3XUXd3x13yi
   s6u758nbA7ND40JNhGG5JNGQgDchL4IQzIhylMNC+bKUiyyMHz3MqoVAklIB86IW
   Ucv72Mekq+i46T/w3RnaGn4x7RAJctVJWw3e5YMrFnQcuuaGOs0QcoxW7Bi4W7Eg
   8fK1fd/f6fjZ9w==
   -----END CERTIFICATE-----
   The end entity certificate is displayed below in detail.  For
   brevity, the other two certificates are not.

      0 1110: SEQUENCE {
      4  830:   SEQUENCE {
      8    3:     [0] {
     10    1:       INTEGER 2
            :       }
     13   20:     INTEGER
            :       27 AD 39 40 83 D7 F2 B5 B9 9B 86 70 C7 75 B2 B9
            :       6E E1 66 F0

   [skipping to change at line 1082 (v1) / 1084]

            :       4B FC 7C 75 33 5C 76 A6 D3 7F FA 3E 47 0F 75 D4
            :       5D DD F1 D7 7C A2 B3 AB BB E7 C9 DB 03 B3 43 E3
            :       42 4D 84 61 B9 24 D1 90 80 37 21 2F 82 10 CC 88
            :       72 94 C3 42 F9 B2 94 8B 2C 8C 1F 3D CC AA 85 40
            :       92 52 01 F3 A2 16 51 CB FB D8 C7 A4 AB E8 B8 E9
            :       3F F0 DD 19 DA 1A 7E 31 ED 10 09 72 D5 49 5B 0D
            :       DE E5 83 2B 16 74 1C BA E6 86 3A CD 10 72 8C 56
            :       EC 18 B8 5B B1 20 F1 F2 B5 7D DF DF E9 F8 D9 F7
            :     }

   To allow reproduction of the signature results, the end entity
   private key is provided.  For brevity, the other two private keys are
   not.
   -----BEGIN RSA PRIVATE KEY-----
   MIIEpQIBAAKCAQEAsnE0Kzm/6gdlt4tyovD4QPwxFsootk4BqPaYAsDvZbCESOmW
   /5Pmkollj/ZEnM5XEILTwlcK+toU0GQiKMATdAS9HCtP+ZNYpiXYuanTN57yrMDP
   Ap6EddbwfKUBcK7mZq+caYV0bxPps7iVS4LtldbqZgV7lpaHsprnYellifhg48D1
   zt0YlwXowazhTV4WhS3tPMuAz36/0v7VyTgZu0M0KbZmzy2LRn6a2LuOZYhRaqj/
   eFHi6SEn13d+gChs6kxQnHNxFvZeVBRNTBS5Z6BKIKraC6CgAbdCJDhRingvxIHm
   gXVi3uOvXXQva0H7ecOoOnJsRvmmA3SBAd+M6wIDAQABAoIBAQCyB0FeMuKm8bRo
   End of changes.  18 change blocks.
   34 lines changed or deleted, 36 lines changed or added.

   This html diff was produced by rfcdiff 1.48.