メインコンテンツまでスキップ

6. Authenticating prefixlen Data (Optional)

6. Authenticating prefixlen Data (Optional)

A single optional authenticator MAY be appended to a prefixlen file. It is a digest of the main body of the file signed by the private key of the relevant RPKI certificate for a covering address range. The canonicalization procedure uses UTF-8 and CRLF; trailing blank lines MUST NOT appear at the end of the file, and OS end-of-file markers MUST NOT be covered by the digital signature.

The CMS signature is detached DER, Base64 encoded with padding, and wrapped to 72 or fewer characters. The same digest algorithm MUST be used for the prefixlen content and the SignerInfo SignedAttributes. The address range of the signing certificate MUST cover all prefixes in the signed prefixlen file. The signing certificate MUST NOT include the AS Identifier Delegation extension, and its IP Address Delegation extension MUST NOT use inherit. A CA MUST generate a new EE certificate for each signing of a particular prefixlen file, and the private key SHOULD sign only one prefixlen file.

Signature validation requires matching SubjectKeyIdentifier values, a current-manifest signer certificate, a valid certification path, a valid CMS SignedData signature, eContentType OID id-ct-prefixlenCSVwithCRLF (1.2.840.113549.1.9.16.1.57), and IP resources covering all address ranges in the prefixlen file. All steps MUST succeed. The authenticator MUST be hidden as '#' comments at the end of the prefixlen file and bracketed by '# RPKI Signature:' and '# End Signature:' lines. The CMS signature does not cover the signature lines.