Registration Protocols Extensions (regext)                      J. Singh
Internet-Draft                                                      ARIN
Intended status: Standards Track                               A. Newton
Expires: 19 July 2025                                              ICANN
                                                         15 January 2025


              An RDAP Extension for RPKI Registration Data
                   draft-jasdips-regext-rdap-rpki-01

Abstract

   The Resource Public Key Infrastructure (RPKI) is used to secure
   inter-domain routing on the internet.  This document defines a new
   Registration Data Access Protocol (RDAP) extension, "rpki1", for
   accessing the RPKI registration data in the Internet Number Registry
   System (INRS) through RDAP.  The Internet Number Registry System
   (INRS) is composed of Regional Internet Registries (RIRs), National
   Internet Registries (NIRs), and Local Internet Registries (LIRs).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 19 July 2025.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.










Singh & Newton            Expires 19 July 2025                  [Page 1]

Internet-Draft                  rdap-rpki                   January 2025


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  Common Data Members . . . . . . . . . . . . . . . . . . . . .   4
   3.  Route Origin Authorization  . . . . . . . . . . . . . . . . .   5
     3.1.  Object Class  . . . . . . . . . . . . . . . . . . . . . .   5
     3.2.  Lookup  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     3.3.  Search  . . . . . . . . . . . . . . . . . . . . . . . . .   8
       3.3.1.  Search Results  . . . . . . . . . . . . . . . . . . .   9
     3.4.  Reverse Search  . . . . . . . . . . . . . . . . . . . . .  11
     3.5.  Relationship with IP Network Object Class . . . . . . . .  11
   4.  Autonomous System Provider Authorization  . . . . . . . . . .  14
     4.1.  Object Class  . . . . . . . . . . . . . . . . . . . . . .  14
     4.2.  Lookup  . . . . . . . . . . . . . . . . . . . . . . . . .  15
     4.3.  Search  . . . . . . . . . . . . . . . . . . . . . . . . .  16
       4.3.1.  Search Results  . . . . . . . . . . . . . . . . . . .  17
     4.4.  Reverse Search  . . . . . . . . . . . . . . . . . . . . .  19
     4.5.  Relationship with Autonomous System Number Object
           Class . . . . . . . . . . . . . . . . . . . . . . . . . .  19
   5.  X.509 Resource Certificate  . . . . . . . . . . . . . . . . .  22
     5.1.  Object Class  . . . . . . . . . . . . . . . . . . . . . .  22
     5.2.  Lookup  . . . . . . . . . . . . . . . . . . . . . . . . .  26
     5.3.  Search  . . . . . . . . . . . . . . . . . . . . . . . . .  26
       5.3.1.  Search Results  . . . . . . . . . . . . . . . . . . .  29
     5.4.  Reverse Search  . . . . . . . . . . . . . . . . . . . . .  31
     5.5.  Relationship with Other Object Classes  . . . . . . . . .  31
   6.  RDAP Conformance  . . . . . . . . . . . . . . . . . . . . . .  35
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  35
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  35
     8.1.  RDAP Extensions Registry  . . . . . . . . . . . . . . . .  35
     8.2.  RDAP Reverse Search Registry  . . . . . . . . . . . . . .  35
     8.3.  RDAP Reverse Search Mapping Registry  . . . . . . . . . .  37
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  38
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  38
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  38
     10.2.  Informative References . . . . . . . . . . . . . . . . .  40
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  41

1.  Introduction

   Network operators are increasingly deploying the Resource Public Key
   Infrastructure (RPKI, [RFC6480]) to secure inter-domain routing
   ([RFC4271]) on the internet.  RPKI enables Internet Number Resource
   (INR) holders to make cryptographically verifiable assertions about
   their registered IP addresses and autonomous system numbers, in order
   to prevent route hijacks and leaks.  To that end, RPKI defines the
   following cryptographic profiles:

   *  Route Origin Authorization (ROA, [RFC9582]), where the holder of a
      Classless Inter-Domain Routing (CIDR, [RFC1519]) address block
      cryptographically authorizes an autonomous system (AS, [RFC4271])
      to originate routes for that CIDR address block.
   *  Autonomous System Provider Authorization (ASPA,
      [I-D.ietf-sidrops-aspa-profile]), where the holder of an autonomous
      system number (ASN, [RFC5396]) cryptographically attests to the set
      of provider ASes for that ASN.
   *  X.509 Resource Certificate ([RFC6487]), where the issuer grants the
      subject a right-of-use for the listed IP addresses and/or
      autonomous system numbers.

   This document defines a new RDAP extension, "rpki1", for accessing
   the RPKI registration data within the Internet Number Registry System
   (INRS) for aforementioned RPKI profiles through RDAP.  The Internet
   Number Registry System (INRS) is composed of Regional Internet
   Registries (RIRs), National Internet Registries (NIRs), and Local
   Internet Registries (LIRs).

   The motivation here is that such RDAP data could complement the
   existing RPKI diagnostic tools when troubleshooting a route hijack or
   leak, by conveniently providing access to registration information
   from a registry's database beyond what is inherently available from
   an RPKI profile object.  There is registration metadata that is often
   needed for troubleshooting but does not appear in, say, a ROA or a
   VRP (Verified ROA Payload), such as:

   *  When did the initial version of a ROA get published?
   *  Was a ROA created in conjunction with an Internet Routing Registry
      (IRR, [RFC2622]) route?
   *  Which IRR route is related to a ROA?
   *  Which IP network is associated with a ROA?

   Furthermore, correlating registered RPKI data with registered IP
   networks and autonomous system numbers would also give access to the
   latter's contact information through RDAP entity objects, which
   should aid troubleshooting.

   In addition to troubleshooting, serving RPKI metadata over RDAP
   offers a convenience to network operators through a simple lookup
   mechanism.  As is demonstrated in [RDAP-GUIDE], constructing custom
   RDAP scripts is relatively easy and beneficial to network operators
   for the purposes of reporting.  Though not RDAP-based, systems such
   as [JDR] and [CLOUDFLARE] have shown the utility of an approach that
   allows users to explore the RPKI hierarchy in a visual fashion,
   without interacting with the signed objects directly.

   For these purposes, this specification defines RDAP object classes,
   as well as lookup and search path segments, for the ROA, ASPA, and
   X.509 resource certificate registration data.

1.1.  Requirements Language

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [BCP14] when, and only when, they appear in all capitals, as shown
   here.

   Indentation and whitespace in examples are provided only to
   illustrate element relationships, and are not a REQUIRED feature of
   this protocol.

   "..." in examples is used as shorthand for elements defined outside
   of this document.

2.  Common Data Members

   The RDAP object classes for RPKI (Section 3.1, Section 4.1,
   Section 5.1) can contain one or more of the following common members:

   *  "handle" -- a string representing the registry-unique identifier
      of an RPKI object registration
   *  "name" -- a string representing the identifier assigned to an RPKI
      object registration by the registration holder
   *  "notValidBefore" -- a string that contains the time and date in
      Zulu (Z) format with UTC offset of 00:00 ([RFC3339]), representing
      the not-valid-before date of an X.509 resource certificate for an
      RPKI object (Section 4 of [RFC6487])
   *  "notValidAfter" -- a string that contains the time and date in
      Zulu (Z) format with UTC offset of 00:00 ([RFC3339]), representing
      the not-valid-after date of an X.509 resource certificate for an
      RPKI object (Section 4 of [RFC6487])
   *  "publicationUri" -- a URI string pointing to the location of an
      RPKI object within an RPKI repository; the URI scheme is "rsync",
      per Section 4 of [RFC6487]
   *  "notificationUri" -- an HTTPS URI string pointing to the location
      of the RPKI Repository Delta Protocol (RRDP) update notification
      file for an RPKI repository (Section 3 of [RFC8182])
   *  "entities" -- an array of entity objects (Section 5.1 of
      [RFC9083]), including the organization (entity) registered as the
      authoritative source for an RPKI object
   *  "rpkiType" -- a string literal representing various combinations
      of an RPKI repository and a Certification Authority (CA), with the
      following possible values:
      -  "hosted" -- both the repository and CA are operated by a
         registry for an organization with allocated resources
      -  "delegated" -- both the repository and CA are operated by an
         organization with resources allocated by a registry
      -  "hybrid" -- the repository is operated by a registry for an
         organization with allocated resources whereas the CA is
         operated by the organization itself

   RRDP is intended as the long-term replacement for rsync in RPKI.  For
   a CA that implements RRDP, the update notification file location is
   expected to be set in each X.509 resource certificate it issues
   (Section 3.2 of [RFC8182]).  Consequently, the "notificationUri" data
   helps identify the RPKI repository and/or CA operated downstream from
   a registry by an organization with resources allocated by that
   registry.

3.  Route Origin Authorization

3.1.  Object Class

   The Route Origin Authorization (ROA) object class can contain the
   following members:

   *  "objectClassName" -- the string "rpki1_roa"
   *  "handle" -- see Section 2
   *  "name" -- see Section 2
   *  "roaIps" -- an array of objects representing CIDR address blocks
      within a ROA; such an object can contain the following members:
      -  "ip" -- a string representing an IPv4 or IPv6 CIDR address
         block with the "<CIDR prefix>/<CIDR length>" format (Section 4
         of [RFC9582])
      -  "maxLength" -- a number representing the maximum prefix length
         that the origin AS is authorized to advertise for the CIDR
         address block; it must not be less than the CIDR length, and
         cannot exceed 32 for IPv4 or 128 for IPv6 (Section 4 of
         [RFC9582])
   *  "originAutnum" -- an unsigned 32-bit integer representing the
      origin autonomous system number (Section 4 of [RFC9582])
   *  "notValidBefore" -- see Section 2
   *  "notValidAfter" -- see Section 2
   *  "publicationUri" -- see Section 2
   *  "notificationUri" -- see Section 2
   *  "entities" -- see Section 2
   *  "rpkiType" -- see Section 2
   *  "events" -- see Section 4.5 of [RFC9083]
   *  "links" -- "self" link, and "related" links for IP network and IRR
      (when defined) objects (Section 4.2 of [RFC9083])
   *  "remarks" -- see Section 4.3 of [RFC9083]

   Here is an elided example of a ROA object:

   {
     "objectClassName": "rpki1_roa",
     "handle": "XXXX",
     "name": "ROA-1",
     "roaIps":
     [
       {
         "ip": "2001:db8::/48",
         "maxLength": 64
       },
       ...
     ],
     "originAutnum": 65536,
     "notValidBefore": "2024-04-27T23:59:59Z",
     "notValidAfter": "2025-04-27T23:59:59Z",
     "publicationUri": "rsync://example.net/path/to/XXXX.roa",
     "notificationUri": "https://example.net/path/to/notification.xml",
     "entities":
     [
       {
         "objectClassName": "entity",
         "handle": "XYZ-RIR",
         ...
       },
       ...
     ],
     "rpkiType": "hosted",
     "events":
     [
       {
         "eventAction": "registration",
         "eventDate": "2024-01-01T23:59:59Z"
       },
       ...
     ],
     "links":
     [
       {
         "value": "https://example.net/rdap/rpki1/roa/XXXX",
         "rel": "self",
         "href": "https://example.net/rdap/rpki1/roa/XXXX",
         "type": "application/rdap+json"
       },
       {
         "value": "https://example.net/rdap/rpki1/roa/XXXX",
         "rel": "related",
         "href": "https://example.net/rdap/ip/2001:db8::/48",
         "type": "application/rdap+json"
       },
       ...
     ],
     "remarks":
     [
       {
         "description": [ "ROA" ]
       }
     ]
   }
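
   The following is an added example, not code from this document, that
   checks a received "rpki1_roa" object against the member definitions
   of Section 2 and Section 3.1: the CIDR blocks and "maxLength" bounds
   of [RFC9582], the unsigned 32-bit "originAutnum", the Zulu-form
   timestamps, the rsync and HTTPS URI schemes, and the "rpkiType"
   values.  The two sample objects are constructed for illustration;
   the draft leaves "maxLength" optional, and the check defaults it to
   the CIDR length, an assumption of this example.

```python
"""Validator for an rpki1_roa object (Section 3.1) and its common members
(Section 2).  Added example, not code from the draft; the sample objects
are constructed for illustration."""
import ipaddress
from datetime import datetime, timezone
from urllib.parse import urlparse

RPKI_TYPES = {"hosted", "delegated", "hybrid"}
MAX_ASN = 2**32 - 1


def _parse_zulu(value):
    """Accept only the RFC 3339 'Z' form the draft uses, e.g. 2024-04-27T23:59:59Z."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError("timestamp must end in 'Z'")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_roa(obj):
    """Return a list of problems; an empty list means the object is well-formed."""
    errors = []
    if obj.get("objectClassName") != "rpki1_roa":
        errors.append("objectClassName must be 'rpki1_roa'")

    roa_ips = obj.get("roaIps")
    if not isinstance(roa_ips, list) or not roa_ips:
        errors.append("roaIps must be a non-empty array")
    else:
        for i, entry in enumerate(roa_ips):
            try:
                net = ipaddress.ip_network(entry["ip"], strict=True)  # rejects host bits
            except (KeyError, ValueError) as exc:
                errors.append(f"roaIps[{i}].ip invalid: {exc}")
                continue
            # Assumption: a missing maxLength means "the CIDR length itself".
            max_len = entry.get("maxLength", net.prefixlen)
            # RFC 9582: prefix length <= maxLength <= 32 (IPv4) or 128 (IPv6)
            if not isinstance(max_len, int) or not (net.prefixlen <= max_len <= net.max_prefixlen):
                errors.append(f"roaIps[{i}].maxLength {max_len!r} out of range for {net}")

    asn = obj.get("originAutnum")
    if not isinstance(asn, int) or isinstance(asn, bool) or not (0 <= asn <= MAX_ASN):
        errors.append("originAutnum must be an unsigned 32-bit integer")

    stamps = {}
    for key in ("notValidBefore", "notValidAfter"):
        if key in obj:
            try:
                stamps[key] = _parse_zulu(obj[key])
            except ValueError as exc:
                errors.append(f"{key} malformed: {exc}")
    if len(stamps) == 2 and stamps["notValidAfter"] <= stamps["notValidBefore"]:
        errors.append("notValidAfter must be later than notValidBefore")

    if "publicationUri" in obj and urlparse(obj["publicationUri"]).scheme != "rsync":
        errors.append("publicationUri must use the rsync scheme")
    if "notificationUri" in obj and urlparse(obj["notificationUri"]).scheme != "https":
        errors.append("notificationUri must use the https scheme")
    if "rpkiType" in obj and obj["rpkiType"] not in RPKI_TYPES:
        errors.append(f"rpkiType {obj['rpkiType']!r} not one of {sorted(RPKI_TYPES)}")
    return errors


# Constructed sample in the shape of the draft's Section 3.1 example (no elided members)
GOOD_ROA = {
    "objectClassName": "rpki1_roa",
    "handle": "XXXX",
    "name": "ROA-1",
    "roaIps": [{"ip": "2001:db8::/48", "maxLength": 64}],
    "originAutnum": 65536,
    "notValidBefore": "2024-04-27T23:59:59Z",
    "notValidAfter": "2025-04-27T23:59:59Z",
    "publicationUri": "rsync://example.net/path/to/XXXX.roa",
    "notificationUri": "https://example.net/path/to/notification.xml",
    "rpkiType": "hosted",
}

# Constructed sample carrying five defects a registry export could plausibly contain
BAD_ROA = {
    "objectClassName": "rpki1_roa",
    "roaIps": [{"ip": "2001:db8::1/48", "maxLength": 64},   # host bits set in the prefix
               {"ip": "192.0.2.0/24", "maxLength": 20}],    # maxLength below the CIDR length
    "originAutnum": 2**32,                                  # one past the 32-bit range
    "notValidBefore": "2024-04-27T23:59:59+00:00",          # offset form, not the 'Z' form
    "publicationUri": "https://example.net/XXXX.roa",       # publication point must be rsync
}

if __name__ == "__main__":
    print("good:", validate_roa(GOOD_ROA))
    print("bad:", *validate_roa(BAD_ROA), sep="\n  ")
```

   The check on "maxLength" is the one most worth keeping in any
   tooling: a registry-side value below the CIDR length or above the
   address-family maximum cannot correspond to a ROA that a relying
   party would accept.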

3.2.  Lookup

   The resource type path segment for exact or closest match lookup of a
   ROA object is "rpki1/roa".

   The following lookup path segments are defined for a ROA object:

   Syntax: rpki1/roa/<handle>

   Syntax: rpki1/roa/<IP address>

   Syntax: rpki1/roa/<CIDR prefix>/<CIDR length>

   A lookup query for ROA information by handle is specified using this
   form:

   rpki1/roa/XXXX

   XXXX is a string representing the "handle" property of a ROA, as
   described in Section 3.1.  The following URL would be used to find
   information for a ROA that exactly matches the
   "8a848ab0729f0f4f0173ba2013bc5eb3" handle:

   https://example.net/rdap/rpki1/roa/8a848ab0729f0f4f0173ba2013bc5eb3

   A lookup query for ROA information by IP address is specified using
   this form:

   rpki1/roa/YYYY

   YYYY is a string representing an IPv4 or IPv6 address.  The following
   URL would be used to find information for a ROA that completely
   encompasses the "192.0.2.0" IP address:

   https://example.net/rdap/rpki1/roa/192.0.2.0

   Similarly, for the "2001:db8::" IP address, with the colons of the
   IPv6 literal percent-encoded in the path:

   https://example.net/rdap/rpki1/roa/2001%3Adb8%3A%3A

   A lookup query for ROA information by CIDR is specified using this
   form:

   rpki1/roa/YYYY/ZZZZ

   YYYY/ZZZZ is a string representing the "ip" property of a CIDR
   address block within a ROA, as described in Section 3.1.  The
   following URL would be used to find information for the most-specific
   ROA matching the "192.0.2.0/25" CIDR:

   https://example.net/rdap/rpki1/roa/192.0.2.0/25

   Similarly, for the "2001:db8::/64" CIDR:

   https://example.net/rdap/rpki1/roa/2001%3Adb8%3A%3A/64

   In the "links" array of a ROA object, the context URI ("value"
   member) of each link should be the lookup URL by its handle, and if
   no handle is available, then the lookup URL by one of its IP
   addresses.

3.3.  Search

   The resource type path segment for searching ROA objects is "rpki1/
   roas".

   The following search path segments are defined for ROA objects:

   Syntax: rpki1/roas?name=<name search pattern>

   Syntax: rpki1/roas?originAutnum=<autonomous system number>

   Searches for ROA information by name are specified using this form:

   rpki1/roas?name=XXXX

   XXXX is a search pattern per Section 4.1 of [RFC9082], representing
   the "name" property of a ROA, as described in Section 3.1.  The
   following URL would be used to find information for ROA names
   matching the "ROA-*" pattern:

   https://example.net/rdap/rpki1/roas?name=ROA-*

   Searches for ROA information by origin autonomous system number are
   specified using this form:

   rpki1/roas?originAutnum=BBBB

   BBBB is an autonomous system number representing the "originAutnum"
   property of a ROA, as described in Section 3.1.  The following URL
   would be used to find information for ROAs with origin autonomous
   system number 65536:

   https://example.net/rdap/rpki1/roas?originAutnum=65536

3.3.1.  Search Results

   The ROA search results are returned in the "rpki1_roaSearchResults"
   member, which is an array of ROA objects (Section 3.1).

   Here is an elided example of the search results when finding
   information for ROAs with origin autonomous system number 65536:

{
  "rdapConformance":
  [
    "rdap_level_0",
    "rpki1",
    ...
  ],
  ...
  "rpki1_roaSearchResults":
  [
    {
      "objectClassName": "rpki1_roa",
      "handle": "XXXX",
      "name": "ROA-1",
      "roaIps":
      [
        {
          "ip": "2001:db8::/48",
          "maxLength": 64
        },
        ...
      ],
      "originAutnum": 65536,
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/XXXX.roa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/roa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8::/48",
          "type": "application/rdap+json"
        },
        ...
      ]
    },
    ...
  ]
}

3.4.  Reverse Search

   Per Section 2 of [RFC9536], if a server receives a reverse search
   query with a searchable resource type of "ips" (Section 5 of
   [I-D.ietf-regext-rdap-rir-search]), a related resource type of
   "rpki1_roa", and a ROA property of "originAutnum" or "ip", then the
   reverse search will be performed on the IP network objects from its
   data store.

   Section 8.2 and Section 8.3 include registration of entries for IP
   network searches in the RDAP Reverse Search and RDAP Reverse Search
   Mapping IANA registries when the related resource type is
   "rpki1_roa".
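
   The following is an added example, not code from this document, that
   builds the ROA lookup URLs of Section 3.2, the search URLs of
   Section 3.3, and the IP network reverse search URL of Section 3.4.
   It classifies a lookup key as a CIDR, a single address, or a handle
   before encoding it, percent-encodes the colons of IPv6 literals as the
   examples above do, and leaves the "/" between a CIDR prefix and its
   length as a path separator.  The base URL https://example.net/rdap is
   the document's own placeholder; the reverse search path follows the
   "<searchable>/reverse_search/<related>?<property>=<value>" form of
   Section 2 of [RFC9536], with "ips" as the searchable resource type.

```python
"""URL builders for the rpki1 ROA lookup (Section 3.2), search (Section 3.3)
and IP network reverse search (Section 3.4) forms.  Added example, not code
from the draft."""
import ipaddress
from urllib.parse import quote, urlencode


def _classify(key):
    """Return 'cidr', 'ip' or 'handle'.  Addresses are tried first so that a
    handle is the fallback, never the default; a malformed CIDR raises."""
    if "/" in key:
        ipaddress.ip_network(key, strict=True)   # ValueError on host bits or junk
        return "cidr"
    try:
        ipaddress.ip_address(key)
        return "ip"
    except ValueError:
        return "handle"


def roa_lookup_url(base, key):
    """rpki1/roa/<handle> | rpki1/roa/<IP address> | rpki1/roa/<prefix>/<length>"""
    if _classify(key) == "cidr":
        prefix, length = key.rsplit("/", 1)
        path = quote(prefix, safe="") + "/" + length   # 2001:db8:: -> 2001%3Adb8%3A%3A
    else:
        path = quote(key, safe="")
    return f"{base.rstrip('/')}/rpki1/roa/{path}"


def roa_search_url(base, *, name=None, origin_autnum=None):
    """rpki1/roas?name=<pattern> or rpki1/roas?originAutnum=<asn>, exactly one."""
    if (name is None) == (origin_autnum is None):
        raise ValueError("specify exactly one of name or origin_autnum")
    if name is not None:
        # keep the RFC 9082 '*' wildcard readable, as in the draft's examples
        query = urlencode({"name": name}, safe="*")
    else:
        query = urlencode({"originAutnum": int(origin_autnum)})
    return f"{base.rstrip('/')}/rpki1/roas?{query}"


def ip_reverse_search_url(base, prop, value):
    """IP network reverse search by a ROA property (Section 3.4), in the
    <searchable>/reverse_search/<related>?<property>=<value> form of RFC 9536."""
    if prop not in ("originAutnum", "ip"):
        raise ValueError("reverse search supports the ROA properties originAutnum and ip")
    return f"{base.rstrip('/')}/ips/reverse_search/rpki1_roa?{urlencode({prop: value})}"


if __name__ == "__main__":
    base = "https://example.net/rdap"
    for key in ("8a848ab0729f0f4f0173ba2013bc5eb3", "192.0.2.0", "2001:db8::",
                "192.0.2.0/25", "2001:db8::/64"):
        print(roa_lookup_url(base, key))
    print(roa_search_url(base, name="ROA-*"))
    print(roa_search_url(base, origin_autnum=65536))
    print(ip_reverse_search_url(base, "originAutnum", 65536))
```

   Encoding the whole key with an empty safe set is deliberate: a handle
   is an opaque registry string and must not be able to smuggle extra
   path segments into the request.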

3.5.  Relationship with IP Network Object Class

   An IP network object can span multiple ROA objects, and vice-versa.
   Their relationship is affected by IP address transfers and splits in
   a registry.  It would be useful to show all the ROA objects
   associated with an IP network object.  To that end, this extension
   adds a new "rpki1_roas" member to the IP Network object class
   (Section 5.4 of [RFC9083]):

   *  "rpki1_roas" -- an array of ROA objects (Section 3.1) associated
      with an IP network object; if the array is too large, the server
      MAY truncate it, per Section 9 of [RFC9083]

   Here is an elided example for an IP network object with ROAs:

{
  "objectClassName": "ip network",
  "handle": "ZZZZ-RIR",
  "startAddress": "2001:db8::",
  "endAddress": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
  "ipVersion": "v6",
  ...
  "rpki1_roas":
  [
    {
      "objectClassName": "rpki1_roa",
      "handle": "XXXX",
      "name": "ROA-1",
      "roaIps":
      [
        {
          "ip": "2001:db8::/48",
          "maxLength": 64
        },
        ...
      ],
      "originAutnum": 65536,
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/XXXX.roa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/roa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/roa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8::/48",
          "type": "application/rdap+json"
        },
        ...
      ]
    },
    {
      "objectClassName": "rpki1_roa",
      "handle": "YYYY",
      "name": "ROA-2",
      "roaIps":
      [
        {
          "ip": "2001:db8:1::/48",
          "maxLength": 64
        },
        ...
      ],
      "originAutnum": 65537,
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/YYYY.roa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/roa/YYYY",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/roa/YYYY",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/roa/YYYY",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8:1::/48",
          "type": "application/rdap+json"
        },
        ...
      ]
    },
    ...
  ]
}
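
   The following is an added example, not code from this document, that
   uses the "rpki1_roas" member of an IP network object as the input to
   a route origin validation check with the semantics of [RFC6811]: a
   route is "valid" when a ROA covering its prefix names its origin AS
   and permits its length, "invalid" when covering ROAs exist but none
   matches, and "notfound" when no ROA covers it.  ROAs whose
   "notValidBefore"/"notValidAfter" window does not contain the time of
   the check are ignored.  The IP network object is constructed in the
   shape of the example above; the registration data served over RDAP is
   not the validated cache a relying party builds from signed objects, so
   a disagreement between the two is a troubleshooting lead, not a
   routing decision.

```python
"""RFC 6811-style origin validation over the ROAs in an IP network object's
"rpki1_roas" member (Section 3.5).  Added example, not code from the draft;
the network object below is constructed for illustration."""
import ipaddress
from datetime import datetime, timezone

# Constructed sample: an IP network object with three ROAs, the last one expired
IP_NETWORK = {
    "objectClassName": "ip network",
    "handle": "ZZZZ-RIR",
    "startAddress": "2001:db8::",
    "endAddress": "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff",
    "ipVersion": "v6",
    "rpki1_roas": [
        {"objectClassName": "rpki1_roa", "handle": "XXXX", "originAutnum": 65536,
         "roaIps": [{"ip": "2001:db8::/48", "maxLength": 64}],
         "notValidBefore": "2024-04-27T23:59:59Z", "notValidAfter": "2025-04-27T23:59:59Z"},
        {"objectClassName": "rpki1_roa", "handle": "YYYY", "originAutnum": 65537,
         "roaIps": [{"ip": "2001:db8:1::/48", "maxLength": 64}],
         "notValidBefore": "2024-04-27T23:59:59Z", "notValidAfter": "2025-04-27T23:59:59Z"},
        {"objectClassName": "rpki1_roa", "handle": "WWWW", "originAutnum": 65538,
         "roaIps": [{"ip": "2001:db8:2::/48", "maxLength": 48}],
         "notValidBefore": "2023-01-01T00:00:00Z", "notValidAfter": "2024-01-01T00:00:00Z"},
    ],
}


def _zulu(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def live_payloads(ip_network_obj, now):
    """Flatten rpki1_roas into (prefix, maxLength, originAutnum, handle) tuples,
    skipping ROAs whose certificate validity window does not contain `now`."""
    out = []
    for roa in ip_network_obj.get("rpki1_roas", []):
        nvb, nva = _zulu(roa["notValidBefore"]), _zulu(roa["notValidAfter"])
        if not (nvb <= now <= nva):
            continue   # expired or not yet valid: a relying party would not use it
        for entry in roa["roaIps"]:
            net = ipaddress.ip_network(entry["ip"])
            max_len = entry.get("maxLength", net.prefixlen)   # assumption: default to CIDR length
            out.append((net, max_len, roa["originAutnum"], roa["handle"]))
    return out


def validate_route(payloads, prefix, origin_asn):
    """Return (state, handles of the covering ROAs) so the operator knows which
    registrations to look at.  'Covering' means the ROA prefix contains the route
    prefix regardless of maxLength; 'matching' additionally requires
    route length <= maxLength and an equal origin AS."""
    route = ipaddress.ip_network(prefix)
    covering = [p for p in payloads
                if p[0].version == route.version and route.subnet_of(p[0])]
    if not covering:
        return "notfound", []
    handles = [c[3] for c in covering]
    for net, max_len, asn, _ in covering:
        if route.prefixlen <= max_len and asn == origin_asn:
            return "valid", handles
    return "invalid", handles


if __name__ == "__main__":
    vrps = live_payloads(IP_NETWORK, _zulu("2024-06-01T00:00:00Z"))
    for pfx, asn in [("2001:db8::/56", 65536), ("2001:db8::/56", 65537),
                     ("2001:db8::/72", 65536), ("2001:db8:2::/48", 65538)]:
        print(pfx, asn, validate_route(vrps, pfx, asn))
```

   The expired ROA is the case worth noticing: the registry still lists
   it under the IP network, so a lookup that ignored the validity window
   would report the 2001:db8:2::/48 announcement as "valid" while every
   relying party treats it as "notfound".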

4.  Autonomous System Provider Authorization

4.1.  Object Class

   The Autonomous System Provider Authorization (ASPA) object class can
   contain the following members:

   *  "objectClassName" -- the string "rpki1_aspa"
   *  "handle" -- see Section 2
   *  "name" -- see Section 2
   *  "autnum" -- an unsigned 32-bit integer representing an autonomous
      system number of the registration holder (Section 3 of
      [I-D.ietf-sidrops-aspa-profile])
   *  "providerAutnums" -- an array of unsigned 32-bit integers, each
      representing the autonomous system number of an AS that is
      authorized as a provider (Section 3 of
      [I-D.ietf-sidrops-aspa-profile])
   *  "notValidBefore" -- see Section 2
   *  "notValidAfter" -- see Section 2
   *  "publicationUri" -- see Section 2
   *  "notificationUri" -- see Section 2
   *  "entities" -- see Section 2
   *  "rpkiType" -- see Section 2
   *  "events" -- see Section 4.5 of [RFC9083]
   *  "links" -- "self" link, and "related" links for autonomous system
      number and IRR (when defined) objects (Section 4.2 of [RFC9083])
   *  "remarks" -- see Section 4.3 of [RFC9083]

   Here is an elided example of an ASPA object:

   {
     "objectClassName": "rpki1_aspa",
     "handle": "XXXX",
     "name": "ASPA-1",
     "autnum": 65536,
     "providerAutnums":
     [
       65542,
       ...
     ],
     "notValidBefore": "2024-04-27T23:59:59Z",
     "notValidAfter": "2025-04-27T23:59:59Z",
     "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
     "notificationUri": "https://example.net/path/to/notification.xml",
     "entities":
     [
       {
         "objectClassName": "entity",
         "handle": "XYZ-RIR",
         ...
       },
       ...
     ],
     "rpkiType": "hosted",
     "events":
     [
       {
         "eventAction": "registration",
         "eventDate": "2024-01-01T23:59:59Z"
       },
       ...
     ],
     "links":
     [
       {
         "value": "https://example.net/rdap/rpki1/aspa/XXXX",
         "rel": "self",
         "href": "https://example.net/rdap/rpki1/aspa/XXXX",
         "type": "application/rdap+json"
       },
       {
         "value": "https://example.net/rdap/rpki1/aspa/XXXX",
         "rel": "related",
         "href": "https://example.net/rdap/autnum/65536",
         "type": "application/rdap+json"
       },
       ...
     ],
     "remarks":
     [
       {
         "description": [ "ASPA" ]
       }
     ]
   }

4.2.  Lookup

   The resource type path segment for exact match lookup of an ASPA
   object is "rpki1/aspa".

   The following lookup path segments are defined for an ASPA object:

   Syntax: rpki1/aspa/<handle>

   Syntax: rpki1/aspa/<autonomous system number>

   A lookup query for ASPA information by handle is specified using this
   form:

   rpki1/aspa/XXXX

   XXXX is a string representing the "handle" property of an ASPA, as
   described in Section 4.1.  The following URL would be used to find
   information for an ASPA that exactly matches the
   "47ab80ed8693f25d0187d93a07db4484" handle:

   https://example.net/rdap/rpki1/aspa/47ab80ed8693f25d0187d93a07db4484

   A lookup query for ASPA information by autonomous system number is
   specified using this form:

   rpki1/aspa/YYYY

   YYYY is an autonomous system number representing the "autnum"
   property of an ASPA, as described in Section 4.1.  The following URL
   would be used to find information for an ASPA with autonomous system
   number 65536:

   https://example.net/rdap/rpki1/aspa/65536

   In the "links" array of an ASPA object, the context URI ("value"
   member) of each link should be the lookup URL by its handle, and if
   no handle is available, then the lookup URL by its autonomous system
   number.

4.3.  Search

   The resource type path segment for searching ASPA objects is "rpki1/
   aspas".

   The following search path segments are defined for ASPA objects:

   Syntax: rpki1/aspas?name=<name search pattern>

   Syntax: rpki1/aspas?providerAutnum=<autonomous system number>

   Searches for ASPA information by name are specified using this form:

   rpki1/aspas?name=XXXX

   XXXX is a search pattern per Section 4.1 of [RFC9082], representing
   the "name" property of an ASPA, as described in Section 4.1.  The
   following URL would be used to find information for ASPA names
   matching the "ASPA-*" pattern:

   https://example.net/rdap/rpki1/aspas?name=ASPA-*

   Searches for ASPA information by provider autonomous system number
   are specified using this form:

   rpki1/aspas?providerAutnum=YYYY

   YYYY is an autonomous system number within the "providerAutnums"
   property of an ASPA, as described in Section 4.1.  The following URL
   would be used to find information for ASPAs with provider autonomous
   system number 65542:

   https://example.net/rdap/rpki1/aspas?providerAutnum=65542

4.3.1.  Search Results

   The ASPA search results are returned in the "rpki1_aspaSearchResults"
   member, which is an array of ASPA objects (Section 4.1).

   Here is an elided example of the search results when finding
   information for ASPAs with provider autonomous system number 65542:

{
  "rdapConformance":
  [
    "rdap_level_0",
    "rpki1",
    ...
  ],
  ...
  "rpki1_aspaSearchResults":
  [
    {
      "objectClassName": "rpki1_aspa",
      "handle": "XXXX",
      "name": "ASPA-1",
      "autnum": 65536,
      "providerAutnums":
      [
        65542,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

4.4.  Reverse Search

   Per Section 2 of [RFC9536], if a server receives a reverse search
   query with a searchable resource type of "autnums" (Section 5 of
   [I-D.ietf-regext-rdap-rir-search]), a related resource type of
   "rpki1_aspa", and an ASPA property of "autnum" or "providerAutnum",
   then the reverse search will be performed on the autonomous system
   number objects from its data store.

   Section 8.2 and Section 8.3 include registration of entries for
   autonomous system number searches in the RDAP Reverse Search and RDAP
   Reverse Search Mapping IANA registries when the related resource type
   is "rpki1_aspa".

4.5.  Relationship with Autonomous System Number Object Class

   An autonomous system number object for an ASN range can span multiple
   ASPA objects.  However, an ASPA object can only be linked to a single
   autonomous system number object.  It would be useful to show all the
   ASPA objects associated with an autonomous system number object.  To
   that end, this extension adds a new "rpki1_aspas" member to the
   Autonomous System Number object class (Section 5.5 of [RFC9083]):

   *  "rpki1_aspas" -- an array of ASPA objects (Section 4.1) for the
      autonomous system number range in the autonomous system number
      object; if the array is too large, the server MAY truncate it, per
      Section 9 of [RFC9083]

   Here is an elided example for an autonomous system number object with
   ASPAs:

{
  "objectClassName": "autnum",
  "handle": "ZZZZ-RIR",
  "startAutnum": 65536,
  "endAutnum": 65541,
  ...
  "rpki1_aspas":
  [
    {
      "objectClassName": "rpki1_aspa",
      "handle": "XXXX",
      "name": "ASPA-1",
      "autnum": 65536,
      "providerAutnums":
      [
        65542,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/XXXX.aspa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/XXXX",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/XXXX",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    {
      "objectClassName": "rpki1_aspa",
      "handle": "YYYY",
      "name": "ASPA-2",
      "autnum": 65537,
      "providerAutnums":
      [
        65543,
        ...
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/YYYY.aspa",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/aspa/YYYY",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/aspa/YYYY",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/aspa/YYYY",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}
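
   The following is an added example, not part of this draft, showing
   how a server could compute the "rpki1_aspas" member of Section 4.5
   and answer the Section 4.4 reverse search over its data store.  It
   assumes the query has already been parsed into its searchable
   resource type, related resource type, property, and value, and that
   "autnumSearchResults" is the result member name defined by
   [I-D.ietf-regext-rdap-rir-search]; the sample objects are constructed.

```python
import copy

# Constructed sample data shaped like the draft's rpki1_aspa and autnum
# objects (handles and ASNs follow its elided examples; WWWW/QQQQ added).
SAMPLE_ASPAS = [
    {"objectClassName": "rpki1_aspa", "handle": "XXXX", "name": "ASPA-1",
     "autnum": 65536, "providerAutnums": [65542, 65543]},
    {"objectClassName": "rpki1_aspa", "handle": "YYYY", "name": "ASPA-2",
     "autnum": 65537, "providerAutnums": [65543]},
    {"objectClassName": "rpki1_aspa", "handle": "WWWW", "name": "ASPA-3",
     "autnum": 64512, "providerAutnums": [65542]},
]
SAMPLE_AUTNUMS = [
    {"objectClassName": "autnum", "handle": "ZZZZ-RIR",
     "startAutnum": 65536, "endAutnum": 65541},
    {"objectClassName": "autnum", "handle": "QQQQ-RIR",
     "startAutnum": 64512, "endAutnum": 64512},
]

# Property paths registered in Section 8.3 for related resource type
# rpki1_aspa, as extractors returning every value found at that path.
ASPA_PROPERTY_PATHS = {
    "autnum": lambda aspa: [aspa["autnum"]],                       # $.autnum
    "providerAutnum": lambda aspa: list(aspa["providerAutnums"]),  # $.providerAutnums[*]
}


def in_range(autnum_obj, asn):
    """True if asn lies within the object's [startAutnum, endAutnum]."""
    return autnum_obj["startAutnum"] <= asn <= autnum_obj["endAutnum"]


def aspas_for_autnum(autnum_obj, aspas):
    """Section 4.5: the ASPA objects whose customer ASN ("autnum") falls in
    the autnum object's range.  Each ASPA links to exactly one autnum
    object, but one autnum object may collect several ASPAs."""
    return [a for a in aspas if in_range(autnum_obj, a["autnum"])]


def with_rpki1_aspas(autnum_obj, aspas, max_items=None):
    """Return a copy of the autnum object carrying the "rpki1_aspas"
    member.  When the array would exceed max_items the server MAY
    truncate it; this copy does so and adds a truncation notice in the
    spirit of Section 9 of RFC 9083 (notice wording is constructed)."""
    obj = copy.deepcopy(autnum_obj)
    matched = aspas_for_autnum(autnum_obj, aspas)
    if max_items is not None and len(matched) > max_items:
        matched = matched[:max_items]
        obj.setdefault("notices", []).append({
            "title": "Truncated Data",
            "description": ["The rpki1_aspas array was truncated."],
        })
    obj["rpki1_aspas"] = matched
    return obj


def reverse_search_autnums(prop, value, autnums, aspas):
    """Section 4.4: reverse search with searchable resource type
    "autnums", related resource type "rpki1_aspa" and ASPA property prop
    ("autnum" or "providerAutnum").  Returns the autnum objects linked to
    at least one matching ASPA, in a response carrying the "rpki1"
    conformance identifier required by Section 6.  "autnumSearchResults"
    is assumed from [I-D.ietf-regext-rdap-rir-search]."""
    try:
        extract = ASPA_PROPERTY_PATHS[prop]
    except KeyError:
        raise ValueError(f"unsupported rpki1_aspa property: {prop}") from None
    matching_aspas = [a for a in aspas if value in extract(a)]
    hits = [obj for obj in autnums
            if any(in_range(obj, a["autnum"]) for a in matching_aspas)]
    return {
        "rdapConformance": ["rdap_level_0", "rpki1"],
        "autnumSearchResults": hits,
    }
```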

5.  X.509 Resource Certificate

5.1.  Object Class

   The X.509 resource certificate object class can contain the following
   members:

   *  "objectClassName" -- the string "rpki1_x509ResourceCert"
   *  "handle" -- see Section 2
   *  "serialNumber" -- a string representing the unique identifier for
      the certificate (Section 4.2 of [RFC6487])
   *  "issuer" -- a string representing the CA that issued the
      certificate (Section 4.4 of [RFC6487])
   *  "signatureAlgorithm" -- a string representing the algorithm used
      by the CA to sign the certificate (Section 4.3 of [RFC6487])
   *  "subject" -- a string representing the identity of the subject the
      certificate is issued to (Section 4.5 of [RFC6487])
   *  "subjectPublicKeyInfo" -- an object representing the subject's
      public key information (Section 4.7 of [RFC6487]), with the
      following members:
      -  "publicKeyAlgorithm" -- a string representing the algorithm for
         the public key
      -  "publicKey" -- a string representation of the public key
   *  "subjectKeyIdentifier" -- a string, typically Base64-encoded,
      representing the unique identifier for the public key
      (Section 4.8.2 of [RFC6487])
   *  "ips" -- an array of strings, each representing an IPv4 or IPv6
      CIDR address block with the "<CIDR prefix>/<CIDR length>" format
      (Section 4.8.10 of [RFC6487])
   *  "autnums" -- an array of unsigned 32-bit integers, each
      representing an autonomous system number (Section 4.8.11 of
      [RFC6487])
   *  "notValidBefore" -- see Section 2
   *  "notValidAfter" -- see Section 2
   *  "publicationUri" -- see Section 2
   *  "notificationUri" -- see Section 2
   *  "entities" -- see Section 2
   *  "rpkiType" -- see Section 2
   *  "events" -- see Section 4.5 of [RFC9083]
   *  "links" -- "self" link, and "related" links for IP network and/or
      autonomous system number objects (Section 4.2 of [RFC9083])
   *  "remarks" -- see Section 4.3 of [RFC9083]

   The following types of certificates can be represented using this
   object class:

   *  a CA certificate that a registry issues to an organization for its
      allocated IP addresses and/or autonomous system numbers,
      authorizing the organization CA to issue end-entity certificates
   *  a BGPSec router certificate ([RFC8209]), in which the holder of one
      or more ASNs cryptographically asserts that a router holding the
      corresponding private key is authorized to emit secure route
      advertisements on behalf of the AS(es) specified in the certificate

   Here is an elided example of an X.509 resource certificate object for
   a CA certificate:

{
  "objectClassName": "rpki1_x509ResourceCert",
  "handle": "ABCD",
  "serialNumber": "1234",
  "issuer": "CN=RIR-CA",
  "signatureAlgorithm": "ecdsa-with-SHA256",
  "subject": "CN=ISP-CA",
  "subjectPublicKeyInfo":
  {
    "publicKeyAlgorithm": "id-ecPublicKey",
    "publicKey": "..."
  },
  "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
  "ips":
  [
    "192.0.2.0/24",
    "2001:db8::/48"
  ],
  "autnums":
  [
    65536,
    65537
  ],
  "notValidBefore": "2024-04-27T23:59:59Z",
  "notValidAfter": "2025-04-27T23:59:59Z",
  "publicationUri": "rsync://example.net/path/to/ABCD.cer",
  "notificationUri": "https://example.net/path/to/notification.xml",
  "entities":
  [
    {
      "objectClassName": "entity",
      "handle": "XYZ-RIR",
      ...
    },
    ...
  ],
  "rpkiType": "hosted",
  "events":
  [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T23:59:59Z"
    },
    ...
  ],
  "links":
  [
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "self",
      "href": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/ip/192.0.2.0/24",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/ip/2001:db8::/48",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65536",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65537",
      "type": "application/rdap+json"
    },
    ...
  ],
  "remarks":
  [
    {
      "description": [ "CA certificate" ]
    }
  ]
}

   Here is an elided example of an X.509 resource certificate object for
   a BGPSec router certificate:

{
  "objectClassName": "rpki1_x509ResourceCert",
  "handle": "EFGH",
  "serialNumber": "5678",
  "issuer": "CN=ISP-CA",
  "signatureAlgorithm": "ecdsa-with-SHA256",
  "subject": "CN=ISP-BGPSEC-ROUTER",
  "subjectPublicKeyInfo":
  {
    "publicKeyAlgorithm": "id-ecPublicKey",
    "publicKey": "..."
  },
  "subjectKeyIdentifier": "iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
  "autnums":
  [
    65536,
    65537
  ],
  "notValidBefore": "2024-04-27T23:59:59Z",
  "notValidAfter": "2025-04-27T23:59:59Z",
  "publicationUri": "rsync://example.net/path/to/EFGH.cer",
  "notificationUri": "https://example.net/path/to/notification.xml",
  "entities":
  [
    {
      "objectClassName": "entity",
      "handle": "XYZ-RIR",
      ...
    },
    ...
  ],
  "rpkiType": "hosted",
  "events":
  [
    {
      "eventAction": "registration",
      "eventDate": "2024-01-01T23:59:59Z"
    },
    ...
  ],
  "links":
  [
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
      "rel": "self",
      "href": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65536",
      "type": "application/rdap+json"
    },
    {
      "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
      "rel": "related",
      "href": "https://example.net/rdap/autnum/65537",
      "type": "application/rdap+json"
    },
    ...
  ],
  "remarks":
  [
    {
      "description": [ "BGPSec router certificate" ]
    }
  ]
}

5.2.  Lookup

   The resource type path segment for exact match lookup of an X.509
   resource certificate object is "rpki1/x509_resource_cert".

   The following lookup path segment is defined for an X.509 resource
   certificate object:

   Syntax: rpki1/x509_resource_cert/<handle>

   For example:

   https://example.net/rdap/rpki1/x509_resource_cert/ABCD

5.3.  Search

   The resource type path segment for searching X.509 resource
   certificate objects is "rpki1/x509_resource_certs".

   The following search path segments are defined for X.509 resource
   certificate objects:

   Syntax: rpki1/x509_resource_certs?handle=<handle search pattern>

   Syntax: rpki1/x509_resource_certs?issuer=<issuer search pattern>

   Syntax: rpki1/x509_resource_certs?subject=<subject search pattern>

   Syntax: rpki1/x509_resource_certs?subjectKeyIdentifier=<subject key
   identifier>

   Syntax: rpki1/x509_resource_certs?ip=<IP address>

   Syntax: rpki1/x509_resource_certs?cidr=<CIDR>

   Syntax: rpki1/x509_resource_certs?autnum=<autonomous system number>

   Searches for X.509 resource certificate information by handle are
   specified using this form:

   rpki1/x509_resource_certs?handle=XXXX

   XXXX is a search pattern per Section 4.1 of [RFC9082], representing
   the "handle" property of an X.509 resource certificate object, as
   described in Section 5.1.  The following URL would be used to find
   information for X.509 resource certificate objects with handle
   matching the "EFG*" pattern:

   https://example.net/rdap/rpki1/x509_resource_certs?handle=EFG*

   Searches for X.509 resource certificate information by certificate
   issuer are specified using this form:

   rpki1/x509_resource_certs?issuer=YYYY

   YYYY is a search pattern per Section 4.1 of [RFC9082], representing
   the "issuer" property of an X.509 resource certificate object, as
   described in Section 5.1.  The following URL would be used to find
   information for X.509 resource certificate objects with issuer
   matching the "CN=ISP-*" pattern:

   https://example.net/rdap/rpki1/x509_resource_certs?issuer=CN%3DISP-*

   Searches for X.509 resource certificate information by certificate
   subject are specified using this form:

   rpki1/x509_resource_certs?subject=ZZZZ

   ZZZZ is a search pattern per Section 4.1 of [RFC9082], representing
   the "subject" property of an X.509 resource certificate object, as
   described in Section 5.1.  The following URL would be used to find
   information for X.509 resource certificate objects with subject
   matching the "CN=ISP-BGPSEC-ROUTE*" pattern:

https://example.net/rdap/rpki1/x509_resource_certs?subject=CN%3DISP-BGPSEC-ROUTE*

   Searches for X.509 resource certificate information by subject key
   identifier are specified using this form:

   rpki1/x509_resource_certs?subjectKeyIdentifier=BBBB

   BBBB is a string representing the "subjectKeyIdentifier" property of
   an X.509 resource certificate object, as described in Section 5.1.
   The following URL would be used to find an X.509 resource certificate
   object with subject key identifier matching the
   "iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=" string:

https://example.net/rdap/rpki1/x509_resource_certs?subjectKeyIdentifier=iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=

   Searches for X.509 resource certificate information by an IP address
   are specified using this form:

   rpki1/x509_resource_certs?ip=CCCC

   CCCC is a string representing an IPv4 or IPv6 address.  The following
   URL would be used to find information for X.509 resource certificate
   objects with the "ips" member encompassing the "192.0.2.0" IP
   address:

   https://example.net/rdap/rpki1/x509_resource_certs?ip=192.0.2.0

   Similarly, for the "2001:db8::" IP address:

  https://example.net/rdap/rpki1/x509_resource_certs?ip=2001%3Adb8%3A%3A

   Searches for X.509 resource certificate information by a CIDR are
   specified using this form:

   rpki1/x509_resource_certs?cidr=CCCC/DDDD

   CCCC/DDDD is a string representing an IPv4 or IPv6 CIDR, with CCCC as
   the CIDR prefix and DDDD as the CIDR length.  The following URL would
   be used to find information for X.509 resource certificate objects
   with the "ips" member encompassing the "192.0.2.0/25" CIDR:

  https://example.net/rdap/rpki1/x509_resource_certs?cidr=192.0.2.0%2F25

   Similarly, for the "2001:db8::/64" CIDR:

https://example.net/rdap/rpki1/x509_resource_certs?cidr=2001%3Adb8%3A%3A%2F64

   Searches for X.509 resource certificate information by an autonomous
   system number are specified using this form:

   rpki1/x509_resource_certs?autnum=EEEE

   EEEE is an autonomous system number within the "autnums" property of
   an X.509 resource certificate object, as described in Section 5.1.
   The following URL would be used to find information for X.509
   resource certificate objects with the "autnums" member including
   autonomous system number 65536:

   https://example.net/rdap/rpki1/x509_resource_certs?autnum=65536

5.3.1.  Search Results

   The X.509 resource certificate search results are returned in the
   "rpki1_x509ResourceCertSearchResults" member, which is an array of
   X.509 resource certificate objects (Section 5.1).

   Here is an elided example of the search results when finding
   information for X.509 resource certificate objects with issuer
   matching the "CN=ISP-*" pattern:

{
  "rdapConformance":
  [
    "rdap_level_0",
    "rpki1",
    ...
  ],
  ...
  "rpki1_x509ResourceCertSearchResults":
  [
    {
      "objectClassName": "rpki1_x509ResourceCert",
      "handle": "EFGH",
      "serialNumber": "5678",
      "issuer": "CN=ISP-CA",
      "signatureAlgorithm": "ecdsa-with-SHA256",
      "subject": "CN=ISP-BGPSEC-ROUTER",
      "subjectPublicKeyInfo":
      {
        "publicKeyAlgorithm": "id-ecPublicKey",
        "publicKey": "..."
      },
      "subjectKeyIdentifier": "iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
      "autnums":
      [
        65536,
        65537
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/EFGH.cer",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}
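
   The following is an added example, not part of this draft, that
   applies the Section 5.3 searches to constructed X.509 resource
   certificate objects and returns the Section 5.3.1 result member.  It
   assumes the query value has already been percent-decoded, that "*"
   is the only wildcard per Section 4.1 of [RFC9082], and that a CIDR or
   IP query value must be well-formed (a malformed value raises
   ValueError, which a server would map to an error response).

```python
import ipaddress
import re

# Constructed sample certificates in the draft's rpki1_x509ResourceCert
# shape (ABCD/EFGH follow its elided examples; IJKL and its key
# identifier are made-up filler).
SAMPLE_CERTS = [
    {"objectClassName": "rpki1_x509ResourceCert", "handle": "ABCD",
     "issuer": "CN=RIR-CA", "subject": "CN=ISP-CA",
     "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
     "ips": ["192.0.2.0/24", "2001:db8::/48"], "autnums": [65536, 65537]},
    {"objectClassName": "rpki1_x509ResourceCert", "handle": "EFGH",
     "issuer": "CN=ISP-CA", "subject": "CN=ISP-BGPSEC-ROUTER",
     "subjectKeyIdentifier": "iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
     "autnums": [65536, 65537]},            # router cert: no "ips" member
    {"objectClassName": "rpki1_x509ResourceCert", "handle": "IJKL",
     "issuer": "CN=RIR-CA", "subject": "CN=OTHER-CA",
     "subjectKeyIdentifier": "kOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
     "ips": ["198.51.100.0/24"], "autnums": [64496]},
]


def pattern_matches(pattern, value):
    """RFC 9082 Section 4.1 partial matching: "*" matches any run of
    characters, everything else is literal and compared case-sensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def cert_covers(cert, query):
    """True if one of the cert's "ips" blocks encompasses query, an
    ipaddress address or network object.  Certs without "ips" (router
    certificates) never match, and address families never mix."""
    for block in cert.get("ips", []):
        net = ipaddress.ip_network(block)
        if net.version != query.version:
            continue
        if isinstance(query, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if query.subnet_of(net):
                return True
        elif query in net:
            return True
    return False


def search_x509_certs(certs, param, value):
    """Evaluate one rpki1/x509_resource_certs?<param>=<value> search
    (Section 5.3) over certs and build the Section 5.3.1 response with
    the "rpki1" conformance identifier required by Section 6."""
    if param in ("handle", "issuer", "subject"):
        hits = [c for c in certs if pattern_matches(value, c[param])]
    elif param == "subjectKeyIdentifier":
        # exact string, not a pattern: the key identifier is a Base64 value
        hits = [c for c in certs if c["subjectKeyIdentifier"] == value]
    elif param == "ip":
        addr = ipaddress.ip_address(value)
        hits = [c for c in certs if cert_covers(c, addr)]
    elif param == "cidr":
        # strict=True rejects host bits set in the prefix, e.g. 192.0.2.1/25
        net = ipaddress.ip_network(value, strict=True)
        hits = [c for c in certs if cert_covers(c, net)]
    elif param == "autnum":
        asn = int(value)
        if not 0 <= asn <= 0xFFFFFFFF:
            raise ValueError("autnum must be an unsigned 32-bit integer")
        hits = [c for c in certs if asn in c.get("autnums", [])]
    else:
        raise ValueError(f"unknown search parameter: {param}")
    return {
        "rdapConformance": ["rdap_level_0", "rpki1"],
        "rpki1_x509ResourceCertSearchResults": hits,
    }
```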

5.4.  Reverse Search

   Per Section 2 of [RFC9536], if a server receives a reverse search
   query with a searchable resource type of "ips" (Section 5 of
   [I-D.ietf-regext-rdap-rir-search]), a related resource type of
   "rpki1_x509ResourceCert", and an X.509 resource certificate property
   of "handle", then the reverse search will be performed on the IP
   network objects from its data store.

   Similarly, if a server receives a reverse search query with a
   searchable resource type of "autnums", a related resource type of
   "rpki1_x509ResourceCert", and an X.509 resource certificate property
   of "handle", then the reverse search will be performed on the
   autonomous system number objects from its data store.

   Section 8.2 and Section 8.3 include registration of entries for IP
   network and autonomous system number searches in the RDAP Reverse
   Search and RDAP Reverse Search Mapping IANA registries when the
   related resource type is "rpki1_x509ResourceCert".

5.5.  Relationship with Other Object Classes

   It would be useful to show all the X.509 resource certificates
   associated with an object of another RDAP class; in particular, with
   an IP network object, an autonomous system number object, or an
   entity (organization) object.  To that end, this extension adds a new
   "rpki1_x509ResourceCerts" member to the IP Network (Section 5.4 of
   [RFC9083]), Autonomous System Number (Section 5.5 of [RFC9083]), and
   Entity (Section 5.1 of [RFC9083]) object classes:

   *  "rpki1_x509ResourceCerts" -- an array of X.509 resource
      certificate objects (Section 5.1) for the IP address range in an
      IP network object, the autonomous system number range in an
      autonomous system number object, or an entity (organization)
      object; if the array is too large, the server MAY truncate it, per
      Section 9 of [RFC9083]

   Here is an elided example for an entity (organization) object with
   X.509 resource certificates:

{
  "objectClassName": "entity",
  "handle": "XYZ-RIR",
  ...
  "rpki1_x509ResourceCerts":
  [
    {
      "objectClassName": "rpki1_x509ResourceCert",
      "handle": "ABCD",
      "serialNumber": "1234",
      "issuer": "CN=RIR-CA",
      "signatureAlgorithm": "ecdsa-with-SHA256",
      "subject": "CN=ISP-CA",
      "subjectPublicKeyInfo":
      {
        "publicKeyAlgorithm": "id-ecPublicKey",
        "publicKey": "..."
      },
      "subjectKeyIdentifier": "hOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
      "ips":
      [
        "192.0.2.0/24",
        "2001:db8::/48"
      ],
      "autnums":
      [
        65536,
        65537
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/ABCD.cer",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/ip/192.0.2.0/24",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/ip/2001:db8::/48",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/ABCD",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    {
      "objectClassName": "rpki1_x509ResourceCert",
      "handle": "EFGH",
      "serialNumber": "5678",
      "issuer": "CN=ISP-CA",
      "signatureAlgorithm": "ecdsa-with-SHA256",
      "subject": "CN=ISP-BGPSEC-ROUTER",
      "subjectPublicKeyInfo":
      {
        "publicKeyAlgorithm": "id-ecPublicKey",
        "publicKey": "..."
      },
      "subjectKeyIdentifier": "iOcGgxqXDa7mYv78fR+sGBKMtWJqItSLfaIYJDKYi8A=",
      "autnums":
      [
        65536,
        65537
      ],
      "notValidBefore": "2024-04-27T23:59:59Z",
      "notValidAfter": "2025-04-27T23:59:59Z",
      "publicationUri": "rsync://example.net/path/to/EFGH.cer",
      "notificationUri": "https://example.net/path/to/notification.xml",
      "entities":
      [
        {
          "objectClassName": "entity",
          "handle": "XYZ-RIR",
          ...
        },
        ...
      ],
      "rpkiType": "hosted",
      "events":
      [
        {
          "eventAction": "registration",
          "eventDate": "2024-01-01T23:59:59Z"
        },
        ...
      ],
      "links":
      [
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "self",
          "href": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65536",
          "type": "application/rdap+json"
        },
        {
          "value": "https://example.net/rdap/rpki1/x509_resource_cert/EFGH",
          "rel": "related",
          "href": "https://example.net/rdap/autnum/65537",
          "type": "application/rdap+json"
        },
        ...
      ],
      ...
    },
    ...
  ]
}

6.  RDAP Conformance

   A server that supports the functionality specified in this document
   MUST include the "rpki1" string literal in the "rdapConformance"
   array of its responses.

7.  Security Considerations

   The RDAP extension in this document MUST NOT be used to directly
   influence internet routing.  Neither RDAP nor this extension defines
   the security properties or distribution mechanisms required to
   securely add, remove, or modify internet routes.

   This document does not introduce any new security considerations past
   those already discussed in the RDAP protocol specifications
   ([RFC7481], [RFC9560]).

8.  IANA Considerations

8.1.  RDAP Extensions Registry

   IANA is requested to register the following values in the RDAP
   Extensions Registry at [RDAP-EXTENSIONS]:

   *  Extension identifier: rpki1
   *  Registry operator: Any
   *  Published specification: This document.
   *  Contact: IETF iesg@ietf.org (mailto:iesg@ietf.org)
   *  Intended usage: This extension is used for accessing the RPKI
      registration data through RDAP.

8.2.  RDAP Reverse Search Registry

   IANA is requested to register the following entries in the RDAP
   Reverse Search Registry at [RDAP-REVERSE-SEARCH]:

   IP network search by the origin autonomous system number of a ROA:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_roa
   *  Property: originAutnum
   *  Description: The server supports the IP network search by the
      origin autonomous system number of an associated RPKI ROA.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   IP network search by a CIDR address block of a ROA:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_roa
   *  Property: ip
   *  Description: The server supports the IP network search by a CIDR
      address block of an associated RPKI ROA.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by the autonomous system number of an
   ASPA:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_aspa
   *  Property: autnum
   *  Description: The server supports the autonomous system number
      search by the autonomous system number of an associated RPKI ASPA.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by a provider autonomous system
   number of an ASPA:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_aspa
   *  Property: providerAutnum
   *  Description: The server supports the autonomous system number
      search by a provider autonomous system number of an associated
      RPKI ASPA.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   IP network search by the handle of an X.509 resource certificate:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_x509ResourceCert
   *  Property: handle
   *  Description: The server supports the IP network search by the
      handle of an associated RPKI X.509 resource certificate.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by the handle of an X.509 resource
   certificate:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_x509ResourceCert
   *  Property: handle
   *  Description: The server supports the autonomous system number
      search by the handle of an associated RPKI X.509 resource
      certificate.
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

8.3.  RDAP Reverse Search Mapping Registry

   IANA is requested to register the following entries in the RDAP
   Reverse Search Mapping Registry at [RDAP-REVERSE-SEARCH-MAPPING]:

   IP network search by the origin autonomous system number of a ROA:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_roa
   *  Property: originAutnum
   *  Property Path: $.originAutnum
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   IP network search by a CIDR address block of a ROA:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_roa
   *  Property: ip
   *  Property Path: $.roaIps[*].ip
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by the autonomous system number of an
   ASPA:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_aspa
   *  Property: autnum
   *  Property Path: $.autnum
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by a provider autonomous system
   number of an ASPA:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_aspa
   *  Property: providerAutnum
   *  Property Path: $.providerAutnums[*]
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   IP network search by the handle of an X.509 resource certificate:

   *  Searchable Resource Type: ips
   *  Related Resource Type: rpki1_x509ResourceCert
   *  Property: handle
   *  Property Path: $.handle
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

   Autonomous system number search by the handle of an X.509 resource
   certificate:

   *  Searchable Resource Type: autnums
   *  Related Resource Type: rpki1_x509ResourceCert
   *  Property: handle
   *  Property Path: $.handle
   *  Registrant Name: IETF
   *  Registrant Contact Information: iesg@ietf.org
   *  Reference: This document.

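   The property paths registered above are JSONPath expressions that a
   server evaluates against a related rpki1 object to decide whether it
   satisfies a reverse search.  The following added example (not part of
   this draft or any RDAP implementation) resolves the small JSONPath
   subset those registrations use ($.name, $.name[*], $.name[*].child)
   over constructed rpki1_roa, rpki1_aspa and rpki1_x509ResourceCert
   objects; exact string comparison of the search value is an assumption
   made here for illustration.

```python
import re

# Constructed sample objects, shaped after the property paths registered above.
SAMPLE_OBJECTS = {
    "rpki1_roa": {"handle": "ROA-1", "originAutnum": 64496,
                  "roaIps": [{"ip": "192.0.2.0/24", "maxLength": 24},
                             {"ip": "2001:db8::/32", "maxLength": 48}]},
    "rpki1_aspa": {"handle": "ASPA-1", "autnum": 64496,
                   "providerAutnums": [64500, 64501]},
    "rpki1_x509ResourceCert": {"handle": "CERT-1"},
}

# (searchable type, related type, property) -> property path, as registered above.
PROPERTY_PATHS = {
    ("ips", "rpki1_roa", "originAutnum"): "$.originAutnum",
    ("ips", "rpki1_roa", "ip"): "$.roaIps[*].ip",
    ("autnums", "rpki1_aspa", "autnum"): "$.autnum",
    ("autnums", "rpki1_aspa", "providerAutnum"): "$.providerAutnums[*]",
    ("ips", "rpki1_x509ResourceCert", "handle"): "$.handle",
    ("autnums", "rpki1_x509ResourceCert", "handle"): "$.handle",
}

# One path step: ".member" optionally followed by the "[*]" wildcard.
STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)(\[\*\])?")

def resolve(path, obj):
    """Evaluate the JSONPath subset above; return every reached value as a list."""
    if not path.startswith("$"):
        raise ValueError("property path must start with '$'")
    current, pos = [obj], 1
    while pos < len(path):
        m = STEP.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported path syntax at {path[pos:]!r}")
        name, wildcard = m.group(1), m.group(2)
        pos = m.end()
        nxt = []
        for node in current:
            if not isinstance(node, dict) or name not in node:
                continue  # a missing member yields no values rather than an error
            value = node[name]
            if wildcard:
                if isinstance(value, list):
                    nxt.extend(value)  # "[*]" fans out over every array element
            else:
                nxt.append(value)
        current = nxt
    return current

def matches(searchable, related, prop, value, obj):
    """True if obj satisfies {searchable}/reverse_search/{related}?{prop}={value}.
    Exact match is an assumption of this example, not a rule of the draft."""
    path = PROPERTY_PATHS.get((searchable, related, prop))
    if path is None:
        raise KeyError(f"no registered mapping for {searchable}/{related}/{prop}")
    return any(str(v) == str(value) for v in resolve(path, obj))
```
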
9.  Acknowledgements

   Job Snijders, Ties de Kock, Mark Kosters, Tim Bruijnzeels, Bart
   Bakker, and Frank Hill provided valuable feedback for this document.

10.  References

10.1.  Normative References

   [BCP14]    Best Current Practice 14,
              <https://www.rfc-editor.org/info/bcp14>.
              At the time of writing, this BCP comprises the following:

              Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

              Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [I-D.ietf-regext-rdap-rir-search]
              Harrison, T. and J. Singh, "RDAP RIR Search", Work in
              Progress, Internet-Draft, draft-ietf-regext-rdap-rir-
              search-13, 25 November 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-regext-
              rdap-rir-search-13>.

   [I-D.ietf-sidrops-aspa-profile]
              Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley,
              R., and B. Maddison, "A Profile for Autonomous System
              Provider Authorization", Work in Progress, Internet-Draft,
              draft-ietf-sidrops-aspa-profile-19, 6 January 2025,
              <https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-
              aspa-profile-19>.

   [RFC1519]  Fuller, V., Li, T., Yu, J., and K. Varadhan, "Classless
              Inter-Domain Routing (CIDR): an Address Assignment and
              Aggregation Strategy", RFC 1519, DOI 10.17487/RFC1519,
              September 1993, <https://www.rfc-editor.org/info/rfc1519>.

   [RFC3339]  Klyne, G. and C. Newman, "Date and Time on the Internet:
              Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
              <https://www.rfc-editor.org/info/rfc3339>.

   [RFC5396]  Huston, G. and G. Michaelson, "Textual Representation of
              Autonomous System (AS) Numbers", RFC 5396,
              DOI 10.17487/RFC5396, December 2008,
              <https://www.rfc-editor.org/info/rfc5396>.

   [RFC6480]  Lepinski, M. and S. Kent, "An Infrastructure to Support
              Secure Internet Routing", RFC 6480, DOI 10.17487/RFC6480,
              February 2012, <https://www.rfc-editor.org/info/rfc6480>.

   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates", RFC 6487,
              DOI 10.17487/RFC6487, February 2012,
              <https://www.rfc-editor.org/info/rfc6487>.

   [RFC8182]  Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
              "The RPKI Repository Delta Protocol (RRDP)", RFC 8182,
              DOI 10.17487/RFC8182, July 2017,
              <https://www.rfc-editor.org/info/rfc8182>.

   [RFC8209]  Reynolds, M., Turner, S., and S. Kent, "A Profile for
              BGPsec Router Certificates, Certificate Revocation Lists,
              and Certification Requests", RFC 8209,
              DOI 10.17487/RFC8209, September 2017,
              <https://www.rfc-editor.org/info/rfc8209>.

   [RFC9082]  Hollenbeck, S. and A. Newton, "Registration Data Access
              Protocol (RDAP) Query Format", STD 95, RFC 9082,
              DOI 10.17487/RFC9082, June 2021,
              <https://www.rfc-editor.org/info/rfc9082>.

   [RFC9083]  Hollenbeck, S. and A. Newton, "JSON Responses for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 9083, DOI 10.17487/RFC9083, June 2021,
              <https://www.rfc-editor.org/info/rfc9083>.

   [RFC9536]  Loffredo, M. and M. Martinelli, "Registration Data Access
              Protocol (RDAP) Reverse Search", RFC 9536,
              DOI 10.17487/RFC9536, April 2024,
              <https://www.rfc-editor.org/info/rfc9536>.

   [RFC9582]  Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S.
              Kent, "A Profile for Route Origin Authorizations (ROAs)",
              RFC 9582, DOI 10.17487/RFC9582, May 2024,
              <https://www.rfc-editor.org/info/rfc9582>.

10.2.  Informative References

   [CLOUDFLARE]
              Cloudflare, "RPKI Portal", <https://rpki.cloudflare.com/>.

   [JDR]      NLNet Labs, "JDR",
              <https://blog.nlnetlabs.nl/introducing-jdr/>.

   [RDAP-EXTENSIONS]
              IANA, "RDAP Extensions",
              <https://www.iana.org/assignments/rdap-extensions/>.

   [RDAP-GUIDE]
              Newton, A., "RDAP Guide",
              <https://rdap.rcode3.com/misc/uses.html>.

   [RDAP-REVERSE-SEARCH]
              IANA, "RDAP Reverse Search",
              <https://www.iana.org/assignments/rdap-reverse-search/>.

   [RDAP-REVERSE-SEARCH-MAPPING]
              IANA, "RDAP Reverse Search Mapping",
              <https://www.iana.org/assignments/rdap-reverse-search-
              mapping/>.

   [RFC2622]  Alaettinoglu, C., Villamizar, C., Gerich, E., Kessens, D.,
              Meyer, D., Bates, T., Karrenberg, D., and M. Terpstra,
              "Routing Policy Specification Language (RPSL)", RFC 2622,
              DOI 10.17487/RFC2622, June 1999,
              <https://www.rfc-editor.org/info/rfc2622>.

   [RFC4271]  Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
              Border Gateway Protocol 4 (BGP-4)", RFC 4271,
              DOI 10.17487/RFC4271, January 2006,
              <https://www.rfc-editor.org/info/rfc4271>.

   [RFC7481]  Hollenbeck, S. and N. Kong, "Security Services for the
              Registration Data Access Protocol (RDAP)", STD 95,
              RFC 7481, DOI 10.17487/RFC7481, March 2015,
              <https://www.rfc-editor.org/info/rfc7481>.

   [RFC9560]  Hollenbeck, S., "Federated Authentication for the
              Registration Data Access Protocol (RDAP) Using OpenID
              Connect", RFC 9560, DOI 10.17487/RFC9560, April 2024,
              <https://www.rfc-editor.org/info/rfc9560>.

Authors' Addresses

   Jasdip Singh
   ARIN
   Email: jasdips@arin.net


   Andy Newton
   ICANN
   Email: andy@hxr.us
