SIDROPS J. Snijders Internet-Draft Intended status: Standards Track B. Bakker Expires: 15 March 2026 T. Bruijnzeels RIPE NCC 11 September 2025 A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache Representation (CCR) draft-spaghetti-sidrops-rpki-ccr-00 Abstract This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). CCR is a DER-encoded data interchange format which can be used to represent various aspects of the state of a validated cache at a particular point in time. The CCR profile is a compact and versatile format well-suited for a diverse set of applications such as audit trail keeping, validated payload dissemination, and analytics pipelines. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 15 March 2026. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Snijders, et al. Expires 15 March 2026 [Page 1] Internet-Draft RPKI Canonical Cache Representation September 2025 Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. The Canonical Cache Representation content type . . . . . . . 3 3. The Canonical Cache Representation content . . . . . . . . . 3 3.1. version . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. hashAlg . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.3. producedAt . . . . . . . . . . . . . . . . . . . . . . . 5 3.4. State aspect fields . . . . . . . . . . . . . . . . . . . 5 3.4.1. ManifestState . . . . . . . . . . . . . . . . . . . . 5 3.4.2. ROAPayloadState . . . . . . . . . . . . . . . . . . . 6 3.4.3. ASPAPayloadState . . . . . . . . . . . . . . . . . . 6 3.4.4. TrustAnchorState . . . . . . . . . . . . . . . . . . 7 4. Operational Considerations . . . . . . . . . . . . . . . . . 7 4.1. Verifying CCR file integrity . . . . . . . . . . . . . . 7 5. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6.1. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) . . . . . . . . . . . . . . . . 7 6.2. RPKI Repository Name Schemes . . . . . . . . . . . . . . 8 6.3. SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) . . . . . . . . . . . . . . . . 8 6.4. Media Types . . . . . . . . . . . . . . . . . . . . . . . 8 6.4.1. Canonical Cache Representation Media Type . . . . . . 8 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 7.1. Normative References . . . . . . . . . . . . . . . . . . 9 7.2. Informative References . . . . . . . . . . . . . . . . . 10 Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 Appendix B. Example CCR . . . . . . . . . . . . . . . . . . . . 11 Appendix C. Implementation status . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 1. Introduction This document specifies a Canonical Cache Representation (CCR) content type for use with the Resource Public Key Infrastructure (RPKI). A validated cache contains all RPKI objects that the Relying Party (RP) has verified to be valid according to the rules for validation (see [RFC6487], [RFC6488], [RFC9286]). CCR is a data interchange format using Distinguished Encoding Rules (DER, [X.690]) which can be used to represent various aspects of the state of a Snijders, et al. Expires 15 March 2026 [Page 2] Internet-Draft RPKI Canonical Cache Representation September 2025 validated cache at a particular point in time. The CCR profile is a compact and versatile format well-suited for a diverse set of applications such as audit record keeping, validated payload dissemination, and analytics pipelines. The format was primarily designed to support comparative analysis of uniformities and differences among multiple RP instances using different RPKI transport protocols (such as [RFC5781], [RFC8182], and [I-D.spaghetti-sidrops-rpki-erik-protocol]). 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. The Canonical Cache Representation content type The contentType for a CCR currently is defined as id-ct- rpkiCanonicalCacheRepresentation, with Object Identifier (OID) 1.3.6.1.4.1.41948.825. Note: as part of the standardization process, the aforementioned contentType value should be changed from its current Private Enterprise Number ([RFC9371]) to an OID assigned by IANA (Section 6). 3. The Canonical Cache Representation content The content of a Canonical Cache Representation is formally defined as follows: RpkiCanonicalCacheRepresentation-2025 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiCCR-2025(TBD) } DEFINITIONS EXPLICIT TAGS ::= BEGIN IMPORTS CONTENT-TYPE, Digest, DigestAlgorithmIdentifier, SubjectKeyIdentifier FROM CryptographicMessageSyntax-2010 -- in [RFC6268] { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) } -- in [draft-spaghetti-sidrops-rpki-erik-protocol-01] ManifestRef Snijders, et al. Expires 15 March 2026 [Page 3] Internet-Draft RPKI Canonical Cache Representation September 2025 FROM RpkiErikPartition-2025 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiErikPartition-2025(TBD) } ASID, ROAIPAddressFamily FROM RPKI-ROA-2023 -- in [RFC9582] { so(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) mod(0) id-mod-rpkiROA-2023(75) } ; ct-rpkiCanonicalCacheRepresentation CONTENT-TYPE ::= { TYPE RpkiCanonicalCacheRepresentation IDENTIFIED BY id-ct-rpkiCanonicalCacheRepresentation } id-ct-rpkiCanonicalCacheRepresentation OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) snijders(41948) ccr(825) } RpkiCanonicalCacheRepresentation ::= SEQUENCE { version [0] INTEGER DEFAULT 0, hashAlg DigestAlgorithmIdentifier, producedAt GeneralizedTime, mfts [1] ManifestState OPTIONAL, vrps [2] ROAPayloadState OPTIONAL, vaps [3] ASPAPayloadState OPTIONAL, tas [4] TrustAnchorState OPTIONAL, ... } -- at least one of mfts, vrps, vaps, or tas MUST be present ( WITH COMPONENTS { ..., mfts PRESENT } | WITH COMPONENTS { ..., vrps PRESENT } | WITH COMPONENTS { ..., vaps PRESENT } | WITH COMPONENTS { ..., tas PRESENT } ) ManifestState ::= SEQUENCE { mftrefs SEQUENCE OF ManifestRef, mostRecentUpdate GeneralizedTime, hash Digest } ROAPayloadState ::= SEQUENCE { rps SEQUENCE OF ROAPayloadSet, hash Digest } ROAPayloadSet ::= SEQUENCE { asID ASID, ipAddrBlocks SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily } ASPAPayloadState ::= SEQUENCE { aps SEQUENCE OF ASPAPayloadSet, Snijders, et al. Expires 15 March 2026 [Page 4] Internet-Draft RPKI Canonical Cache Representation September 2025 hash Digest } ASPAPayloadSet ::= SEQUENCE { customerASID ASID providers SEQUENCE (SIZE(1..MAX)) OF ASID } TrustAnchorState ::= SEQUENCE { skis SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier, hash Digest } END 3.1. version The version field contains the format version for the RpkiCanonicalCacheRepresentation structure, in this version of the specification it MUST be 0. 3.2. hashAlg The hashAlg field specifies the algorithm used to construct the message digests. This profile uses SHA-256 [SHS], therefore the OID MUST be 2.16.840.1.101.3.4.2.1. 3.3. producedAt The producedAt field contains a GeneralizedTime and indicates the moment in time the CCR was generated. 3.4. State aspect fields Each CCR contains one or more fields representing particular aspects of the cache's state. Implementers should note the ellipsis extension marker in the RpkiCanonicalCacheRepresentation ASN.1 notation and anticipate future changes as new signed object types are standardized. Each state aspect generally consists of a sequence of details extracted from RPKI Objects of a specific type, along with a digest computed by hashing the aforementioned DER-encoded sequence, optionally including some metadata. 3.4.1. ManifestState An instance of ManifestState represents the set of valid, current Manifests ([RFC9286]) in the cache. It contains three fields: Snijders, et al. Expires 15 March 2026 [Page 5] Internet-Draft RPKI Canonical Cache Representation September 2025 The mftrefs field contains a SEQUENCE of ManifestRef structures (see Section 3 of [I-D.spaghetti-sidrops-rpki-erik-protocol]) sorted in ascending order by hash value. The hash value in each instance of ManifestRef MUST be unique with respect to the other instances of ManifestRef. The mostRecentUpdate is a metadata field which contains the most recent thisUpdate amongst all Manifests. If the mftrefs field contains an empty sequence, the mostRecentUpdate MUST be set to the POSIX Epoch ("19700101000000Z"). The hash field contains a message digest computed using the mftrefs value (encoded in DER format) as input message. 3.4.2. ROAPayloadState An instance of ROAPayloadState contains a field named rps which represents the current set of Validated ROA Payloads (Section 2 of [RFC6811]) encoded as a SEQUENCE of ROAPayloadSet instances. The ROAPayloadSet structure is modeled after the RouteOriginAttestation (Section 4 of [RFC9582]). The asID value in each instance of ROAPayloadSet MUST be unique with respect to other instances of ROAPayloadSet. The contents of the ipAddrBlocks field MUST appear in canonical form and ordered as defined in Section 4.3.3 of [RFC9582]. The hash field contains a message digest computed using the rps value (encoded in DER format) as input message. 3.4.3. ASPAPayloadState An instance of ASPAPayloadState contains an aps field which represents the current set of deduplicated and merged ASPA payloads ([I-D.ietf-sidrops-aspa-profile]) ordered by ascending customerASID value encoded as a SEQUENCE of ASPAPayloadSet instances. The customerASID value in each instance of ASPAPayloadSet MUST be unique with respect to other instances of ASPAPayloadSet. The ASPAPayloadSet structure is modeled after the ProviderASSet (Section 3.3 of [I-D.ietf-sidrops-aspa-profile]). The hash field contains a message digest computed using the aps value (encoded in DER format) as input message. Snijders, et al. Expires 15 March 2026 [Page 6] Internet-Draft RPKI Canonical Cache Representation September 2025 3.4.4. TrustAnchorState An instance of TrustAnchorState represents the set of valid Trust Anchor (TA) Certification Authority (CA) resource certificates used by the relying party when producing the CCR. The skis field contains a sequence of Subject Key Identifiers (SKI) sorted in ascending order. Each SubjectKeyIdentifier is the 160-bit SHA-1 hash of the value of the DER-encoded ASN.1 bit string of the TA's Subject Public Key, as described in Section 4.8.2 of [RFC6487]. The hash field contains a message digest computed using the skis value (encoded in DER format) as input message. 4. Operational Considerations Comparing the ManifestState mostRecentUpdate timestamp value with the producedAt timestamp might help offer insight into the timing and propagation delays of the RPKI supply chain. Given the absence of public keys and fairly repetitive content in RPKI AccessDescription instances, it should be noted CCR content compresses well. 4.1. Verifying CCR file integrity The integrity of a CCR object can be checked by confirming whether the hash values embedded inside state aspects match the computed hash value of the respective state aspect payload structure. 5. Security Considerations CCR objects are not signed objects. 6. IANA Considerations 6.1. SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1) _NOTE: unclear which registry this actually should go..._ IANA is requested to allocate the following in the "SMI Security for S/MIME CMS Content Type (1.2.840.113549.1.9.16.1)" registry: Snijders, et al. Expires 15 March 2026 [Page 7] Internet-Draft RPKI Canonical Cache Representation September 2025 +=========+==================================+==================+ | Decimal | Description | References | +=========+==================================+==================+ | TBD | id-ct- | draft-spaghetti- | | | rpkiCanonicalCacheRepresentation | sidrops-rpki-ccr | +---------+----------------------------------+------------------+ Table 1 6.2. RPKI Repository Name Schemes IANA is requested to add the Canonical Cache Representation file extension to the "RPKI Repository Name Schemes" registry [RFC6481] as follows: +===========+=================+==================================+ | Filename | RPKI Object | Reference | | Extension | | | +===========+=================+==================================+ | .ccr | Canonical Cache | draft-spaghetti-sidrops-rpki-ccr | | | Representation | | +-----------+-----------------+----------------------------------+ Table 2 6.3. SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0) IANA is requested to allocate the following in the "SMI Security for S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry: +=========+=====================+==================================+ | Decimal | Description | References | +=========+=====================+==================================+ | TBD | id-mod-rpkiCCR-2025 | draft-spaghetti-sidrops-rpki-ccr | +---------+---------------------+----------------------------------+ Table 3 6.4. Media Types IANA is requested to register the media type "application/rpki-ccr" in the "Media Types" registry as follows: 6.4.1. Canonical Cache Representation Media Type Type name: application Subtype name: rpki-ccr Snijders, et al. Expires 15 March 2026 [Page 8] Internet-Draft RPKI Canonical Cache Representation September 2025 Required parameters: N/A Optional parameters: N/A Encoding considerations: binary Security considerations: This media type contains no active content. Interoperability considerations: N/A Published specification: draft-spaghetti-sidrops-rpki-ccr Applications that use this media type: RPKI operators Fragment identifier considerations: N/A Additional information: Content: This media type is a RPKI Canonical Cache Representation object, as defined in draft- spaghetti-sidrops-rpki-ccr. Magic number(s): N/A File extension(s): .ccr Macintosh file type code(s): N/A Person & email address to contact for further information: Job Snijders (job@sobornost.net) Intended usage: COMMON Restrictions on usage: N/A Author: Job Snijders (job@sobornost.net) Change controller: IETF 7. References 7.1. Normative References [I-D.ietf-sidrops-aspa-profile] Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley, R., and B. Maddison, "A Profile for Autonomous System Provider Authorization", Work in Progress, Internet-Draft, draft-ietf-sidrops-aspa-profile-20, 18 August 2025, . [I-D.spaghetti-sidrops-rpki-erik-protocol] Snijders, J., Bruijnzeels, T., Harrison, T., and W. Ohgai, "The Erik Synchronization Protocol for use with the Resource Public Key Infrastructure (RPKI)", Work in Progress, Internet-Draft, draft-spaghetti-sidrops-rpki- erik-protocol-01, 11 September 2025, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Snijders, et al. Expires 15 March 2026 [Page 9] Internet-Draft RPKI Canonical Cache Representation September 2025 [RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, DOI 10.17487/RFC6481, February 2012, . [RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, DOI 10.17487/RFC6487, February 2012, . [RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012, . [RFC6811] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R. Austein, "BGP Prefix Origin Validation", RFC 6811, DOI 10.17487/RFC6811, January 2013, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC9286] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022, . [RFC9582] Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S. Kent, "A Profile for Route Origin Authorizations (ROAs)", RFC 9582, DOI 10.17487/RFC9582, May 2024, . [SHS] National Institute of Standards and Technology, "Secure Hash Standard", March 2012, . [X.690] ITU-T, "Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (B ER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, February 2021, . 7.2. Informative References Snijders, et al. Expires 15 March 2026 [Page 10] Internet-Draft RPKI Canonical Cache Representation September 2025 [RFC5781] Weiler, S., Ward, D., and R. Housley, "The rsync URI Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010, . [RFC8182] Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein, "The RPKI Repository Delta Protocol (RRDP)", RFC 8182, DOI 10.17487/RFC8182, July 2017, . [RFC9371] Baber, A. and P. Hoffman, "Registration Procedures for Private Enterprise Numbers (PENs)", RFC 9371, DOI 10.17487/RFC9371, March 2023, . [rpki-client] Jeker, C., Dzonsons, K., Buehler, T., and J. Snijders, "rpki-client", August 2025, . Appendix A. Acknowledgements The authors wish to thank Theo Buehler for their generous feedback on this specification. Appendix B. Example CCR For a more elaborate example based on the global RPKI, see the URL in Appendix C. The following Base64-encoded blob contains a CCR listing 7 Manifest references, 5 Trust Anchor key identifiers, 0 ROA payloadsets and 0 ASPA payloadsets. It decodes as following: Snijders, et al. Expires 15 March 2026 [Page 11] Internet-Draft RPKI Canonical Cache Representation September 2025 $ rpki-client -f rpki.ccr File: rpki.ccr Hash identifier: j0NY9jKRKInopFJEpUywA4iZk0S6+9JF5H1XWKSrN1Y= CCR produced at: Wed 10 Sep 2025 08:16:33 +0000 Manifest state hash: Q0RDRkNDODlGNzhBNjVBMjcwQUFEMUQyNzUzMDczNjM= Manifest last update: Tue 09 Sep 2025 06:40:28 +0000 Manifest references: hash:NnnRzY/bqsyvIpxqd6J889SrjhhLPhvBJdsa3FAKsoY= size:1914 aki:13D4F24F9A9FCD98DB36F930631808C88F3974BC seqnum:010D0C9F4328584AE911B4F700712A87CD3AD281 sia:rsync://rpki.arin.net/repository/arin-rpki-ta/arin-rpki-ta.mft hash:RhGpQlXRWlD8hqMOj8bw+OsTEb/LxvFCJafqAcRTWuw= size:2218 aki:946DAE8464E7C581E9BA5787F74CBDA9DCF6F8CD seqnum:0145 sia:rsync://repository.lacnic.net/rpki/lacnic/E5AA1B2C690D34DD3A42E0C0268C3218ED158E15D29FCBD0BAB66B4786D632E6/0/946DAE8464E7C581E9BA5787F74CBDA9DCF6F8CD.mft hash:WCMf+nEY+28XN2sMvwb0IinMPbrncMV5xIgNeZDeVkY= size:2324 aki:98142C9D0B41A3B9FB603D769848236FD1F31924 seqnum:01DB sia:rsync://rpki.apnic.net/repository/980652E0B77E11E7A96A39521A4F4FB4/mBQsnQtBo7n7YD12mEgjb9HzGSQ.mft hash:a97DWzqSw63IBAs/lYmBskSeSN7z3WqF6otf5QONtbg= size:2222 aki:EB680F38F5D6C71BB4B106B8BD06585012DA31B6 seqnum:C4 sia:rsync://rpki.afrinic.net/repository/04E8B0D80F4D11E0B657D8931367AE7D/62gPOPXWxxu0sQa4vQZYUBLaMbY.mft hash:jYjg8nTVgVN0UZy/hD7e+HZakOP27uePHFO0WxONXLE= size:1959 aki:FC8A9CB3ED184E17D30EEA1E0FA7615CE4B1AF47 seqnum:19 sia:rsync://repository.lacnic.net/rpki/lacnic/FC8A9CB3ED184E17D30EEA1E0FA7615CE4B1AF47.mft hash:wtBCe8WjLELuoatWY9WSsfwpx9TvFqsLXh1jHQOdzCE= size:1786 aki:E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3 seqnum:54 sia:rsync://rpki.ripe.net/repository/ripe-ncc-ta.mft hash:6bVWV9u2sQjBR0Qn8UBbNWNTnInl4eFumrqfAzm7pq0= size:1954 aki:0B9CCA90DD0D7A8A37666B19217FE0D84037B7A2 seqnum:D0 sia:rsync://rpki.apnic.net/repository/838DB214166511E2B3BC286172FD1FF2/C5zKkN0Neoo3ZmsZIX_g2EA3t6I.mft ROA payload state hash: RTRGNjBEMEFBNkQ3RjNEM0I2QTY0OTRCMUM4NjFCOTk= ROA payload entries: ASPA payload state hash: RTRGNjBEMEFBNkQ3RjNEM0I2QTY0OTRCMUM4NjFCOTk= ASPA payload entries: Trust anchor state hash: QjlCQTY2QjJCQ0Q1NEU0ODEyMjQ5RjYwRUQyREU5MzU= Trust anchor keyids: 0B9CCA90DD0D7A8A37666B19217FE0D84037B7A2, 13D4F24F9A9FCD98DB36F930631808C88F3974BC, E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3, EB680F38F5D6C71BB4B106B8BD06585012DA31B6, FC8A9CB3ED184E17D30EEA1E0FA7615CE4B1AF47 Validation: N/A Snijders, et al. Expires 15 March 2026 [Page 12] Internet-Draft RPKI Canonical Cache Representation September 2025 MIIGNwYKKwYBBAGCx1yGOaCCBicEggYjMIIGHwYJYIZIAWUDBAIBGA8yMDI1MDkxMDA4MTYz M1qhggUXMIIFEzCCBNwwgaAEIDZ50c2P26rMryKcaneifPPUq44YSz4bwSXbGtxQCrKGAgIH egQUE9TyT5qfzZjbNvkwYxgIyI85dLwCFAENDJ9DKFhK6RG09wBxKofNOtKBMEwwSgYIKwYB BQUHMAuGPnJzeW5jOi8vcnBraS5hcmluLm5ldC9yZXBvc2l0b3J5L2FyaW4tcnBraS10YS9h cmluLXJwa2ktdGEubWZ0MIHsBCBGEalCVdFaUPyGow6PxvD46xMRv8vG8UIlp+oBxFNa7AIC CKoEFJRtroRk58WB6bpXh/dMvanc9vjNAgIBRTCBqTCBpgYIKwYBBQUHMAuGgZlyc3luYzov L3JlcG9zaXRvcnkubGFjbmljLm5ldC9ycGtpL2xhY25pYy9FNUFBMUIyQzY5MEQzNEREM0E0 MkUwQzAyNjhDMzIxOEVEMTU4RTE1RDI5RkNCRDBCQUI2NkI0Nzg2RDYzMkU2LzAvOTQ2REFF ODQ2NEU3QzU4MUU5QkE1Nzg3Rjc0Q0JEQTlEQ0Y2RjhDRC5tZnQwgbIEIFgjH/pxGPtvFzdr DL8G9CIpzD2653DFecSIDXmQ3lZGAgIJFAQUmBQsnQtBo7n7YD12mEgjb9HzGSQCAgHbMHAw bgYIKwYBBQUHMAuGYnJzeW5jOi8vcnBraS5hcG5pYy5uZXQvcmVwb3NpdG9yeS85ODA2NTJF MEI3N0UxMUU3QTk2QTM5NTIxQTRGNEZCNC9tQlFzblF0Qm83bjdZRDEybUVnamI5SHpHU1Eu bWZ0MIG0BCBr3sNbOpLDrcgECz+ViYGyRJ5I3vPdaoXqi1/lA421uAICCK4EFOtoDzj11scb tLEGuL0GWFAS2jG2AgIAxDByMHAGCCsGAQUFBzALhmRyc3luYzovL3Jwa2kuYWZyaW5pYy5u ZXQvcmVwb3NpdG9yeS8wNEU4QjBEODBGNEQxMUUwQjY1N0Q4OTMxMzY3QUU3RC82MmdQT1BY V3h4dTBzUWE0dlFaWVVCTGFNYlkubWZ0MIGlBCCNiODydNWBU3RRnL+EPt74dlqQ4/bu548c U7RbE41csQICB6cEFPyKnLPtGE4X0w7qHg+nYVzksa9HAgEZMGQwYgYIKwYBBQUHMAuGVnJz eW5jOi8vcmVwb3NpdG9yeS5sYWNuaWMubmV0L3Jwa2kvbGFjbmljL0ZDOEE5Q0IzRUQxODRF MTdEMzBFRUExRTBGQTc2MTVDRTRCMUFGNDcubWZ0MH8EIMLQQnvFoyxC7qGrVmPVkrH8KcfU 7xarC14dYx0DncwhAgIG+gQU6FUrH9bRpPfkBMbY5WgNHrwWP8MCAVQwPjA8BggrBgEFBQcw C4YwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRvcnkvcmlwZS1uY2MtdGEubWZ0MIGy BCDptVZX27axCMFHRCfxQFs1Y1OcieXh4W6aup8DObumrQICB6IEFAucypDdDXqKN2ZrGSF/ 4NhAN7eiAgIA0DBwMG4GCCsGAQUFBzALhmJyc3luYzovL3Jwa2kuYXBuaWMubmV0L3JlcG9z aXRvcnkvODM4REIyMTQxNjY1MTFFMkIzQkMyODYxNzJGRDFGRjIvQzV6S2tOME5lb28zWm1z WklYX2cyRUEzdDZJLm1mdBgPMjAyNTA5MDkwNjQwMjhaBCDNz8yJ94plonCq0dJ1MHNjnbuO jquEZ47hjX6elGuEPaImMCQwAAQg5PYNCqbX89O2pklLHIYbmfZJxvnsUauvIBsg8pcyfJWj JjAkMAAEIOT2DQqm1/PTtqZJSxyGG5n2Scb57FGrryAbIPKXMnyVpIGVMIGSMG4EFAucypDd DXqKN2ZrGSF/4NhAN7eiBBQT1PJPmp/NmNs2+TBjGAjIjzl0vAQU6FUrH9bRpPfkBMbY5WgN HrwWP8MEFOtoDzj11scbtLEGuL0GWFAS2jG2BBT8ipyz7RhOF9MO6h4Pp2Fc5LGvRwQgubpm srzVTkgSJJ9g7S3pNXZwzEj/hI8bw19ZhnA95x8= Appendix C. Implementation status This section is to be removed before publishing as an RFC. This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in RFC 7942. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist. Snijders, et al. Expires 15 March 2026 [Page 13] Internet-Draft RPKI Canonical Cache Representation September 2025 According to RFC 7942, "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit". * Example .ccr files were created by Job Snijders. A current example CCR (regenerated every few minutes) is available here: https://console.rpki-client.org/rpki.ccr * A CCR serializer and deserializer implementation based on [rpki-client] was provided by Job Snijders. Authors' Addresses Job Snijders Amsterdam Netherlands Email: job@sobornost.net Bart Bakker RIPE NCC Netherlands Email: bbakker@ripe.net Tim Bruijnzeels RIPE NCC Netherlands Email: tbruijnzeels@ripe.net Snijders, et al. Expires 15 March 2026 [Page 14]