SIDROPS                                                      J. Snijders
Internet-Draft                                                       BSD
Intended status: Standards Track                               B. Bakker
Expires: 5 June 2026                                      T. Bruijnzeels
                                                                RIPE NCC
                                                              T. Buehler
                                                                 OpenBSD
                                                         2 December 2025


 A Profile for Resource Public Key Infrastructure (RPKI) Canonical Cache
                          Representation (CCR)
                     draft-ietf-sidrops-rpki-ccr-01

Abstract

   This document specifies a Canonical Cache Representation (CCR)
   content type for use with the Resource Public Key Infrastructure
   (RPKI).  CCR is a DER-encoded data interchange format which can be
   used to represent various aspects of the state of a validated cache
   at a particular point in time.  The CCR profile is a compact and
   versatile format well-suited for a diverse set of applications such
   as audit trail keeping, validated payload dissemination, and
   analytics pipelines.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 June 2026.

Copyright Notice

   Copyright (c) 2025 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Snijders, et al.           Expires 5 June 2026                  [Page 1]

Internet-Draft     RPKI Canonical Cache Representation     December 2025

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  The Canonical Cache Representation content type
   3.  The Canonical Cache Representation content
     3.1.  version
     3.2.  hashAlg
     3.3.  producedAt
     3.4.  State aspect fields
       3.4.1.  ManifestState
       3.4.2.  ROAPayloadState
       3.4.3.  ASPAPayloadState
       3.4.4.  TrustAnchorState
       3.4.5.  RouterKeyState
   4.  Operational Considerations
     4.1.  Verifying CCR file integrity
   5.  Security Considerations
   6.  IANA Considerations
     6.1.  SMI Security for S/MIME CMS Content Type
           (1.2.840.113549.1.9.16.1)
     6.2.  RPKI Repository Name Schemes
     6.3.  SMI Security for S/MIME Module Identifier
           (1.2.840.113549.1.9.16.0)
     6.4.  Media Types
       6.4.1.  Canonical Cache Representation Media Type
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Appendix A.  Acknowledgements
   Appendix B.  Example CCR
   Appendix C.  Implementation status
   Authors' Addresses

1.  Introduction

   This document specifies a Canonical Cache Representation (CCR)
   content type for use with the Resource Public Key Infrastructure
   (RPKI).  A validated cache contains all RPKI objects that the Relying
   Party (RP) has verified to be valid according to the rules for
   validation (see [RFC6487], [RFC6488], [RFC9286]).  CCR is a data
   interchange format using Distinguished Encoding Rules (DER, [X.690])
   which can be used to represent various aspects of the state of a
   validated cache at a particular point in time.

   The CCR profile is a compact and versatile format well-suited for a
   diverse set of applications such as audit record keeping, validated
   payload dissemination, and analytics pipelines.  The format was
   primarily designed to support comparative analysis of uniformities
   and differences among multiple RP instances using different RPKI
   transport protocols (such as [RFC5781], [RFC8182], and
   [I-D.ietf-sidrops-rpki-erik-protocol]).

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The Canonical Cache Representation content type

   The content of a CCR file is an instance of EncapsulatedContentInfo.

   The contentType for a CCR is defined as
   id-ct-rpkiCanonicalCacheRepresentation, with Object Identifier (OID)
   1.2.840.113549.1.9.16.1.54.

   The eContent is the payload of the CCR encapsulated as an OCTET
   STRING.

3.  The Canonical Cache Representation content

   The content of a Canonical Cache Representation is formally defined
   as follows:

   RpkiCanonicalCacheRepresentation-2025
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs9(9) smime(16) mod(0) id-mod-rpkiCCR-2025(TBD) }

   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN

   IMPORTS
     CONTENT-TYPE, Digest, DigestAlgorithmIdentifier,
     SubjectKeyIdentifier
     FROM CryptographicMessageSyntax-2010 -- in [RFC6268]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-9(9) smime(16) modules(0) id-mod-cms-2009(58) }

     ASID, ROAIPAddressFamily
     FROM RPKI-ROA-2023 -- in [RFC9582]
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs9(9) smime(16) mod(0) id-mod-rpkiROA-2023(75) }

     CertificateSerialNumber, SubjectPublicKeyInfo
     FROM PKIX1Explicit-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-explicit-02(51) }

     AccessDescription, KeyIdentifier
     FROM PKIX1Implicit-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-implicit-02(59) }
   ;

   EncapsulatedContentInfo ::= SEQUENCE {
     eContentType      CONTENT-TYPE.&id({ContentSet}),
     eContent      [0] EXPLICIT OCTET STRING
         (CONTAINING CONTENT-TYPE.&Type({ContentSet}{@eContentType}))
         OPTIONAL }

   ContentSet CONTENT-TYPE ::= {
     ct-rpkiCanonicalCacheRepresentation, ... }

   ct-rpkiCanonicalCacheRepresentation CONTENT-TYPE ::=
     { TYPE RpkiCanonicalCacheRepresentation
       IDENTIFIED BY id-ct-rpkiCanonicalCacheRepresentation }

   id-ct-rpkiCanonicalCacheRepresentation OBJECT IDENTIFIER ::=
     { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
       pkcs-9(9) id-smime(16) id-ct(1) ccr(54) }

   RpkiCanonicalCacheRepresentation ::= SEQUENCE {
     version     [0] INTEGER DEFAULT 0,
     hashAlg         DigestAlgorithmIdentifier,
     producedAt      GeneralizedTime,
     mfts        [1] ManifestState OPTIONAL,
     vrps        [2] ROAPayloadState OPTIONAL,
     vaps        [3] ASPAPayloadState OPTIONAL,
     tas         [4] TrustAnchorState OPTIONAL,
     rks         [5] RouterKeyState OPTIONAL,
     ... }
     -- at least one of mfts, vrps, vaps, tas, or rks MUST be present
     ( WITH COMPONENTS { ..., mfts PRESENT } |
       WITH COMPONENTS { ..., vrps PRESENT } |
       WITH COMPONENTS { ..., vaps PRESENT } |
       WITH COMPONENTS { ..., tas PRESENT } |
       WITH COMPONENTS { ..., rks PRESENT } )

   ManifestState ::= SEQUENCE {
     mis               SEQUENCE OF ManifestInstance,
     mostRecentUpdate  GeneralizedTime,
     hash              Digest }

   ManifestInstance ::= SEQUENCE {
     hash              Digest,
     size              INTEGER (1000..MAX),
     aki               KeyIdentifier,
     manifestNumber    INTEGER (0..MAX),
     thisUpdate        GeneralizedTime,
     locations         SEQUENCE SIZE (1..MAX) OF AccessDescription,
     subordinates      SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier
                         OPTIONAL }

   ROAPayloadState ::= SEQUENCE {
     rps               SEQUENCE OF ROAPayloadSet,
     hash              Digest }

   ROAPayloadSet ::= SEQUENCE {
     asID              ASID,
     ipAddrBlocks      SEQUENCE (SIZE(1..2)) OF ROAIPAddressFamily }

   ASPAPayloadState ::= SEQUENCE {
     aps               SEQUENCE OF ASPAPayloadSet,
     hash              Digest }

   ASPAPayloadSet ::= SEQUENCE {
     customerASID      ASID,
     providers         SEQUENCE (SIZE(1..MAX)) OF ASID }

   TrustAnchorState ::= SEQUENCE {
     skis              SEQUENCE (SIZE(1..MAX)) OF SubjectKeyIdentifier,
     hash              Digest }

   RouterKeyState ::= SEQUENCE {
     rksets            SEQUENCE OF RouterKeySet,
     hash              Digest }

   RouterKeySet ::= SEQUENCE {
     asID              ASID,
     routerKeys        SEQUENCE (SIZE(1..MAX)) OF RouterKey }

   RouterKey ::= SEQUENCE {
     ski               SubjectKeyIdentifier,
     spki              SubjectPublicKeyInfo }

   END

3.1.  version

   The version field contains the format version for the
   RpkiCanonicalCacheRepresentation structure; in this version of the
   specification it MUST be 0.

3.2.  hashAlg

   The hashAlg field specifies the algorithm used to construct the
   message digests.  This profile uses SHA-256 [SHS], therefore the OID
   MUST be 2.16.840.1.101.3.4.2.1.

3.3.  producedAt

   The producedAt field contains a GeneralizedTime and indicates the
   moment in time the CCR was generated.

3.4.  State aspect fields

   Each CCR contains one or more fields representing particular aspects
   of the cache's state.  Implementers should note the ellipsis
   extension marker in the RpkiCanonicalCacheRepresentation ASN.1
   notation and anticipate future changes as new signed object types are
   standardized.

   Each state aspect generally consists of a sequence of details
   extracted from RPKI Objects of a specific type, along with a digest
   computed by hashing the aforementioned DER-encoded sequence,
   optionally including some metadata.

3.4.1.  ManifestState

   An instance of ManifestState represents the set of valid, current
   Manifests ([RFC9286]) in the cache.  It contains three fields: mis,
   mostRecentUpdate, and hash.

3.4.1.1.  ManifestInstance

   The mis field contains a SEQUENCE of ManifestInstance.  There is one
   ManifestInstance for each current manifest.  A manifest is nominally
   current until the time specified in nextUpdate or until a manifest is
   issued with a greater manifestNumber, whichever comes first (see
   Section 4.2.1 of [RFC9286]).

   A ManifestInstance is a structure consisting of the following fields:

   hash  the hash of the represented DER-encoded manifest object

   size  the size of the represented DER-encoded manifest object

   aki  the manifest issuer's key identifier

   manifestNumber  the manifest number contained within the manifest's
      eContent field

   thisUpdate  the thisUpdate contained within the manifest's eContent
      field

   locations  a sequence of AccessDescription instances from the
      manifest's End-Entity certificate's Subject Information Access
      extension

   subordinates  an optional non-empty SEQUENCE of SubjectKeyIdentifier

   The subordinates field represents the keypairs associated with the
   set of non-revoked, non-expired, validly signed, certification
   authority (CA) resource certificates subordinate to the manifest
   issuer.  Each SubjectKeyIdentifier is the 160-bit SHA-1 hash of the
   value of the DER-encoded ASN.1 bit string of the resource
   certificate's Subject Public Key, as described in Section 4.8.2 of
   [RFC6487].  The sequence elements of the subordinates field MUST be
   sorted in ascending order by interpreting each SubjectKeyIdentifier
   value as an unsigned 160-bit integer and MUST be unique with respect
   to each other.

   The sequence elements in the mis field MUST be sorted in ascending
   order by hash value contained in each instance of ManifestInstance
   and MUST be unique with respect to the other instances of
   ManifestInstance.

3.4.1.2.  mostRecentUpdate

   The mostRecentUpdate is a metadata field which contains the most
   recent thisUpdate amongst all current manifests represented by the
   ManifestInstance structures.  If the mis field contains an empty
   sequence, the mostRecentUpdate MUST be set to the POSIX Epoch
   ("19700101000000Z").

3.4.1.3.  hash

   The hash field contains a message digest computed using the mis value
   (encoded in DER format) as input message.

3.4.2.  ROAPayloadState

   An instance of ROAPayloadState contains a field named rps which
   represents the current set of Validated ROA Payloads (Section 2 of
   [RFC6811]) encoded as a SEQUENCE of ROAPayloadSet instances.

   The ROAPayloadSet structure is modeled after the
   RouteOriginAttestation (Section 4 of [RFC9582]).  The asID value in
   each instance of ROAPayloadSet MUST be unique with respect to other
   instances of ROAPayloadSet.  The contents of the ipAddrBlocks field
   MUST appear in canonical form and ordered as defined in Section 4.3.3
   of [RFC9582].

   The hash field contains a message digest computed using the rps value
   (encoded in DER format) as input message.

3.4.3.  ASPAPayloadState

   An instance of ASPAPayloadState contains an aps field which
   represents the current set of deduplicated and merged ASPA payloads
   ([I-D.ietf-sidrops-aspa-profile]) ordered by ascending customerASID
   value encoded as a SEQUENCE of ASPAPayloadSet instances.  The
   customerASID value in each instance of ASPAPayloadSet MUST be unique
   with respect to other instances of ASPAPayloadSet.

   The ASPAPayloadSet structure is modeled after the ProviderASSet
   (Section 3.3 of [I-D.ietf-sidrops-aspa-profile]).

   The hash field contains a message digest computed using the aps value
   (encoded in DER format) as input message.

3.4.4.  TrustAnchorState

   An instance of TrustAnchorState represents the set of valid Trust
   Anchor (TA) Certification Authority (CA) resource certificates used
   by the relying party when producing the CCR.  Each
   SubjectKeyIdentifier is the 160-bit SHA-1 hash of the value of the
   DER-encoded ASN.1 bit string of the TA's Subject Public Key, as
   described in Section 4.8.2 of [RFC6487].

   The skis field contains a sequence of Subject Key Identifiers (SKI)
   sorted in ascending order by interpreting the SKI value as an
   unsigned 160-bit integer.
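
   The Python below is an added example, not part of this draft or of
   the implementations it cites.  It checks a DER-encoded
   TrustAnchorState for the SKI ordering rule above and for the embedded
   digest, which is the integrity check Section 4.1 describes.
   Assumptions: the digest input is the complete DER encoding (tag,
   length, content) of the skis SEQUENCE; all function names and the
   sample objects are constructed here, and the two SKI values are the
   ones printed under "Trust anchor keyids" in Appendix B.

```python
import hashlib


def read_tlv(buf, pos=0):
    """Parse one DER TLV (single-octet tag); return (tag, content, raw, next)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    start = pos + 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("bad length-of-length")
        length = int.from_bytes(buf[start:start + n], "big")
        if length < 0x80 or buf[start] == 0:
            raise ValueError("non-minimal length is not DER")
        start += n
    end = start + length
    if end > len(buf):
        raise ValueError("TLV runs past end of input")
    return tag, buf[start:end], buf[pos:end], end


def der(tag, content):
    """Encode one TLV; only used to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def build_trust_anchor_state(skis):
    """Constructed sample: SEQUENCE { skis SEQUENCE OF OCTET STRING, hash }."""
    skis_der = der(0x30, b"".join(der(0x04, s) for s in skis))
    return der(0x30, skis_der + der(0x04, hashlib.sha256(skis_der).digest()))


def check_trust_anchor_state(tas_der):
    """Return a list of findings for a DER TrustAnchorState ([] = clean)."""
    tas_der = bytes(tas_der)
    try:
        tag, body, _, end = read_tlv(tas_der)
        if tag != 0x30 or end != len(tas_der):
            return ["outer value is not exactly one SEQUENCE"]
        skis_tag, skis_body, skis_raw, pos = read_tlv(body)
        hash_tag, digest, _, pos = read_tlv(body, pos)
        if skis_tag != 0x30 or hash_tag != 0x04 or pos != len(body):
            return ["expected SEQUENCE { skis SEQUENCE, hash OCTET STRING }"]
        skis, pos = [], 0
        while pos < len(skis_body):
            tag, ski, _, pos = read_tlv(skis_body, pos)
            if tag != 0x04 or len(ski) != 20:
                return ["SKI is not a 20-octet OCTET STRING"]
            skis.append(ski)
    except ValueError as exc:
        return [f"malformed DER: {exc}"]

    findings = []
    if not skis:
        findings.append("skis is empty, but SIZE(1..MAX) is required")
    # Compare as unsigned 160-bit integers, as the ordering rule states.
    values = [int.from_bytes(s, "big") for s in skis]
    if any(a > b for a, b in zip(values, values[1:])):
        findings.append("skis are not in ascending order")
    # Assumption: the digest covers the full DER TLV of the skis SEQUENCE.
    if hashlib.sha256(skis_raw).digest() != digest:
        findings.append("hash does not match SHA-256 of DER-encoded skis")
    return findings


# SKI values as printed under "Trust anchor keyids" in Appendix B.
SKI_A = bytes.fromhex("E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3")
SKI_B = bytes.fromhex("FC8A9CB3ED184E17D30EEA1E0FA7615CE4B1AF47")


def sample_cases():
    """Constructed inputs: clean, bit-flipped, mis-ordered, re-hashed."""
    good = build_trust_anchor_state([SKI_A, SKI_B])
    flipped = bytearray(good)
    flipped[25] ^= 0x01                    # last octet of the first SKI
    altered = SKI_B[:-1] + b"\x00"         # different key id, digest rebuilt
    return {
        "clean": good,
        "bit-flipped": bytes(flipped),
        "mis-ordered": build_trust_anchor_state([SKI_B, SKI_A]),
        "re-hashed": build_trust_anchor_state([SKI_A, altered]),
    }


if __name__ == "__main__":
    for name, blob in sample_cases().items():
        print(f"{name:12} {check_trust_anchor_state(blob) or 'no findings'}")
```

   The re-hashed case reports no findings: the digest is unkeyed, so
   this check detects corruption only and says nothing about who
   produced the file (CCR objects are not signed, see Section 5).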

   The hash field contains a message digest computed using the skis
   value (encoded in DER format) as input message.

3.4.5.  RouterKeyState

   An instance of RouterKeyState contains an rksets field which
   represents the current set of valid BGPsec Router Keys [RFC8205]
   encoded as a SEQUENCE of RouterKeySet instances.  The asID value in
   each instance of RouterKeySet MUST be unique with respect to other
   instances of RouterKeySet.  Instances of RouterKeySet are sorted by
   ascending value of asID.  Instances of RouterKey are sorted by
   ascending value of ski by interpreting the SKI value as an unsigned
   160-bit integer.

   The hash field contains a message digest computed using the rks value
   (encoded in DER format) as input message.

4.  Operational Considerations

   Comparing the ManifestState mostRecentUpdate timestamp value with the
   producedAt timestamp might help offer insight into the timing and
   propagation delays of the RPKI supply chain.

   Given the absence of public keys and fairly repetitive content in
   RPKI AccessDescription instances, it should be noted CCR content
   compresses well.

4.1.  Verifying CCR file integrity

   The integrity of a CCR object can be checked by confirming whether
   the hash values embedded inside state aspects match the computed hash
   value of the respective state aspect payload structure.

5.  Security Considerations

   CCR objects are not signed objects.

6.  IANA Considerations

6.1.  SMI Security for S/MIME CMS Content Type
      (1.2.840.113549.1.9.16.1)

   IANA has allocated the following in the "SMI Security for S/MIME CMS
   Content Type (1.2.840.113549.1.9.16.1)" registry:

   +=========+==================================+==================+
   | Decimal | Description                      | References       |
   +=========+==================================+==================+
   | 54      | id-ct-                           | draft-ietf-      |
   |         | rpkiCanonicalCacheRepresentation | sidrops-rpki-ccr |
   +---------+----------------------------------+------------------+

                                  Table 1

6.2.  RPKI Repository Name Schemes

   IANA is requested to add the Canonical Cache Representation file
   extension to the "RPKI Repository Name Schemes" registry [RFC6481] as
   follows:

   +===========+=================+=============================+
   | Filename  | RPKI Object     | Reference                   |
   | Extension |                 |                             |
   +===========+=================+=============================+
   | .ccr      | Canonical Cache | draft-ietf-sidrops-rpki-ccr |
   |           | Representation  |                             |
   +-----------+-----------------+-----------------------------+

                                Table 2

6.3.  SMI Security for S/MIME Module Identifier
      (1.2.840.113549.1.9.16.0)

   IANA is requested to allocate the following in the "SMI Security for
   S/MIME Module Identifier (1.2.840.113549.1.9.16.0)" registry:

   +=========+=====================+=============================+
   | Decimal | Description         | References                  |
   +=========+=====================+=============================+
   | TBD     | id-mod-rpkiCCR-2025 | draft-ietf-sidrops-rpki-ccr |
   +---------+---------------------+-----------------------------+

                                 Table 3

6.4.  Media Types

   IANA is requested to register the media type "application/rpki-ccr"
   in the "Media Types" registry as follows:

6.4.1.  Canonical Cache Representation Media Type

   Type name:  application
   Subtype name:  rpki-ccr
   Required parameters:  N/A
   Optional parameters:  N/A
   Encoding considerations:  binary
   Security considerations:  This media type contains no active content.
   Interoperability considerations:  N/A
   Published specification:  draft-ietf-sidrops-rpki-ccr
   Applications that use this media type:  RPKI operators
   Fragment identifier considerations:  N/A
   Additional information:
      Content:  This media type is an RPKI Canonical Cache
         Representation object, as defined in
         draft-ietf-sidrops-rpki-ccr.
      Magic number(s):  N/A
      File extension(s):  .ccr
      Macintosh file type code(s):  N/A
   Person & email address to contact for further information:  Job
      Snijders (job@bsd.nl)
   Intended usage:  COMMON
   Restrictions on usage:  N/A
   Author:  Job Snijders (job@bsd.nl)
   Change controller:  IETF

7.  References

7.1.  Normative References

   [I-D.ietf-sidrops-aspa-profile]
              Azimov, A., Uskov, E., Bush, R., Snijders, J., Housley,
              R., and B. Maddison, "A Profile for Autonomous System
              Provider Authorization", Work in Progress, Internet-Draft,
              draft-ietf-sidrops-aspa-profile-20, 18 August 2025.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6481]  Huston, G., Loomans, R., and G. Michaelson, "A Profile for
              Resource Certificate Repository Structure", RFC 6481,
              DOI 10.17487/RFC6481, February 2012.

   [RFC6487]  Huston, G., Michaelson, G., and R. Loomans, "A Profile for
              X.509 PKIX Resource Certificates", RFC 6487,
              DOI 10.17487/RFC6487, February 2012.

   [RFC6488]  Lepinski, M., Chi, A., and S. Kent, "Signed Object
              Template for the Resource Public Key Infrastructure
              (RPKI)", RFC 6488, DOI 10.17487/RFC6488, February 2012.

   [RFC6811]  Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
              Austein, "BGP Prefix Origin Validation", RFC 6811,
              DOI 10.17487/RFC6811, January 2013.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC9286]  Austein, R., Huston, G., Kent, S., and M. Lepinski,
              "Manifests for the Resource Public Key Infrastructure
              (RPKI)", RFC 9286, DOI 10.17487/RFC9286, June 2022.

   [RFC9582]  Snijders, J., Maddison, B., Lepinski, M., Kong, D., and S.
              Kent, "A Profile for Route Origin Authorizations (ROAs)",
              RFC 9582, DOI 10.17487/RFC9582, May 2024.

   [SHS]      National Institute of Standards and Technology, "Secure
              Hash Standard", March 2012.

   [X.690]    ITU-T, "Information technology - ASN.1 encoding rules:
              Specification of Basic Encoding Rules (BER), Canonical
              Encoding Rules (CER) and Distinguished Encoding Rules
              (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021,
              February 2021.

7.2.  Informative References

   [I-D.ietf-sidrops-rpki-erik-protocol]
              Snijders, J., Bruijnzeels, T., Harrison, T., and W. Ohgai,
              "The Erik Synchronization Protocol for use with the
              Resource Public Key Infrastructure (RPKI)", Work in
              Progress, Internet-Draft,
              draft-ietf-sidrops-rpki-erik-protocol-00, 1 December 2025.

   [RFC5781]  Weiler, S., Ward, D., and R. Housley, "The rsync URI
              Scheme", RFC 5781, DOI 10.17487/RFC5781, February 2010.

   [RFC8182]  Bruijnzeels, T., Muravskiy, O., Weber, B., and R. Austein,
              "The RPKI Repository Delta Protocol (RRDP)", RFC 8182,
              DOI 10.17487/RFC8182, July 2017.

   [RFC8205]  Lepinski, M., Ed. and K. Sriram, Ed., "BGPsec Protocol
              Specification", RFC 8205, DOI 10.17487/RFC8205, September
              2017.

   [rpki-client]
              Jeker, C., Dzonsons, K., Buehler, T., and J. Snijders,
              "rpki-client", December 2025.

   [rpkitouch]
              Snijders, J., "rpki-client", December 2025.

Appendix A.  Acknowledgements

   The authors wish to thank Russ Housley and Luuk Hendriks for their
   generous feedback on this specification.

Appendix B.  Example CCR

   The below is a Base64-encoded example CCR object.  For a more
   elaborate example based on the global RPKI, see the URL in
   Appendix C.

   It decodes as follows:

   =============== NOTE: '\' line wrapping per RFC 8792 ================

   $ rpki-client -f example.ccr
   File:                   example.ccr
   Hash identifier:        dTmqYyAdIR9bqR3nfaVLA3iRx8WdAbqGu70Nbc0cW5M=
   CCR produced at:        Tue 02 Dec 2025 09:20:15 +0000
   Manifest state hash:    MUFGOENERTQ5MzY2MEI4RDQ5NjZBMTMzQ0UwNThERDU=
   Manifest last update:   Tue 02 Dec 2025 07:02:59 +0000
   Manifest instances:     hash:BCD1f7kpEx3/fWt8AIScJGkWN5Y6hyfm/7fdxlU\
   XrJU= size:2143 aki:E52D8B5CBA7C2D2B8AF046EB7F310105AC0C09AC seqnum:\
   0552 thisupdate:1764633688 sia:rsync://rpki.ripe.net/repository/DEFA\
   ULT/b4/d4f83d-fb53-424f-851d-c0d062a75354/1/5S2LXLp8LSuK8EbrfzEBBawM\
   Caw.mft
                           hash:BCGPGrsQL4zgtzBTVG/hZHOpw060Mee/dyYrt9q\
   pObQ= size:1924 aki:95AE8BD33249CF1ED5F0D4398147EFD32D25421A seqnum:\
   0EC6 thisupdate:1764658979 sia:rsync://rpki.ripe.net/repository/DEFA\
   ULT/1f/e27d9b-931a-488b-ac35-8ffbd6c73bf5/1/la6L0zJJzx7V8NQ5gUfv0y0l\
   Qho.mft
                           hash:BCHnZyxReuJ8T3Z3bnRUnl+SlnGcINUFjyOMA0R\
   Ew74= size:1924 aki:195FA8330252A07F250E51D8E474BB38D7DC3B9A seqnum:\
   0573 thisupdate:1764644463 sia:rsync://rpki.ripe.net/repository/DEFA\
   ULT/cd/e9b0e0-f4b6-46da-aff8-be7087dbf536/1/GV-oMwJSoH8lDlHY5HS7ONfc\
   O5o.mft
                           hash:BCZpVcM4Gr/Vw6j16n9H1o062ZUyNfrOcZyk25p\
   L6Ts= size:1998 aki:234B449894589D16F676BFF282ABEDAA56CC7B8D seqnum:\
   0792 thisupdate:1764633690 sia:rsync://rpki.ripe.net/repository/DEFA\
   ULT/0d/3318d9-5669-4920-a55c-73a63b259beb/1/I0tEmJRYnRb2dr_ygqvtqlbM\
   e40.mft
                           hash:BCZyC2zRKpEKATxdQJWfkAJYk9PjPSresJvSkg2\
dJqM= size:1924 aki:4B177C450D2035067BAA26920B8A4BD36C7B3314 seqnum:\ 0E69 thisupdate:1764658969 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/99/5a6aad-a4c7-43b9-8a9e-8d7b736a695c/1/Sxd8RQ0gNQZ7qiaSC4pL02x7\ MxQ.mft hash:BCagCSWmdO3mC73CYFmilUBUD1aB6UbauZo8WDB\ N8LM= size:1998 aki:20D4BD499F58494AC0E82263B5520A2C64D6477E seqnum:\ 16E8 thisupdate:1764633693 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/95/af601e-c2bf-4a6a-aa32-d2ee15399d06/1/INS9SZ9YSUrA6CJjtVIKLGTW\ R34.mft hash:BCbaSy/4iRonG8BvQfiWawECzgrHTbA8ROpPKxG\ WEvY= size:4843 aki:3EEEBB946A8D21D4083C93DC09CEE557BB2AC32E seqnum:\ 02E5 thisupdate:1764630764 sia:rsync://rsync.paas.rpki.ripe.net/repo\ sitory/6ff7a989-ecdf-43d6-86e1-f6c3935b9b3d/4/3EEEBB946A8D21D4083C93\ DC09CEE557BB2AC32E.mft subordinates:04C92D9B1C8307B70C47290166D5989C\ EFABDCC4 hash:BCl0MQpE86B5mYTCdjobXkfXd+yKruym1EG8O6o\ 52hk= size:1924 aki:5337DDFA6530FCC67F76937DEBE3D8208CB9902C seqnum:\ 08F9 thisupdate:1764637299 sia:rsync://rpki.ripe.net/repository/DEFA\ Snijders, et al. 
Expires 5 June 2026 [Page 16] Internet-Draft RPKI Canonical Cache Representation December 2025 ULT/80/2c6c2b-54d6-431d-9c06-dde36574b178/1/Uzfd-mUw_MZ_dpN96-PYIIy5\ kCw.mft hash:BCvgAbNsxSfa0tsOe20NprPfe1oRMQxmkYN3UUv\ +jac= size:1999 aki:D268D9A2A645D7CC2FD253B3670408055E56FFF9 seqnum:\ 0E39 thisupdate:1764658974 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/e7/44038b-8031-44e0-91c4-cc5676c7de9f/1/0mjZoqZF18wv0lOzZwQIBV5W\ __k.mft hash:BCxWGtTKIXYfXpaOGDuL88Q+TxbDpEzamsEBWPm\ HlIQ= size:1924 aki:BA8D6798BDD0B2B8805D43B3455F76739B946F1D seqnum:\ 16E6 thisupdate:1764658954 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/ec/68b57b-d18d-4785-97b0-ec56c0b081ae/1/uo1nmL3QsriAXUOzRV92c5uU\ bx0.mft hash:BDNmKXoKbp/8++wT92tazKm/IBKJL2D8/tC14qP\ Sifo= size:2323 aki:6D2FA94F5131FEBB344C1140590E1E658A49A2D3 seqnum:\ 0141 thisupdate:1764618838 sia:rsync://repository.lacnic.net/rpki/la\ cnic/D04D926BC8F78DA6BDEB901CE50235E9F7FDB6AD4DF42E9DA2F3C4994581CC5\ E/0/6D2FA94F5131FEBB344C1140590E1E658A49A2D3.mft hash:BDP5BaOsQTEPg/hNREYgNLAy20fE5j/F84EN1j8\ fSEs= size:2299 aki:300051EF302B34E03DB98212D978869E349107D6 seqnum:\ 48 thisupdate:1764652198 sia:rsync://rpki-repo.registro.br/repo/5guz\ Yu9DqsnkfpYJ4x1B67yxAirPCJQtAm77QWD13m1y/0/300051EF302B34E03DB98212D\ 978869E349107D6.mft hash:BDVXRzdRUBIsb7FPiDRKRiBBl86bHb8AUyl+zPk\ RemM= size:1924 aki:460C571111AAFC0D51E5FDE08230BF78B89E4A48 seqnum:\ 1753 thisupdate:1764655249 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/e6/069e95-0ac2-4c27-82b4-bd2fff5b8849/1/RgxXERGq_A1R5f3ggjC_eLie\ Skg.mft hash:BDqgmqJTsfx+FebPm+loicdy9vOUlQv7C7Waxo+\ QM2A= size:1924 aki:907A4D12924B5357E30267AFE3C5CC7364241158 seqnum:\ 116C thisupdate:1764658956 sia:rsync://rpki.ripe.net/repository/DEFA\ ULT/5a/aef44f-cbdf-4120-84f1-621a2bb40c66/1/kHpNEpJLU1fjAmev48XMc2Qk\ EVg.mft hash:BDy+vsuznrrVtgJ/9JnFlY6ZI9JR177pu9qX8sC\ rr2s= size:1998 aki:5C68A279769D193DF3F9781D2BA4C1D9277B4FD6 seqnum:\ 0586 thisupdate:1764644491 sia:rsync://rpki.ripe.net/repository/DEFA\ 
   ROA payload state hash: OTI4NzFFN0EyRDAzODRGNTJCNjg5NkZDMjQ1QjBBMDI=
   ROA payload entries:    192.35.94.0/24-32 AS 7
                           192.67.43.0/24-32 AS 7
                           194.32.69.0/24-32 AS 7
                           194.32.218.0/23-32 AS 7
                           194.34.138.0/24-32 AS 7
                           194.61.92.0/23-32 AS 7
                           2a0b:3b40::/29-128 AS 7
                           91.208.34.0/24 AS 8283
                           94.142.240.0/24 AS 8283
                           94.142.240.0/21 AS 8283
                           94.142.241.0/24 AS 8283
                           94.142.242.0/24 AS 8283
                           94.142.244.0/24 AS 8283
                           94.142.245.0/24 AS 8283
                           94.142.246.0/24 AS 8283
                           94.142.247.0/24 AS 8283
                           185.52.224.0/24 AS 8283
                           185.52.224.0/22 AS 8283
                           185.52.225.0/24 AS 8283
                           185.52.226.0/24 AS 8283
                           185.52.227.0/24 AS 8283
                           2001:678:688::/48 AS 8283
                           2a02:898::/32 AS 8283
                           2001:67c:208c::/48 AS 15562
                           2001:728:1808::/48 AS 15562
                           2a0e:b240::/48 AS 15562
                           2a0e:b240:118::/48 AS 15562
   ASPA payload state hash:MkNGNTFGMThGRkYxNEFGQ0M5OUIwOTBFREU0ODE4Rjk=
   ASPA payload entries:   customer: 2121 providers: 3333
                           customer: 4492 providers: 0
                           customer: 4601 providers: 8298, 58115
                           customer: 6424 providers: 174, 1273, 1299, 6\
   461, 6762, 6830, 141193
                           customer: 6775 providers: 174, 6204, 6939, 1\
   3030
   Trust anchor state hash:MkMxRjY0QjU2ODBCREVGODVENjlCOUMxRUZGMjFBMkQ=
   Trust anchor keyids:    E8552B1FD6D1A4F7E404C6D8E5680D1EBC163FC3, FC\
   8A9CB3ED184E17D30EEA1E0FA7615CE4B1AF47
   Router key state hash:  QkE1RkI0NDlDRUZCNkJBMDBGMzYxMjc5NjJBMkVFQTY=
   Router keys:            asid:15562 ski:5D4250E2D81D4448D8A29EFCE91D2\
   9FF075EC9E2 pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgFcjQ/g//LAQe\
   rAH2Mpp+GucoDAGBbhIqD33wNPsXxnAGb+mtZ7XQrVO9DQ6UlAShtig5+QfEKpTtFgiq\
   fiAFQ==
                           asid:15562 ski:BE889B55D0B737397D75C49F485B8\
   58FA98AD11F pubkey:MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE4FxJr0n2bux1u\
   X1Evl+QWwZYvIadPjLuFX2mxqKuAGUhKnr7VLLDgrE++l9p5eH2kWTNVAN22FUU3db/R\
   KpE2w==
   Validation:             N/A

Appendix C. Implementation status

   This section is to be removed before publishing as an RFC.

   This section records the status of known implementations of the
   protocol defined by this specification at the time of posting of
   this Internet-Draft, and is based on a proposal described in RFC
   7942. The description of implementations in this section is
   intended to assist the IETF in its decision processes in
   progressing drafts to RFCs. Please note that the listing of any
   individual implementation here does not imply endorsement by the
   IETF. Furthermore, no effort has been spent to verify the
   information presented here that was supplied by IETF contributors.
   This is not intended as, and must not be construed to be, a catalog
   of available implementations or their features. Readers are advised
   to note that other implementations may exist.

   According to RFC 7942, "this will allow reviewers and working
   groups to assign due consideration to documents that have the
   benefit of running code, which may serve as evidence of valuable
   experimentation and feedback that have made the implemented
   protocols more mature. It is up to the individual working groups to
   use this information as they see fit".

   * Example .ccr files were created by Job Snijders. A current
     example CCR (regenerated every few minutes) is available here:
     https://console.rpki-client.org/rpki.ccr

   * A CCR serializer and deserializer implementation based on
     [rpki-client] was provided by Job Snijders and Theo Buehler.

   * Another CCR serializer and deserializer implementation based on
     [rpkitouch] was provided by Job Snijders.

Authors' Addresses

   Job Snijders
   BSD Software Development
   Amsterdam
   Netherlands
   Email: job@bsd.nl
   URI: https://www.bsd.nl

   Bart Bakker
   RIPE NCC
   Netherlands
   Email: bbakker@ripe.net

   Tim Bruijnzeels
   RIPE NCC
   Netherlands
   Email: tbruijnzeels@ripe.net

   Theo Buehler
   OpenBSD
   Switzerland
   Email: tb@openbsd.org