Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/7c/48b407-6d94-49ae-a3d8-72c83128761b/1/z-y7S5VvfL1luqHyQX9LY6xsVj4.roa
File:                     z-y7S5VvfL1luqHyQX9LY6xsVj4.roa (raw, json)
Hash identifier:          l1dsqPw4jmlX93va/Mm5OfuE3TEipGKjdHXF53k0V2E=
Subject key identifier:   CF:EC:BB:4B:95:6F:7C:BD:65:BA:A1:F2:41:7F:4B:63:AC:6C:56:3E
Certificate issuer:       /CN=add353933674a5608f6d1ee2dab4f64c8bff8f39
Certificate serial:       018D174E26A7468E7975B6CEA6F49A609024
Authority key identifier: AD:D3:53:93:36:74:A5:60:8F:6D:1E:E2:DA:B4:F6:4C:8B:FF:8F:39
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/rdNTkzZ0pWCPbR7i2rT2TIv_jzk.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/7c/48b407-6d94-49ae-a3d8-72c83128761b/1/z-y7S5VvfL1luqHyQX9LY6xsVj4.roa
Signing time:             Wed 17 Jan 2024 12:03:34 +0000
ROA not before:           Wed 17 Jan 2024 12:03:34 +0000
ROA not after:            Tue 01 Jul 2025 00:00:00 +0000
asID:                     8851
IP address blocks:        91.84.0.0/18 maxlen: 18
                          91.84.96.0/19 maxlen: 19
                          91.84.128.0/17 maxlen: 17
                          91.85.0.0/17 maxlen: 17
                          91.85.128.0/19 maxlen: 19
                          91.85.192.0/18 maxlen: 18
                          194.46.32.0/19 maxlen: 19
                          194.46.64.0/19 maxlen: 19
                          194.46.80.0/20 maxlen: 20
                          212.104.128.0/19 maxlen: 19
                          212.108.80.0/21 maxlen: 21
                          212.108.88.0/22 maxlen: 22
Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:8d:17:4e:26:a7:46:8e:79:75:b6:ce:a6:f4:9a:60:90:24
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=add353933674a5608f6d1ee2dab4f64c8bff8f39
        Validity
            Not Before: Jan 17 12:03:34 2024 GMT
            Not After : Jul  1 00:00:00 2025 GMT
        Subject: CN=cfecbb4b956f7cbd65baa1f2417f4b63ac6c563e
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b1:28:33:f1:da:68:c7:0b:4f:c5:d4:a9:dc:20:
                    00:0a:71:af:2c:a0:73:f1:27:5b:e2:24:c4:13:16:
                    1a:1c:fc:2d:a2:70:65:0b:e8:05:53:b1:de:ef:aa:
                    04:df:5a:7d:f1:70:fe:08:e1:61:8d:19:6a:4c:f8:
                    52:b6:0c:24:58:2c:64:0d:8f:88:34:1f:c8:c3:19:
                    5d:9b:8d:95:0e:0b:5d:6d:e1:15:a0:5b:14:46:b7:
                    10:00:c8:1d:b1:eb:fd:63:1a:12:34:0c:53:cc:75:
                    6d:e0:ea:a5:89:b0:39:a4:0c:0d:f3:b6:7d:5e:de:
                    e6:ae:f8:08:e2:68:88:63:89:43:4f:0c:07:f9:0c:
                    84:4c:d3:88:ac:d8:3d:21:88:5f:b8:ad:c7:eb:eb:
                    03:78:71:52:d1:14:41:b1:86:c7:63:aa:3b:32:e2:
                    d7:38:04:96:d1:7a:a5:74:5e:9b:58:3b:be:f2:ed:
                    e1:fb:e3:51:60:7e:a9:6c:39:05:ed:4d:99:43:0a:
                    d4:de:e2:62:6d:2b:fd:ca:55:35:1d:77:41:b5:65:
                    50:88:65:01:e2:70:47:36:e0:b9:76:c6:ee:40:23:
                    a9:4b:17:32:99:89:f6:e6:75:aa:d4:de:bb:d7:e4:
                    3e:2d:88:fd:eb:f1:e4:d0:eb:70:7f:a6:de:5b:09:
                    a6:1d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                CF:EC:BB:4B:95:6F:7C:BD:65:BA:A1:F2:41:7F:4B:63:AC:6C:56:3E
            X509v3 Authority Key Identifier:
                keyid:AD:D3:53:93:36:74:A5:60:8F:6D:1E:E2:DA:B4:F6:4C:8B:FF:8F:39

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/rdNTkzZ0pWCPbR7i2rT2TIv_jzk.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/7c/48b407-6d94-49ae-a3d8-72c83128761b/1/z-y7S5VvfL1luqHyQX9LY6xsVj4.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/7c/48b407-6d94-49ae-a3d8-72c83128761b/1/rdNTkzZ0pWCPbR7i2rT2TIv_jzk.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  91.84.0.0/18
                  91.84.96.0-91.85.159.255
                  91.85.192.0/18
                  194.46.32.0-194.46.95.255
                  212.104.128.0/19
                  212.108.80.0-212.108.91.255

    Signature Algorithm: sha256WithRSAEncryption
         4e:10:af:87:ca:54:33:17:a0:0b:dc:8c:03:d6:b9:49:71:aa:
         6e:a9:5f:f1:f9:f9:81:72:b1:1b:e6:72:73:c1:0f:c0:e8:7b:
         00:6e:72:41:f3:9d:e6:37:9b:d6:7e:60:00:e6:ad:10:05:f8:
         f4:4b:91:b9:07:c2:34:a9:4d:a0:1c:a8:8c:79:85:9c:21:1b:
         00:52:85:c8:09:55:2a:b9:d7:f7:9e:03:58:14:94:f8:5e:49:
         b1:57:c4:59:7e:9e:64:44:12:57:ee:ca:bd:0d:82:83:8b:ba:
         df:75:59:6f:35:c7:1c:10:70:b0:e9:6c:07:4a:b7:86:93:19:
         ca:04:d3:05:f2:93:b9:83:35:22:ae:27:ba:87:81:b1:78:e9:
         2f:ac:5c:eb:25:1a:7c:2e:1c:9c:54:5e:ad:da:9b:a8:74:e7:
         b3:46:be:f9:3f:bd:8f:fb:bd:9f:f7:62:71:be:07:76:77:3c:
         e2:8b:89:df:ed:4e:b8:52:02:7c:63:0e:23:86:90:ae:b5:1c:
         2f:69:19:5c:ad:01:6c:a8:9b:5e:48:ea:2d:a4:06:39:c5:d4:
         c7:94:b3:da:37:ba:2e:0d:2d:6c:07:e5:c0:a6:96:4c:51:74:
         86:c0:d1:1a:43:06:d0:2f:41:9d:1f:5d:3c:3e:f7:48:51:e7:
         37:01:fd:64
-----BEGIN CERTIFICATE-----
MIIFMzCCBBugAwIBAgISAY0XTianRo55dbbOpvSaYJAkMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGFkZDM1MzkzMzY3NGE1NjA4ZjZkMWVlMmRhYjRmNjRjOGJm
ZjhmMzkwHhcNMjQwMTE3MTIwMzM0WhcNMjUwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EyhjZmVjYmI0Yjk1NmY3Y2JkNjViYWExZjI0MTdmNGI2M2FjNmM1NjNlMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSgz8dpoxwtPxdSp3CAACnGvLKBz
8Sdb4iTEExYaHPwtonBlC+gFU7He76oE31p98XD+COFhjRlqTPhStgwkWCxkDY+I
NB/Iwxldm42VDgtdbeEVoFsURrcQAMgdsev9YxoSNAxTzHVt4OqlibA5pAwN87Z9
Xt7mrvgI4miIY4lDTwwH+QyETNOIrNg9IYhfuK3H6+sDeHFS0RRBsYbHY6o7MuLX
OASW0XqldF6bWDu+8u3h++NRYH6pbDkF7U2ZQwrU3uJibSv9ylU1HXdBtWVQiGUB
4nBHNuC5dsbuQCOpSxcymYn25nWq1N671+Q+LYj96/Hk0Otwf6beWwmmHQIDAQAB
o4ICPzCCAjswHQYDVR0OBBYEFM/su0uVb3y9Zbqh8kF/S2OsbFY+MB8GA1UdIwQY
MBaAFK3TU5M2dKVgj20e4tq09kyL/485MA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvcmROVGt6WjBwV0NQYlI3aTJyVDJUSXZfanprLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC83Yy80OGI0MDctNmQ5NC00OWFlLWEzZDgt
NzJjODMxMjg3NjFiLzEvei15N1M1VnZmTDFsdXFIeVFYOUxZNnhzVmo0LnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC83Yy80OGI0MDctNmQ5NC00OWFlLWEzZDgtNzJjODMxMjg3NjFi
LzEvcmROVGt6WjBwV0NQYlI3aTJyVDJUSXZfanprLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMFUGCCsGAQUFBwEHAQH/BEYwRDBCBAIAATA8AwQGW1QAMAwD
BAVbVGADBAVbVYADBAZbVcAwDAMEBcIuIAMEBcIuQAMEBdRogDAMAwQE1GxQAwQC
1GxYMA0GCSqGSIb3DQEBCwUAA4IBAQBOEK+HylQzF6AL3IwD1rlJcapuqV/x+fmB
crEb5nJzwQ/A6HsAbnJB853mN5vWfmAA5q0QBfj0S5G5B8I0qU2gHKiMeYWcIRsA
UoXICVUqudf3ngNYFJT4XkmxV8RZfp5kRBJX7sq9DYKDi7rfdVlvNcccEHCw6WwH
SreGkxnKBNMF8pO5gzUirie6h4GxeOkvrFzrJRp8LhycVF6t2puodOezRr75P72P
+72f92Jxvgd2dzzii4nf7U64UgJ8Yw4jhpCutRwvaRlcrQFsqJteSOotpAY5xdTH
lLPaN7ouDS1sB+XAppZMUXSGwNEaQwbQL0GdH108PvdIUec3Af1k
-----END CERTIFICATE-----