Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/b3/0828e7-1e57-4747-8ea1-36a808f3d14d/1/HSs3gDI1v2esT517yi4H6DJ5iXI.roa
File:                     HSs3gDI1v2esT517yi4H6DJ5iXI.roa (raw, json)
Hash identifier:          3OMnw1DXB8yQnggSyxXGqrAaR4LWbOPDJY7rSCYHtR0=
Subject key identifier:   1D:2B:37:80:32:35:BF:67:AC:4F:9D:7B:CA:2E:07:E8:32:79:89:72
Certificate issuer:       /CN=a14e499240cea588541a7dc74f321c9141744bb6
Certificate serial:       0185728CACA1E15EEBE299F5616DF73AB19A
Authority key identifier: A1:4E:49:92:40:CE:A5:88:54:1A:7D:C7:4F:32:1C:91:41:74:4B:B6
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/oU5JkkDOpYhUGn3HTzIckUF0S7Y.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/b3/0828e7-1e57-4747-8ea1-36a808f3d14d/1/HSs3gDI1v2esT517yi4H6DJ5iXI.roa
Signing time:             Mon 02 Jan 2023 12:54:59 +0000
ROA not before:           Mon 02 Jan 2023 12:54:59 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     49603
IP address blocks:        46.19.152.0/21 maxlen: 24
                          185.88.60.0/22 maxlen: 24
                          185.92.152.0/22 maxlen: 24
                          89.207.248.0/21 maxlen: 24
                          185.92.160.0/22 maxlen: 24
                          185.92.168.0/22 maxlen: 24
                          185.92.180.0/22 maxlen: 24
                          185.92.188.0/22 maxlen: 24
                          185.92.204.0/22 maxlen: 24
                          2a05:ca80::/29 maxlen: 29

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:85:72:8c:ac:a1:e1:5e:eb:e2:99:f5:61:6d:f7:3a:b1:9a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=a14e499240cea588541a7dc74f321c9141744bb6
        Validity
            Not Before: Jan  2 12:54:59 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=1d2b37803235bf67ac4f9d7bca2e07e832798972
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:8f:f7:23:5d:c4:a1:2b:c3:a1:e9:bd:3c:91:f4:
                    4a:6b:1d:cf:33:2f:b2:d1:54:d7:86:b2:67:fb:d1:
                    86:83:88:3d:27:cd:b7:b6:0b:1c:24:e9:00:ad:00:
                    97:97:97:ad:be:d9:d0:e1:f0:69:f9:c3:65:ed:fd:
                    6f:51:0e:fc:24:75:81:c5:20:48:61:17:cd:9f:1b:
                    e0:cd:f0:89:b5:c2:2c:dd:95:98:ca:11:9c:aa:2a:
                    ee:92:d5:34:e1:36:3f:bb:27:ba:b5:cb:2d:44:9d:
                    79:8b:95:67:d7:26:24:23:b4:19:1f:f4:76:dc:6b:
                    ca:0a:9d:4a:4f:b1:82:5c:b3:d0:cf:35:0d:9f:14:
                    a0:31:d7:dc:11:ba:ab:59:b3:d9:ea:d4:13:f6:d2:
                    da:60:f5:f9:c0:7e:36:8b:9e:6f:5b:87:48:48:db:
                    4c:1b:b0:3f:3e:54:65:de:76:ac:96:c6:83:53:27:
                    ad:07:37:51:d5:4e:c8:7c:d0:0e:b6:67:4a:f5:8f:
                    70:5b:c1:0b:31:1f:7a:49:6c:1d:c4:6b:47:96:1e:
                    81:d6:33:85:c2:b8:48:29:91:3e:d9:7d:10:ad:8f:
                    79:2f:e4:ed:df:c8:3a:08:a6:b1:be:be:0c:91:b9:
                    84:82:f8:0e:01:0a:59:52:9e:ad:4c:d4:c1:00:38:
                    48:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                1D:2B:37:80:32:35:BF:67:AC:4F:9D:7B:CA:2E:07:E8:32:79:89:72
            X509v3 Authority Key Identifier:
                keyid:A1:4E:49:92:40:CE:A5:88:54:1A:7D:C7:4F:32:1C:91:41:74:4B:B6

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/oU5JkkDOpYhUGn3HTzIckUF0S7Y.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/b3/0828e7-1e57-4747-8ea1-36a808f3d14d/1/HSs3gDI1v2esT517yi4H6DJ5iXI.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/b3/0828e7-1e57-4747-8ea1-36a808f3d14d/1/oU5JkkDOpYhUGn3HTzIckUF0S7Y.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  46.19.152.0/21
                  89.207.248.0/21
                  185.88.60.0/22
                  185.92.152.0/22
                  185.92.160.0/22
                  185.92.168.0/22
                  185.92.180.0/22
                  185.92.188.0/22
                  185.92.204.0/22
                IPv6:
                  2a05:ca80::/29

    Signature Algorithm: sha256WithRSAEncryption
         77:45:0d:de:59:bb:25:ba:42:41:06:6d:e6:a2:9a:5b:ee:61:
         50:54:65:1f:27:a7:b1:70:ba:14:ce:ba:cf:15:e4:23:0f:e7:
         94:a9:06:c7:7f:8a:ad:f6:35:cd:6c:f5:e0:0c:cb:08:bf:0c:
         88:e0:a3:a0:46:f8:70:ef:80:ce:fd:56:68:88:f5:6e:36:13:
         f6:93:ff:8b:7c:58:60:e6:ac:4c:f1:81:1f:6e:15:a0:6d:05:
         96:ce:5d:48:b3:9e:36:13:4d:ba:fd:f1:40:da:76:4f:36:98:
         85:94:92:71:15:72:69:82:ef:70:e5:f6:0b:8e:ef:6f:b8:86:
         9b:0f:33:c0:37:f7:80:ab:77:3e:7c:7e:18:86:de:9a:b2:14:
         fc:be:9a:93:0c:4c:0a:53:c2:56:37:89:d9:c2:dd:97:55:f4:
         b4:76:0f:67:bd:1f:ff:39:f4:dc:7b:6a:c1:75:54:67:1b:d6:
         6c:e7:e2:d4:64:59:e6:d0:ab:6e:4f:84:c6:d6:0d:e6:96:63:
         b5:35:da:7c:a0:ab:8c:e5:47:6a:35:7a:b7:a9:07:b9:8b:0b:
         29:7d:07:6b:15:7d:ce:ba:dc:d8:bc:33:7d:fb:e5:43:42:6e:
         30:c9:5d:39:89:ef:92:3e:fe:34:06:c7:20:7e:6e:ac:09:2c:
         da:99:5c:a7
-----BEGIN CERTIFICATE-----
MIIFPDCCBCSgAwIBAgISAYVyjKyh4V7r4pn1YW33OrGaMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGExNGU0OTkyNDBjZWE1ODg1NDFhN2RjNzRmMzIxYzkxNDE3
NDRiYjYwHhcNMjMwMTAyMTI1NDU5WhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
EygxZDJiMzc4MDMyMzViZjY3YWM0ZjlkN2JjYTJlMDdlODMyNzk4OTcyMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj/cjXcShK8Oh6b08kfRKax3PMy+y
0VTXhrJn+9GGg4g9J823tgscJOkArQCXl5etvtnQ4fBp+cNl7f1vUQ78JHWBxSBI
YRfNnxvgzfCJtcIs3ZWYyhGcqiruktU04TY/uye6tcstRJ15i5Vn1yYkI7QZH/R2
3GvKCp1KT7GCXLPQzzUNnxSgMdfcEbqrWbPZ6tQT9tLaYPX5wH42i55vW4dISNtM
G7A/PlRl3naslsaDUyetBzdR1U7IfNAOtmdK9Y9wW8ELMR96SWwdxGtHlh6B1jOF
wrhIKZE+2X0QrY95L+Tt38g6CKaxvr4MkbmEgvgOAQpZUp6tTNTBADhIzwIDAQAB
o4ICSDCCAkQwHQYDVR0OBBYEFB0rN4AyNb9nrE+de8ouB+gyeYlyMB8GA1UdIwQY
MBaAFKFOSZJAzqWIVBp9x08yHJFBdEu2MA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvb1U1SmtrRE9wWWhVR24zSFR6SWNrVUYwUzdZLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9iMy8wODI4ZTctMWU1Ny00NzQ3LThlYTEt
MzZhODA4ZjNkMTRkLzEvSFNzM2dESTF2MmVzVDUxN3lpNEg2REo1aVhJLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9iMy8wODI4ZTctMWU1Ny00NzQ3LThlYTEtMzZhODA4ZjNkMTRk
LzEvb1U1SmtrRE9wWWhVR24zSFR6SWNrVUYwUzdZLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMF4GCCsGAQUFBwEHAQH/BE8wTTA8BAIAATA2AwQDLhOYAwQD
Wc/4AwQCuVg8AwQCuVyYAwQCuVygAwQCuVyoAwQCuVy0AwQCuVy8AwQCuVzMMA0E
AgACMAcDBQMqBcqAMA0GCSqGSIb3DQEBCwUAA4IBAQB3RQ3eWbslukJBBm3moppb
7mFQVGUfJ6excLoUzrrPFeQjD+eUqQbHf4qt9jXNbPXgDMsIvwyI4KOgRvhw74DO
/VZoiPVuNhP2k/+LfFhg5qxM8YEfbhWgbQWWzl1Is542E026/fFA2nZPNpiFlJJx
FXJpgu9w5fYLju9vuIabDzPAN/eAq3c+fH4Yht6ashT8vpqTDEwKU8JWN4nZwt2X
VfS0dg9nvR//OfTce2rBdVRnG9Zs5+LUZFnm0KtuT4TG1g3mlmO1Ndp8oKuM5Udq
NXq3qQe5iwspfQdrFX3OutzYvDN9++VDQm4wyV05ie+SPv40Bscgfm6sCSzamVyn
-----END CERTIFICATE-----