Route Origin Authorization

$ rpki-client -vvf rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/ZbEq0ioO7n3dZmUjF6TmI01KVkM.roa
File:                     ZbEq0ioO7n3dZmUjF6TmI01KVkM.roa (raw, json)
Hash identifier:          teqowtcBqWZ5TacZj4+oU66L00/ZTMr/Rf1/Ea3CnXE=
Subject key identifier:   65:B1:2A:D2:2A:0E:EE:7D:DD:66:65:23:17:A4:E6:23:4D:4A:56:43
Certificate issuer:       /CN=cdaaa0e082360360acda347664eb8314eb11da10
Certificate serial:       0187FF6CBF9804487B94DC7160A703B46857
Authority key identifier: CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10
Authority info access:    rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer
Subject info access:      rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/ZbEq0ioO7n3dZmUjF6TmI01KVkM.roa
Signing time:             Tue 09 May 2023 07:32:09 +0000
ROA not before:           Tue 09 May 2023 07:32:09 +0000
ROA not after:            Mon 01 Jul 2024 00:00:00 +0000
asID:                     834
IP address blocks:        88.209.248.0/24 maxlen: 24
                          88.209.249.0/24 maxlen: 24
                          178.210.236.0/24 maxlen: 24
                          88.209.195.0/24 maxlen: 24
                          88.209.194.0/24 maxlen: 24
                          88.209.209.0/24 maxlen: 24
                          88.209.216.0/24 maxlen: 24
                          88.209.224.0/24 maxlen: 24
                          88.209.225.0/24 maxlen: 24
                          88.209.221.0/24 maxlen: 24
                          88.151.58.0/24 maxlen: 24
                          88.151.61.0/24 maxlen: 24
                          5.182.113.0/24 maxlen: 24

Validation:               Failed, RFC 3779 resource not subset of parent's resources

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:87:ff:6c:bf:98:04:48:7b:94:dc:71:60:a7:03:b4:68:57
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=cdaaa0e082360360acda347664eb8314eb11da10
        Validity
            Not Before: May  9 07:32:09 2023 GMT
            Not After : Jul  1 00:00:00 2024 GMT
        Subject: CN=65b12ad22a0eee7ddd66652317a4e6234d4a5643
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a6:41:16:b8:e4:fe:53:27:0a:a8:dc:f3:49:6a:
                    0a:0a:0a:7e:95:ed:4f:39:fc:0e:4c:2c:22:8f:43:
                    b9:6f:3e:bb:42:9c:ad:60:68:cf:0a:ca:2f:fd:ee:
                    c2:77:ab:ca:65:25:6d:2e:d6:61:ec:c7:11:f6:d4:
                    0e:a6:54:f3:76:0e:9f:69:91:19:b5:83:b5:82:88:
                    73:1e:64:e9:3e:03:93:89:c1:aa:09:82:eb:db:89:
                    2c:2a:a9:88:38:c0:89:1b:f7:7e:9e:d9:57:a9:eb:
                    c2:86:3e:dd:39:21:56:e4:69:95:0a:74:03:fd:c6:
                    aa:d6:b6:0a:6c:e1:2f:06:60:c3:8d:9f:8e:d7:96:
                    02:ed:fb:4b:f0:4b:49:1e:69:0a:f6:b8:54:40:a5:
                    20:6c:7b:ed:3e:12:51:69:83:88:78:ab:96:18:30:
                    d6:74:66:c6:9b:e8:fc:64:ff:91:36:68:4a:4f:19:
                    38:5b:dd:1c:b1:f9:4c:f6:2b:70:52:b2:d4:74:37:
                    18:8b:57:e2:42:92:10:ab:24:9f:b5:93:9f:29:1f:
                    10:21:d2:9a:9b:4f:a3:70:fe:e4:3b:26:a2:91:6d:
                    73:e5:8c:b6:1b:07:12:be:63:c6:20:a9:9b:3f:67:
                    84:d3:15:62:31:e6:d3:5a:b3:1d:05:aa:ce:b4:7a:
                    3d:57
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                65:B1:2A:D2:2A:0E:EE:7D:DD:66:65:23:17:A4:E6:23:4D:4A:56:43
            X509v3 Authority Key Identifier:
                keyid:CD:AA:A0:E0:82:36:03:60:AC:DA:34:76:64:EB:83:14:EB:11:DA:10

            X509v3 Key Usage: critical
                Digital Signature
            Authority Information Access:
                CA Issuers - URI:rsync://rpki.ripe.net/repository/DEFAULT/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.cer

            Subject Information Access:
                Signed Object - URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/ZbEq0ioO7n3dZmUjF6TmI01KVkM.roa

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:rsync://rpki.ripe.net/repository/DEFAULT/dd/589127-1096-4c91-96cc-7e4d6f6f6e66/1/zaqg4II2A2Cs2jR2ZOuDFOsR2hA.crl

            X509v3 Certificate Policies: critical
                Policy: ipAddr-asNumber

            sbgp-ipAddrBlock: critical
                IPv4:
                  5.182.113.0/24
                  88.151.58.0/24
                  88.151.61.0/24
                  88.209.194.0/23
                  88.209.209.0/24
                  88.209.216.0/24
                  88.209.221.0/24
                  88.209.224.0/23
                  88.209.248.0/23
                  178.210.236.0/24

    Signature Algorithm: sha256WithRSAEncryption
         99:9b:de:a2:68:88:9b:b0:60:49:6a:35:25:66:70:87:a2:a1:
         1a:a6:d2:05:95:8c:7a:c9:c6:d1:33:c5:bf:a2:cc:b8:15:79:
         d4:e0:ee:90:8b:95:d4:64:b6:c0:bc:31:9d:21:46:40:ed:24:
         78:dd:69:72:9f:d4:ad:31:7e:ac:66:52:3d:9d:0e:16:13:49:
         78:c8:3a:1a:b0:b2:e0:ff:33:df:53:dc:13:e0:4b:60:90:10:
         88:bf:45:3c:0c:df:b4:02:36:d8:02:2e:f6:8f:ab:f1:2a:e8:
         a9:c9:4b:1d:e8:b0:90:8b:90:f1:0a:df:3e:ce:1c:a7:b2:88:
         fa:42:6c:55:10:51:4e:a0:05:b5:28:cc:0d:40:a3:f3:03:6e:
         da:48:77:72:d3:5b:11:07:59:14:23:86:e2:26:63:29:38:06:
         e2:53:54:5a:77:6e:b8:65:e2:40:a2:0a:95:c3:bc:1b:92:47:
         61:31:ef:3b:0f:de:fd:b7:e7:70:0f:dd:c7:dd:8a:13:b0:f7:
         82:7f:99:1f:ff:aa:9e:5f:00:f0:8b:f9:00:72:7e:4d:8f:c8:
         0e:8a:2d:e0:79:f0:7b:cb:e8:3c:7e:9b:c3:cc:b7:56:1e:06:
         8f:72:de:e9:d1:10:97:e5:3f:4d:1d:fe:8b:71:db:de:aa:4c:
         05:79:de:d4
-----BEGIN CERTIFICATE-----
MIIFMzCCBBugAwIBAgISAYf/bL+YBEh7lNxxYKcDtGhXMA0GCSqGSIb3DQEBCwUA
MDMxMTAvBgNVBAMTKGNkYWFhMGUwODIzNjAzNjBhY2RhMzQ3NjY0ZWI4MzE0ZWIx
MWRhMTAwHhcNMjMwNTA5MDczMjA5WhcNMjQwNzAxMDAwMDAwWjAzMTEwLwYDVQQD
Eyg2NWIxMmFkMjJhMGVlZTdkZGQ2NjY1MjMxN2E0ZTYyMzRkNGE1NjQzMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApkEWuOT+UycKqNzzSWoKCgp+le1P
OfwOTCwij0O5bz67QpytYGjPCsov/e7Cd6vKZSVtLtZh7McR9tQOplTzdg6faZEZ
tYO1gohzHmTpPgOTicGqCYLr24ksKqmIOMCJG/d+ntlXqevChj7dOSFW5GmVCnQD
/caq1rYKbOEvBmDDjZ+O15YC7ftL8EtJHmkK9rhUQKUgbHvtPhJRaYOIeKuWGDDW
dGbGm+j8ZP+RNmhKTxk4W90csflM9itwUrLUdDcYi1fiQpIQqySftZOfKR8QIdKa
m0+jcP7kOyaikW1z5Yy2GwcSvmPGIKmbP2eE0xViMebTWrMdBarOtHo9VwIDAQAB
o4ICPzCCAjswHQYDVR0OBBYEFGWxKtIqDu593WZlIxek5iNNSlZDMB8GA1UdIwQY
MBaAFM2qoOCCNgNgrNo0dmTrgxTrEdoQMA4GA1UdDwEB/wQEAwIHgDBkBggrBgEF
BQcBAQRYMFYwVAYIKwYBBQUHMAKGSHJzeW5jOi8vcnBraS5yaXBlLm5ldC9yZXBv
c2l0b3J5L0RFRkFVTFQvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNlcjCB
jQYIKwYBBQUHAQsEgYAwfjB8BggrBgEFBQcwC4ZwcnN5bmM6Ly9ycGtpLnJpcGUu
bmV0L3JlcG9zaXRvcnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2Mt
N2U0ZDZmNmY2ZTY2LzEvWmJFcTBpb083bjNkWm1VakY2VG1JMDFLVmtNLnJvYTCB
gQYDVR0fBHoweDB2oHSgcoZwcnN5bmM6Ly9ycGtpLnJpcGUubmV0L3JlcG9zaXRv
cnkvREVGQVVMVC9kZC81ODkxMjctMTA5Ni00YzkxLTk2Y2MtN2U0ZDZmNmY2ZTY2
LzEvemFxZzRJSTJBMkNzMmpSMlpPdURGT3NSMmhBLmNybDAYBgNVHSABAf8EDjAM
MAoGCCsGAQUFBw4CMFUGCCsGAQUFBwEHAQH/BEYwRDBCBAIAATA8AwQABbZxAwQA
WJc6AwQAWJc9AwQBWNHCAwQAWNHRAwQAWNHYAwQAWNHdAwQBWNHgAwQBWNH4AwQA
stLsMA0GCSqGSIb3DQEBCwUAA4IBAQCZm96iaIibsGBJajUlZnCHoqEaptIFlYx6
ycbRM8W/osy4FXnU4O6Qi5XUZLbAvDGdIUZA7SR43Wlyn9StMX6sZlI9nQ4WE0l4
yDoasLLg/zPfU9wT4EtgkBCIv0U8DN+0AjbYAi72j6vxKuipyUsd6LCQi5DxCt8+
zhynsoj6QmxVEFFOoAW1KMwNQKPzA27aSHdy01sRB1kUI4biJmMpOAbiU1Rad264
ZeJAogqVw7wbkkdhMe87D979t+dwD93H3YoTsPeCf5kf/6qeXwDwi/kAcn5Nj8gO
ii3gefB7y+g8fpvDzLdWHgaPct7p0RCX5T9NHf6LcdveqkwFed7U
-----END CERTIFICATE-----