RPKI checklists end manual PDF verification now
MyAPNIC now enables cryptographic document signing using RPKI certificates, following the profile defined in RFC 9323.
Emailing manually verified PDFs is dead. The industry is shifting to automated trust. RPKI Signed Checklists replace unstructured Letters of Authorization with cryptographically bound objects that prove resource authority without human intervention. This transition kills the ambiguity of email chains by binding digital signatures directly to specific IP address ranges and Autonomous System Numbers.
RFC 9323 establishes the architectural standard for these verifiable objects, swapping fragile paper trails for reliable CMS protected content. The workflow within MyAPNIC allows account holders to generate signatures using the `id-ct-signedChecklist` OID. Third parties can now independently verify document integrity against APNIC resource records, removing fallible manual processes from the equation.
The Role of RPKI Signed Checklists in Modern IP Resource Verification
RFC 9323 Definition of RPKI Signed Checklists
Published by the IETF in November 2022, RFC 9323 defines RPKI Signed Checklists as a Cryptographic Message Syntax protected content type. The standard introduces the object identifier `id-ct-signedChecklist` (1.2.840.113549.1.9.16.1.48) to bind arbitrary file checksums directly to an operator's resource certificate. MyAPNIC leverages this specification to replace manual verification with automated validation, allowing account holders to sign documents using IP address ranges or Autonomous System Numbers. The resulting RSC object packages signatures and hashes into a single container, cryptographically bound to the signer's Internet Number Resources.
| Feature | Traditional LOA | RPKI Signed Checklist |
|---|---|---|
| Format | Unstructured PDF | CMS Protected Object |
| Binding | Email Header | Resource Certificate |
| Verification | Manual Review | Automated Tooling |
| Scope | Single Transaction | Reusable Asset |
Validation happens locally via `rpki-client` or through public services, confirming the signer legitimately holds the referenced resources. But there is a catch. The rigid CMS format prevents embedding explanatory text or legal clauses within the signature itself. Operators must maintain separate documentation for context. This separation forces network engineers to manage parallel workflows for legal approval and technical signing rather than consolidating them into a single artifact. Trust shifts from human interpretation of PDFs to deterministic algorithmic checks.
MyAPNIC enables account holders to generate RPKI Signed Checklists that bind file checksums to specific IP ranges or ASNs. The official announcement on 23 Jan 2026 marked production availability for members needing cryptographic proof of resource authority. Operators upload arbitrary documents, and the system constructs a CMS object whose signature relies on the holder's existing RPKI certificate. This mechanism replaces unstructured PDFs with a standardized container verifiable by tools like `rpki-client`. Third parties confirm authenticity without manual intervention, because validation confirms that the Internet Resource Holder produced the RSC object. The workflow is fully automated compared to legacy Letter of Authorization workflows.
Strict adherence to resource ownership is the price of admission. A signature fails if the certificate does not match the Internet Number Resources listed in the attestation. Operators cannot sign documents for ranges they do not currently hold, preventing unauthorized delegations that plague legacy workflows. Tom Harrison, Product and Delivery Manager at APNIC, highlighted this capability as a significant step for proof of authority scenarios. Tooling maturity remains the bottleneck; legacy systems may not yet parse the specific OID required for validation.
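The two checks described above, that the resources named in an RSC must be covered by the signer's resource certificate and that the certificate must be valid at the moment of verification, are shown here as an added example; it is not MyAPNIC, APNIC or rpki-client code. CMS parsing, signature verification and repository fetching are left out. The signer certificate, the claimed resource blocks and the timestamps are constructed sample data built from documentation ranges (AS64496-AS64511, 192.0.2.0/24, 2001:db8::/32), and the subject name `example-member` is hypothetical.

```python
"""Relying-party resource and validity checks for an RPKI Signed Checklist.

Added example, not MyAPNIC, APNIC or rpki-client code. Models only the
resource-containment and certificate-validity part of RSC validation.
All certificate data and times below are constructed sample values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class ResourceSet:
    """Internet Number Resources: inclusive AS ranges and IP prefixes."""
    asns: tuple[tuple[int, int], ...] = ()
    prefixes: tuple[IPNet, ...] = ()

    def covers_asn(self, low: int, high: int) -> bool:
        return any(lo <= low and high <= hi for lo, hi in self.asns)

    def covers_prefix(self, net: IPNet) -> bool:
        # subnet_of() raises on mixed address families, so compare the version first
        return any(net.version == p.version and net.subnet_of(p) for p in self.prefixes)


@dataclass(frozen=True)
class SignerCertificate:
    subject: str
    resources: ResourceSet
    not_before: datetime
    not_after: datetime


def parse_resource_block(spec: list[str]) -> ResourceSet:
    """Turn 'AS64500', 'AS64500-64510' or '192.0.2.0/25' strings into a ResourceSet."""
    asns, prefixes = [], []
    for item in spec:
        if item.upper().startswith("AS"):
            low, _, high = item[2:].partition("-")
            asns.append((int(low), int(high or low)))
        else:
            prefixes.append(ipaddress.ip_network(item, strict=True))
    return ResourceSet(tuple(asns), tuple(prefixes))


def check_resources(cert: SignerCertificate, claimed: ResourceSet, now: datetime) -> list[str]:
    """Return the reasons the RSC must be rejected; an empty list means these checks pass."""
    problems = []
    if not (cert.not_before <= now <= cert.not_after):
        problems.append(f"certificate of {cert.subject} not valid at {now.isoformat()}")
    for low, high in claimed.asns:
        if not cert.resources.covers_asn(low, high):
            label = f"AS{low}" if low == high else f"AS{low}-AS{high}"
            problems.append(f"{label} not held by {cert.subject}")
    for net in claimed.prefixes:
        if not cert.resources.covers_prefix(net):
            problems.append(f"{net} not held by {cert.subject}")
    return problems


# Constructed signer certificate for a hypothetical member, plus two verification times.
SIGNER = SignerCertificate(
    subject="example-member",
    resources=parse_resource_block(["AS64496-64511", "192.0.2.0/24", "2001:db8::/32"]),
    not_before=datetime(2025, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2026, 12, 31, tzinfo=timezone.utc),
)
NOW = datetime(2026, 1, 23, tzinfo=timezone.utc)        # inside the validity window
EXPIRED_AT = datetime(2027, 6, 1, tzinfo=timezone.utc)  # after not_after

if __name__ == "__main__":
    for spec in (["AS64500", "192.0.2.0/25"], ["198.51.100.0/24"], ["AS64500-64600"]):
        print(spec, check_resources(SIGNER, parse_resource_block(spec), NOW) or "OK")
    print("expired:", check_resources(SIGNER, parse_resource_block(["AS64500"]), EXPIRED_AT))
```

An RSC that names a prefix or AS range outside the certificate is rejected outright, which is the property that stops a member from signing for ranges it does not hold; the time check is the same reason a stale local cache or an expired certificate turns an otherwise sound signature into a rejection.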
Inside the Cryptographic Architecture of RSC Object Generation
RSC Object Structure and CMS Protected Content Type Mechanics
OID 1.2.840.113549.1.9.16.1.48 identifies the signedChecklist content type binding file hashes to resource certificates. This specific identifier forces the CMS protected content type to encapsulate both signature and checklist within a single binary object. Separation attacks fail because an adversary cannot swap a valid signature onto a malicious file list. Structure differs fundamentally from email attachments since the Cryptographic Object format requires validators to possess signer public key material via the RPKI repository before acceptance. Operators generate attestations by submitting file checksums to the portal, which constructs the container using the holder's private key associated with specific IP ranges. Tools like `rpki-client` parse the CMS structure to confirm the signer holds authority over referenced resources at the moment of verification. Automated checks remove human error factors inherent in manual PDF review, a process previously lacking cryptographic binding entirely.
| Component | Traditional LOA | RSC Container |
|---|---|---|
| Data Binding | None | Cryptographic |
| Format | Unstructured Text | Binary CMS |
| Trust Anchor | Email Sender | RPKI Certificate |
RFC 9323 defines a rigid schema that prevents operators from including narrative context or conditional clauses inside the signed object itself. The checksum list accepts only file digests. Organizations must maintain separate documentation for complex transfer agreements requiring legal nuance under the RFC 9323 standard (ietf.org/doc/rfc9323/). Operators execute local verification of RSC objects using rpki-client or Routinator to parse CMS containers without manual intervention. Validation workflows require fetching the signer's certificate from the RPKI repository, checking the signature against the embedded checklist, and confirming resource ownership matches the claimed IP ranges or ASNs. Deterministic cryptographic checks replace error-prone visual inspection of PDF Letters of Authority.
| Step | Manual LOA Process | RSC Automated Validation |
|---|---|---|
| Input | Email Attachment | Signed CMS Object |
| Check | Visual Signature Match | Cryptographic Signature Verify |
| Resource Proof | Cross-reference Registry | RPKI Certificate Chain |
| Tooling | Human Operator | rpki-client / Routinator |
| Output | Subjective Confidence | Binary Valid/Invalid State |
Third parties may alternatively apply the APNIC public online verification service for immediate attestation without installing local daemons. Integration into routing infrastructure allows systems like OpenBGPD to ingest validated data directly, enforcing policy based on cryptographic proof rather than trust. Early experiments indicated that similar RPKI mechanisms guided 75% of test traffic toward correct destinations, suggesting high efficacy for automated enforcement. Operator discipline remains the primary limitation. Validators function only if the network fetches fresh RPKI data at frequent intervals. Stale cache states cause valid signatures to appear expired, triggering false rejections of legitimate business documents. Failure to synchronize local repositories renders the signedChecklist useless, regardless of signature validity.
Operational Checklist for Replacing Manual LOAs with RSC Attestations
Fetching the signer's certificate from the RPKI repository precedes any parsing of the CMS protected content type. This prerequisite step keeps the validation chain intact without manual intervention. The process begins by generating the object in MyAPNIC, which binds file hashes to specific ASNs or IP ranges. Operators then distribute this binary object to peers instead of emailing spoofable PDFs. Recipients verify the signature using open-source command-line tools like `Routinator` to confirm legitimacy. Workflows eliminate the low security posture inherent in visual inspection of email attachments.
Moving toward automated validation removes human error from BYOIP authorization checks. Reliance on local tooling introduces a dependency on operator maintenance cycles. Teams ignoring this requirement face delayed convergence during resource transfers. Failure to automate leaves networks exposed to forged authority claims.
Executing Document Signing and Validation Workflows in MyAPNIC
Implementation: RSC Cryptographic Mechanics and CMS Protected Content Structure

RFC 9323 mandates the OID 1.2.840.113549.1.9.16.1.48 to identify the signedChecklist content type within CMS containers. The structure differs from email attachments because the Cryptographic Object format requires validators to possess signer public key material via the RPKI repository before acceptance. Operators generate these attestations by submitting file checksums through the MyAPNIC portal, binding hashes to specific ASNs or IP ranges.
Recipients execute local verification using rpki-client. The validation workflow fetches the signer certificate, checks the signature against the embedded checklist, and confirms resource ownership matches claimed assets.
- Generate checksums for target documents locally.
- Submit hashes via MyAPNIC to create the RSC object.
- Distribute the binary container to relying parties.
- Validate signatures using standard open-source tooling.
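The first and last steps of this list, computing the checklist entries locally and checking received files against the checklist a validated RSC carries, as an added example that is not MyAPNIC or rpki-client code. The documents are constructed in memory, SHA-256 is used for the digests, and the entry layout mirrors the fileName/hash pair of RFC 9323, where fileName is optional, so a name-less entry is matched on digest alone. Signature and resource validation of the RSC container itself are outside this block.

```python
"""Operator-side checklist construction and relying-party digest verification.

Added example, not MyAPNIC or rpki-client code. Documents are constructed
sample data; only the digest list is modelled, not the CMS wrapper.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FileNameAndHash:
    """One checklist entry; fileName is OPTIONAL in RFC 9323, so it may be None."""
    file_name: Optional[str]
    hash_hex: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_checklist(documents: dict[str, bytes], unnamed: Iterable[bytes] = ()) -> tuple[FileNameAndHash, ...]:
    """Operator side: digest every document locally before anything is uploaded."""
    entries = [FileNameAndHash(name, sha256_hex(content)) for name, content in sorted(documents.items())]
    entries += [FileNameAndHash(None, sha256_hex(content)) for content in unnamed]
    return tuple(entries)


def verify_against_checklist(checklist: Iterable[FileNameAndHash], received: dict[str, bytes]) -> dict[str, str]:
    """Relying-party side: map each checklist entry to 'ok', 'missing' or 'digest mismatch'.

    Files the peer sent that no entry covers are reported as 'not attested'
    so nobody mistakes them for signed content.
    """
    results: dict[str, str] = {}
    attested: set[str] = set()
    for entry in checklist:
        if entry.file_name is not None:
            data = received.get(entry.file_name)
            if data is None:
                results[entry.file_name] = "missing"
            else:
                attested.add(entry.file_name)
                results[entry.file_name] = "ok" if sha256_hex(data) == entry.hash_hex else "digest mismatch"
        else:
            # Name-less entry: match on digest alone against whatever was received
            matches = [name for name, data in received.items() if sha256_hex(data) == entry.hash_hex]
            attested.update(matches)
            results[f"<unnamed {entry.hash_hex[:12]}>"] = "ok" if matches else "missing"
    for name in received:
        if name not in attested:
            results[name] = "not attested"
    return results


def checklist_satisfied(results: dict[str, str]) -> bool:
    """True only when every checklist entry checked out; unattested extras do not count either way."""
    return all(status == "ok" for status in results.values() if status != "not attested")


# Constructed sample documents (stand-ins for the files an operator would attest).
DOCUMENTS = {
    "loa-as64500.txt": b"LOA: AS64500 may announce 192.0.2.0/24 (sample)\n",
    "transfer-agreement.txt": b"Transfer of 192.0.2.0/24 to example-member (sample)\n",
}

if __name__ == "__main__":
    checklist = build_checklist(DOCUMENTS)
    print(verify_against_checklist(checklist, DOCUMENTS))
    tampered = dict(DOCUMENTS, **{"loa-as64500.txt": b"LOA: AS64500 may announce 0.0.0.0/0\n"})
    print(verify_against_checklist(checklist, tampered))
```

Because the digests live inside the signed content, a modified or substituted document shows up as `digest mismatch` without any change to the signature check; a file the peer adds that the RSC never listed is flagged separately rather than silently inheriting the attestation.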
The cost of this rigidity is operational friction; validators cannot process an RSC if the signer's certificate is missing from the global repository, creating a hard dependency on RPKI synchronization status.
OpenBGPD consumes validated RSC data through `rpki-client` exports to enforce cryptographic trust on incoming policy documents.
- Generate the RSC object within MyAPNIC by uploading file checksums tied to specific ASNs or IP blocks.
- Distribute the resulting CMS binary to peers instead of emailing unverified PDF Letters of Authority.
- Configure the validator to fetch signer certificates from the RPKI repository before parsing the signedChecklist content.
- Import the validated output into OpenBGPD using the `table` directive to filter routes based on attestation status.
Validation failures often stem from missing certificate chains in the local cache rather than invalid signatures.
As of 23 Jan 2026, MyAPNIC generates RSC objects that bind file hashes to specific ASNs for immediate cryptographic validation.
- Upload document checksums to the portal to create a CMS protected content type container.
- Distribute the binary object to peers instead of emailing spoofable PDFs for BYOIP scenarios.
- Run `rpki-client` locally to fetch certificates and verify the signature chain automatically.
- Import validated results into routing policy engines to enforce access controls without manual review.
Peers lacking local validators must rely on the public online verification service to confirm resource authority, introducing a dependency on external availability. This shift eliminates human error in visual signature matching but requires operators to maintain synchronized RPKI caches.
| Workflow Stage | Manual LOA | RSC Attestation |
|---|---|---|
| Delivery Method | Email Attachment | Binary CMS Object |
| Verification Tool | Human Eye | rpki-client |
| Trust Anchor | None | RPKI Certificate |
| Scalability | Low | High |
Strategic Adoption of RSCs for BYOIP and Cloud Infrastructure
APNIC MyAPNIC Native RSC Generation Capabilities

MyAPNIC delivers native RSC generation as of January 2026, whereas RIPE NCC (ripe.net/publications/documentation/quarterly-planning/rpki/) delays implementation work until Q1 2026. This temporal gap creates an immediate operational advantage for APNIC members needing cryptographically signed proof of resource authority today. The feature binds file checksums to IP ranges within a CMS protected content type, replacing manual LOA PDFs with machine-verifiable objects. Operators gain the ability to sign documents for BYOIP deployments without waiting for external tooling maturity. The limitation is that third-party validators must already trust the underlying RPKI certificate chain; RSCs do not fix broken ROA coverage upstream. This dependency means RSC adoption accelerates security only where base RPKI deployment exists. Network engineers should deploy these attestation objects immediately to eliminate email-based spoofing vectors while competitors remain in planning phases. The strategic focus on delivery rather than policy enforcement distinguishes this rollout from peer registries.
BYOIP Provisioning and IP Authority Verification Workflows
Cloud providers now accept RSC objects for BYOIP onboarding, replacing manual LOA PDFs with cryptographic objects that bind file hashes to IP resources. Operators generate these attestations in MyAPNIC, distributing the binary to peers instead of emailing spoofable documents. This shift enables full automation where validators fetch signer certificates from the RPKI repository before parsing the signedChecklist content. The mechanism relies on the specific OID 1.2.840.113549.1.9.16.1.48 to prevent separation attacks between signatures and file lists.
Adoption momentum depends on starting with cloud providers who already lead in RPKI deployment, rather than waiting for telecom operators to update legacy workflows. The cost of this transition is the requirement for third parties to run local tools like `rpki-client` or use the online verification service instead of human review. IPv4 market prices ranging from $33 to $50 per address increase the stakes for accurate authority proof. A failure to validate the CMS protected content type correctly results in immediate route rejection by the cloud platform. Operators must ensure their routing policy engines can parse the validated output before submitting BYOIP requests.
Market Timing: APNIC RSC Launch Versus RIPE NCC Roadmap
MyAPNIC enables immediate RSC generation in January 2026, while RIPE NCC This gap forces operators in overlapping regions to choose between waiting for European parity or proceeding with cross-region validation now. The economic context involves recovering IPv4 values, yet the strategic urgency stems from automating BYOIP
| Feature | APNIC Status | RIPE NCC Status |
|---|---|---|
| RSC Generation | Live in portal | Planned for Q1 2026 |
| Validation Path | Native tooling | Policy enforcement first |
| Operational Impact | Immediate automation | Manual LOA continuation |
Operators using APNIC The limitation is asymmetric trust; peers relying solely on RIPE validation chains cannot yet verify APNIC-signed objects automatically without local tool updates. Proceeding requires configuring validators to accept the CMS protected content type from the Asian registry before European support matures. Delaying adoption extends exposure to spoofed PDF Letters of Authority. InterLIR recommends deploying RSCs immediately for critical paths rather than synchronizing with the slower RIPE roadmap.
About
Georgy Masterov, a Customer Support Specialist at InterLIR and Computational Business Analytics student, brings unique expertise to the discussion on RPKI Signed Checklists (RSCs). His daily work managing IP resource transactions and ensuring BGP security for clients directly aligns with the technical necessities of RFC 9323. At InterLIR, a Berlin-based IPv4 marketplace dedicated to transparent and secure network resource redistribution, Georgy navigates the complexities of IP reputation and asset verification. This hands-on experience with Autonomous System Numbers (ASNs) and address transfers makes him uniquely qualified to explain how MyAPNIC's new RSC feature enhances document integrity. By using his background in IT and finance, Georgy effectively bridges the gap between complex cryptographic standards and practical network availability solutions, demonstrating how verified signatures protect valuable digital assets in today's evolving internet infrastructure.
Conclusion
Manual Letter of Authority verification is a bottleneck. As IPv4 asset values climb, the latency it creates for high-value route announcements becomes unacceptable. APNIC is live. RIPE NCC is delayed. You have a choice: wait for global parity or seize the automation advantage now. Waiting extends vulnerability to spoofed documentation and slows time-to-market for Bring Your Own IP initiatives.
Decouple your validation logic from regional registry release cycles. Do not synchronize your security posture with the slowest implementer. Configure local validators to ingest APNIC-signed objects immediately while maintaining legacy fallbacks for European peers.
Deploy a dual-stack validation policy by next Friday that explicitly trusts the CMS protected content type from early-adopting registries before Q1 2026 deadlines arrive. This specific configuration change prevents route rejection errors during cloud onboarding and mitigates fraud risks associated with static PDFs. Audit your parsing engines this week. Ensure they distinguish between validated cryptographic signatures and unverified text files. Lock in automated trust verification before market pressures make manual review economically unviable.
Frequently Asked Questions
MyAPNIC uses the object identifier 1.2.840.113549.1.9.16.1.48 to bind file checksums. This specific number defines the id-ct-signedChecklist content type within the CMS protected object standard.
Third parties can verify document integrity locally using the rpki-client software tool. This utility confirms the signer legitimately holds the referenced IP addresses without manual intervention.
The signed checklist becomes invalid immediately if the underlying certificate expires. This tight coupling creates a single point of failure requiring rigorous lifecycle management.
An RSC object is a CMS protected content type, unlike unstructured PDFs. This format binds digital signatures directly to specific IP address ranges automatically.
Users can send private feedback directly to the [email protected] email address. Public discussion regarding these cryptographic mechanisms is encouraged on the apnic-services mailing list.