A safer Internet route

03.12.2008

Safe and Secure Keys

The private key is kept private, but the public key is openly published for others to access. APNIC, acting as the certificate authority, publishes the public key in a certificate and attests that the key belongs to the resource holder identified in the certificate. APNIC signs this attestation with its own private key and makes the APNIC public key available.

In this way, resource certificates extend the public key certification model and affirm that the resource holder is the 'right-of-use' holder or controller of a specific set of IP address and AS number resources.

Included in this system of routing security is a mechanism that allows entities to verify that an AS has permission from an IP address block holder to advertise routes to one or more prefixes within that address block. The address block holder would sign a route origin attestation (ROA). Where an AS advertises routes with one or more autonomous systems (ASes), it would sign an adjacency attestation (AAO). This attests that there is an inter-domain adjacency or that the local AS is a routing peer with those ASes adjacent to it.
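The origin check described above, as an added example that is not APNIC's code: given ROAs whose signatures are assumed to have already been verified against the resource certificate chain, it decides whether an AS is authorised to originate a prefix. The ROA fields (prefix, maximum length, origin AS) and the valid / invalid / not-found outcomes follow RFC 6811, which the article does not describe; the names `ROA`, `SAMPLE_ROAS` and `validate_origin` are hypothetical, and the sample data is constructed from documentation prefixes and AS numbers.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # address block the holder signed for
    max_length: int  # longest prefix length the holder authorises
    asn: int         # AS permitted to originate routes in the block


# Constructed sample ROAs (documentation prefixes and AS numbers only).
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64497),
]


def validate_origin(route_prefix, origin_asn, roas):
    """Classify a route announcement against already-verified ROAs.

    Returns "valid" if some covering ROA names this origin AS and allows
    the prefix length, "invalid" if ROAs cover the prefix but none match,
    and "not-found" if no ROA covers the prefix at all.
    """
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        block = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if block.version != route.version or not route.subnet_of(block):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    announcements = [
        ("192.0.2.0/24", 64496),     # holder-authorised origin
        ("192.0.2.0/24", 64511),     # covered block, wrong origin AS
        ("192.0.2.128/25", 64496),   # right AS, more specific than allowed
        ("2001:db8:1::/48", 64497),  # within max length of the /32 ROA
        ("203.0.113.0/24", 64496),   # no ROA covers this block
    ]
    for prefix, asn in announcements:
        print(f"{prefix:18} AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
```

A "not-found" result means only that the block holder has published no ROA; how a router treats such routes is a local policy decision.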

APNIC members, the majority of ISPs, telecommunication operators and large network managers across the Asia Pacific, can access resource certification via the secure online portal, MyAPNIC. This is a one-stop shop that allows members to manage resource certificates, route origin attestations, and other signed objects all within the resource management GUI. Users are able to create, manage, apply, and destroy certificates over all their resources and see them published in the worldwide resource certificate repository hierarchy at APNIC.