4.3.3 Description of the KEY-CERT Object

Below is the object template for the key-cert object. It lists all possible attributes that are allowed in this object type.

Attribute Name  Presence   Repeat     Indexed
key-cert: mandatory single primary/lookup key
method: generated single
owner: generated multiple
fingerpr: generated single inverse key
certif: mandatory multiple
org: optional multiple inverse key
remarks: optional multiple
notify: optional multiple inverse key
admin-c: optional multiple inverse key
tech-c: optional multiple inverse key
mnt-by: mandatory multiple inverse key
created: generated single
last-modified: generated single
source: mandatory single

A key-cert object holds a public key certificate, available by querying the RIPE Database. Anyone who needs to use authorisation in the RIPE Database and who has a private key can store their public key in a key-cert object. It is used with the mntner and irt objects. You cannot create a public/private key pair using the RIPE Database software. You must use some external software to create your keys and then copy the certificate data into the key-cert object.

Currently, the RIPE Database supports two types of keys, PGP and X.509.

The PGP certificate can be used to authorise updates to the RIPE Database and for signing and encrypting correspondence with a CSIRT using an irt object (see the sub-sections 'Description of the irt Object' and ‘Description of the mntner Object' for more details). The “key-cert:” attribute takes the format ‘PGP-nnnnnnnn' where the key-id nnnnnnnn is a hexadecimal number. These keys are compliant with the Open PGP Message Format. PGP keys using an Elliptic Curve algorithm are not currently supported (e.g. Curve 25519, NIST, SECG, ECC Brainpool etc.).

The X.509 certificate can be used to sign and encrypt correspondence with a CSIRT using an irt object. It may work in some circumstances for authorising updates to the RIPE Database but we cannot guarantee this. The “key-cert:” attribute takes the format ‘X509-nnn' where key-id nnn is an integer number starting with 1. If you want to create an X.509 key-cert object, you should specify the value as ‘AUTO-xx'. The next available number will be assigned by the software. If you delete an X.509 key-cert object, it is not possible to recreate it with the same key-id.

The "method:", "owner:" and "fingerpr:" attributes are all generated by the software. It is not necessary to include these attributes when you create or modify one of these objects. If any of them are supplied, the software will check the values. If the value is wrong for any reason, the software will replace the supplied values with generated values. In this case, a warning will be returned to the user. Description of Attributes Specific to the KEY-CERT Object

  • "key-cert:" – This attribute specifies the key-id. This is used in “auth:” attributes of the mntner and irt objects.
  • “method:” – This attribute defines the type of the public key. Currently, only PGP and X509 are supported.
  • “owner:” – This attribute specifies the owner of the public key. This information must be supplied when you create the key. The RIPE Database software extracts this information from the key data when the key-cert object is created.
  • “fingerpr:” – This attribute is an identifier of the public key. The RIPE Database software extracts this information from the key data when the key-cert object is created.
  • “certif:” – The value of the public key should be supplied either using multiple "certif:" attributes, or in one "certif:" attribute. In the first case, this is easily done by exporting the key from your local key ring in ASCII-armored format and adding the string "certif:" to the start of each line of the key. In the second case, line continuation should be used to represent an ASCII-armored format of the key. All the lines of the exported key must be included, not forgetting the begin and end markers and the empty line that separates the header from the key body.