<pedantry but technically critical pedantry> [ and 06:00 here so i am probably also making critical errors ]

> I don't think rr.arin.net and RPKI have anything to do with each
> other. I think the direction the RPKI should/is taking is to have the
> RIR sign a ROA to the ORG that they allocate the address space to...

s/ROA/resource certificate/

> Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the
> ORG that they assign address space to.

idem

it is only when you get down to someone who has [a piece of] that allocation they wish to announce into bgp that they actually cause a ROA to be issued which may be validated using the cert chain.

> The parts of the puzzle here that ARIN (or really any RIR) is
> responsible for are the 'signing roas to allocatees' (the "up/down
> protocol" as it's referred to in the drafts

s/roas/certificates/

> I believe the 'up/down protocol' part here is critical, the "web
> server" part ... I'm not sure is so critical, maybe a third party
> makes that happen outside of the ARIN management chain?

this is easily done with the rpki, up/down, publication, ... architecture.

> Using someone not yourself (ARIN or another third party) to manage
> your ROA data means you probably have (in the most simple case) given
> the ability to that third party to sign objects for you, that means
> they have your private key(s) and can break you by
> mistake/malfeasance/oversight/etc. For this reason some folks may be
> ok with using a third party, many will choose to hold their fate in
> their own hands.

exactly. but only if the parent runs the up/down ('provisioning') protocol, does the child have that choice.

randy
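The chain Randy describes (RIR issues a resource certificate to the LIR, the LIR to its customer, and only the customer issues a ROA, which validators check against that chain) as an added Python example that is not from the thread: it models the certificates as plain records with no X.509 or signatures, checks that every certificate's address resources sit inside its parent's, rejects ROAs whose chain or prefix fails that check, and then runs RFC 6811 route origin validation of a BGP announcement against the resulting ROA set. The holder names, prefixes and ASNs are constructed documentation values (RFC 5737, RFC 5398), not anything from the thread.

```python
import ipaddress
from collections import namedtuple

# Resource certificate: holder plus the address resources it lists; parent None = trust anchor (RIR).
ResourceCert = namedtuple("ResourceCert", "holder prefixes parent", defaults=(None,))
# ROA signed under an end-entity cert: "asn may originate prefix, down to max_length".
Roa = namedtuple("Roa", "issuer asn prefix max_length")

def covered_by(prefix, holdings):
    """True if prefix lies inside one of the listed holdings (same address family)."""
    return any(p.version == prefix.version and prefix.subnet_of(p) for p in holdings)

def validate_chain(cert):
    """Walk up to the trust anchor; each cert's resources must sit inside its parent's."""
    while cert.parent is not None:
        for p in cert.prefixes:
            if not covered_by(p, cert.parent.prefixes):
                return False, f"{cert.holder} lists {p}, not held by {cert.parent.holder}"
        cert = cert.parent
    return True, "chain ok"

def validate_roa(roa):
    """A ROA is valid only if its issuer's chain validates and the ROA prefix is inside the issuer's resources."""
    ok, why = validate_chain(roa.issuer)
    if ok and not covered_by(roa.prefix, roa.issuer.prefixes):
        ok, why = False, f"ROA prefix {roa.prefix} outside {roa.issuer.holder}'s resources"
    return ok, why

def origin_state(announced, origin_asn, roas):
    """RFC 6811 route origin validation of one BGP announcement against the ROA set."""
    state = "notfound"
    for roa in roas:
        if not validate_roa(roa)[0] or not covered_by(announced, [roa.prefix]):
            continue  # invalid ROAs and ROAs that do not cover the route are ignored
        if roa.asn == origin_asn and announced.prefixlen <= roa.max_length:
            return "valid"
        state = "invalid"  # covered by a valid ROA, but wrong origin ASN or too-long prefix
    return state

# Constructed sample chain (documentation prefixes from RFC 5737, ASNs from RFC 5398).
N = ipaddress.ip_network
RIR = ResourceCert("RIR", [N("192.0.2.0/24")])
LIR = ResourceCert("LIR", [N("192.0.2.0/25")], RIR)
CUST = ResourceCert("customer", [N("192.0.2.0/26")], LIR)
GOOD_ROA = Roa(CUST, 64496, N("192.0.2.0/26"), 26)
# A cert listing space the LIR never received: its chain, and any ROA under it, must fail.
ROGUE = ResourceCert("rogue", [N("192.0.2.128/26")], LIR)
ROGUE_ROA = Roa(ROGUE, 64497, N("192.0.2.128/26"), 26)
```

The rogue ROA is not merely rejected: because it never becomes a valid ROA, a route for its prefix ends up "notfound" rather than "valid", which is why the chain above the leaf is what gives a ROA its meaning.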
> I don't think rr.arin.net and RPKI have anything to do with each > other. I think the direction the RPKI should/is taking is to have the > RIR sign a ROA to the ORG that they allocate the address space to... s/ROA/resource certificate/ > Similarly the ORG (if they are an N|LIR-type) will sign a ROA to the > ORG that they assign address space to. idem it is only when you get down to someone who has [a piece of] that allocation they wish to announce into bgp that they acually cause a ROA to be issued which may be validated using the cert chain. > The parts of the puzzle here that ARIN (or really any RIR) is > responsible for are the 'signing roas to allocatees' (the "up/down > protocol" as it's referred to in the drafts s/roas/certificates/ > I believe the 'up/down protocol' part here is critical, the "web > server" part ... I'm not sure is so critical, maybe a third party > makes that happen outside of the ARIN management chain? this is easily done with the rpki, up/down, publication, ... architecture. > Using someone not yourself (ARIN or another third party) to manage > your ROA data means you probably have (in the most simple case) given > the ability to that third party to sign objects for you, that means > they have your private key(s) and can break you by > mistake/malfeasance/oversight/etc. For this reason some folks may be > ok with using a third party, many will choose to hold their fate in > their own hands. exactly. but only if the parent runs the up/down ('provisioning') protocol, does the child have that choice. randy