> in operation, this means that there could be isp- (or ufo-)centric
> isp identity certification (a la web of trust, for example) which
> could have a very separate cert chain from that of address space
> allocation, which, aside from the legacy issue, could come via the
> rirs.
So when one receives an update, which part is it that you verify with the certificate derived from the RIR chain and which part is it that you verify with the certificate derived from the web-of-trust? I'm guessing the answer in part is that there's a signature attesting to the prefix origination based on the RIR-rooted certificate, but I'm not certain what you are suggesting you would sign with the web-of-trust based ISP identity certificate (the origination announcement, indicating that it is not only authorization to originate but also source authentication?). If the RIR-rooted certificate says that ISP XYZ is allocated prefix P, does the web-of-trust ISP identity certificate have to say exactly "ISP XYZ"? Is that exact match the link between what the RIR-rooted cert is proving and what the web-of-trust identity cert is proving?

--Sandy
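The two-chain verification Sandy is asking about, as an added illustration that is not part of this thread or of any proposal discussed in it. It models an update carrying two signatures: one by the holder of an RIR-issued address allocation (authorization to originate) and one by a web-of-trust endorsed identity key (source authentication), and it makes the binding between the chains an explicit check that the two certificates name the same subject. Signatures are stood in for by HMAC-SHA256 keyed by the signer's secret, so one key string here represents a key pair; the certificate fields, key names, ISP names, endorsement threshold and prefixes are all constructed for the example, not taken from any real format.

```python
"""Toy two-chain verification of a route origination announcement.

Chain 1 (address space): an RIR-rooted allocation certificate says which
subject holds a block covering the announced prefix.
Chain 2 (identity): a self-signed identity certificate that enough trusted
ISPs have endorsed (web-of-trust style).
The update must be signed by the key in each certificate, and the two
certificates must name the same subject. HMAC stands in for public-key
signatures; all names and secrets below are constructed."""
import hashlib
import hmac
import ipaddress
import json

# Constructed secrets; each key id stands in for a key pair. A real verifier
# would use the public key carried in the certificate instead of this table.
KEYS = {
    "rir-root": b"rir-root-secret",
    "xyz-alloc": b"xyz-allocation-secret",
    "xyz-ident": b"xyz-identity-secret",
    "abc-ident": b"abc-identity-secret",
    "def-ident": b"def-identity-secret",
    "evil-ident": b"evil-identity-secret",
}


def _canon(obj):
    # Canonical encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True).encode()


def sign(key_id, obj):
    return hmac.new(KEYS[key_id], _canon(obj), hashlib.sha256).hexdigest()


def verify(key_id, obj, sig):
    return hmac.compare_digest(sign(key_id, obj), sig)


def make_cert(issuer_key, subject, subject_key, **claims):
    body = {"issuer_key": issuer_key, "subject": subject,
            "subject_key": subject_key, **claims}
    return {**body, "sig": sign(issuer_key, body)}


def body_of(cert):
    return {k: v for k, v in cert.items() if k != "sig"}


def endorse(endorser_key, cert):
    # A web-of-trust endorsement: another party signs the identity cert body.
    return {"endorser_key": endorser_key, "sig": sign(endorser_key, body_of(cert))}


def alloc_chain_ok(alloc_cert, prefix, rir_root="rir-root"):
    """Address-space chain: RIR-signed cert whose block covers the prefix."""
    if alloc_cert["issuer_key"] != rir_root:
        return False
    if not verify(rir_root, body_of(alloc_cert), alloc_cert["sig"]):
        return False
    return ipaddress.ip_network(prefix).subnet_of(ipaddress.ip_network(alloc_cert["prefix"]))


def identity_ok(id_cert, endorsements, trusted_keys, threshold=2):
    """Identity chain: at least `threshold` valid endorsements from trusted keys."""
    good = sum(1 for e in endorsements
               if e["endorser_key"] in trusted_keys
               and verify(e["endorser_key"], body_of(id_cert), e["sig"]))
    return good >= threshold


def verify_update(update, alloc_cert, id_cert, endorsements, trusted_keys):
    """Return (ok, reason). 'auth_sig' is checked against the allocation
    holder's key, 'src_sig' against the identity key, then subjects are bound."""
    body = {k: v for k, v in update.items() if k not in ("auth_sig", "src_sig")}
    if not alloc_chain_ok(alloc_cert, body["prefix"]):
        return False, "RIR chain does not cover the announced prefix"
    if not verify(alloc_cert["subject_key"], body, update["auth_sig"]):
        return False, "origination not signed by the allocation holder"
    if not identity_ok(id_cert, endorsements, trusted_keys):
        return False, "identity certificate lacks enough trusted endorsements"
    if not verify(id_cert["subject_key"], body, update["src_sig"]):
        return False, "announcement not signed by the identified source"
    if alloc_cert["subject"] != id_cert["subject"]:
        return False, "allocation holder and announcing identity do not match"
    return True, "ok"


def demo():
    trusted = {"abc-ident", "def-ident"}
    alloc = make_cert("rir-root", "ISP XYZ", "xyz-alloc", prefix="192.0.2.0/24")
    ident = make_cert("xyz-ident", "ISP XYZ", "xyz-ident")  # self-signed identity
    endorsements = [endorse("abc-ident", ident), endorse("def-ident", ident)]
    body = {"prefix": "192.0.2.0/25", "origin_as": 64496}
    good = {**body, "auth_sig": sign("xyz-alloc", body), "src_sig": sign("xyz-ident", body)}
    results = {"legitimate": verify_update(good, alloc, ident, endorsements, trusted)}

    # Same entity, but the identity cert spells the name differently: binding fails.
    ident2 = make_cert("xyz-ident", "ISP XYZ Ltd", "xyz-ident")
    end2 = [endorse("abc-ident", ident2), endorse("def-ident", ident2)]
    results["name_mismatch"] = verify_update(good, alloc, ident2, end2, trusted)

    # Well-endorsed identity that does not hold the prefix: authorization fails.
    evil = make_cert("evil-ident", "ISP EVIL", "evil-ident")
    end3 = [endorse("abc-ident", evil), endorse("def-ident", evil)]
    bad = {**body, "auth_sig": sign("evil-ident", body), "src_sig": sign("evil-ident", body)}
    results["unauthorized_origin"] = verify_update(bad, alloc, evil, end3, trusted)

    # Identity endorsed only by itself: not enough trusted endorsements.
    results["unendorsed"] = verify_update(good, alloc, ident, [endorse("xyz-ident", ident)], trusted)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'accept' if ok else 'reject'}: {reason}")
```

The name-mismatch case is the point of the question: both chains validate on their own, and the update is still rejected only because the verifier insists on an exact subject match between the allocation certificate and the identity certificate. Whether that match should be on a name, a key, or some other identifier is exactly the design decision the thread is circling.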