I at least think that whatever future and time-table is planned for RPKI, this should not stand in the way of ARIN offering an effective authentication mechanism for the ARIN IRR. ... I really do wonder what ARIN's plan is if a bad guy decides to forge emails and delete or modify some or all of the objects.
my guess is do their best to try to see who has the right data. as arin seems to be driven by fud, policy wannbes, and lawyer(s), this might be complex, slow, and expensive. so it goes. but, unlike the other regions, the arin.irr is not confuddled with the arin.whois. i.e. it is kind of irrelevant to the authority on resource ownership, arin's real responsibility. they are just providing a free irr service, as it is the popular thing for rirs to do these years. and i don't think many use it. if you don't like its weak authentication, then don't use it, there are plenty of alternatives, e.g. see $subject. i agree that running an irr instance with only mail-from is pretty lame. and there is good free software out there to do it well if you do not suffer from nih. so i would advise putting it late in your peval() string. randy, who runs an irr instance using irrd