William-

Yes, you're correct on that point. 

Fundamentally though, if an RIR actually did that, it's effectively the end of RPKI, and seismic damage to the internet at large. The entire foundation of this system is that everything must trust that the RIRs are the source of truth over what IPs are allocated and to whom. RPKI just provides a way to cryptographically verify it. If an RIR was forced to pull an allocation by an external party for "non-normal" reasons, then trust in that RIR is irrevocably broken, and we have much larger issues to deal with. 

On Thu, Nov 14, 2024 at 5:28 PM Brandon Z. <Brandon@huize.asia> wrote:
Yeah ,that's what I meant. They can remove the certificate for the resource holder and sign a new certificate for these resources and set ROA for as0 only. Technically speaking.

Brandon Z.
HUIZE LTD

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can’t take any liability and guarantee of the text of the email message and virus.


On Fri, Nov 15, 2024 at 01:21 William Herrin <bill@herrin.us> wrote:
On Thu, Nov 14, 2024 at 9:03 AM Tom Beecher <beecher@beecher.cc> wrote:
> As explained earlier,  RIRs cannot "create" INVALIDs.

Hi Tom,

Wouldn't they just withdraw the delegation and issue an AS0 ROA
covering the address block? Does that not cause the associated route
advertisements to become RPKI invalid?

Regards,
Bill Herrin


--
William Herrin
bill@herrin.us
https://bill.herrin.us/