Hierarchical relationships breed "reptiles" because of the inherent asymmetric business relationship that results. ... Frankly, I am quite impressed with the address registries.
How would you feel about having the registries serve as the root of a hierarchical certificate system?
So an institution would have its "certificate" signed by its upstream (or one of its upstream) providers.
How is this relationship not a hierarchical, asymmetric business relationship? What happens in this paradigm in de-peering situations? Are you intending to exclude peering relationships from this web of trust?
The providers could cross-certificate to build a "root free" (as in "default free" zone) mesh (aka "Web of Trust.").
I believe a web of trust can be operationally feasible only if the web is more like a forest - if there are several well known examples of "tops" to the web. Otherwise, you have to be storing a plethora of different signers' certificates to be able to validate all the institution's certificates that come in. After all, there are thousands of different providers out there. If every BGP speaker uses a different certificate in signing updates to provider A than in signing updates to provider B, then the validation can be quite complex.
Any trust relationship model would have to deal with
(a) Provider independent space
(b) Multi-homed organizations, with and without AS's
(c) Organizations that are mobile - they might change their attachment point frequently or abruptly.
Authorities exist for some number resources - e.g., those registries hand out addresses - should that be validated by the web of trust? (The authority says the address is allocated to A but I've got an update showing the address originating from B validated by my best peer's three best peers' peers.) (Sometimes authorities are needed - if you were buying a car from Joe Doe, would you prefer a title signed by the DMV or the testimony of your favorite body shops that Joe Doe has been their customer for this car for a while now?) That authority extends downward through sub-allocations in a tree, not a mesh. (But the web of trust might be useful for those current special cases that don't devolve from the existing registries, aka legacy space, until that situation can be fixed.)
--Sandy
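Added example, not part of the original message: a sketch of the allocation-tree check the message argues for, where authority over a prefix flows from a registry down through contained sub-allocations and an update's origin is compared against the most specific validated holder. The record layout, holder names and function names are assumptions; the prefixes and AS numbers are constructed documentation values, and signature verification on each record is omitted.

```python
import ipaddress

# Constructed sample data: RFC 5737 documentation prefixes and RFC 5398
# documentation AS numbers. Each record is (prefix, holder, issuer);
# issuer None marks a registry root. Signature checks are omitted.
ALLOCATIONS = [
    ("198.51.100.0/24", "registry", None),
    ("198.51.100.0/25", "provider-A", "registry"),
    ("198.51.100.0/26", "customer-X", "provider-A"),
    # Bad sub-allocation: provider-A does not hold this space.
    ("203.0.113.0/24", "customer-Y", "provider-A"),
]
HOLDER_AS = {"provider-A": 64496, "customer-X": 64497, "customer-Y": 64498}


def chain_ok(alloc, allocs, seen=()):
    """True if alloc descends from a root through contained sub-allocations."""
    net, _holder, issuer = alloc
    if issuer is None:
        return True
    if alloc in seen:  # guard against issuer loops
        return False
    return any(
        parent[1] == issuer
        and net.subnet_of(parent[0])
        and chain_ok(parent, allocs, seen + (alloc,))
        for parent in allocs
    )


def check_update(prefix, origin_as, allocations=ALLOCATIONS, holder_as=HOLDER_AS):
    """Classify an announced (prefix, origin AS) as valid, invalid or unknown."""
    net = ipaddress.ip_network(prefix)
    allocs = [(ipaddress.ip_network(p), h, i) for p, h, i in allocations]
    covering = [a for a in allocs if net.subnet_of(a[0]) and chain_ok(a, allocs)]
    if not covering:
        return "unknown"  # no chain to a registry, e.g. legacy space
    holder = max(covering, key=lambda a: a[0].prefixlen)[1]
    return "valid" if holder_as.get(holder) == origin_as else "invalid"


if __name__ == "__main__":
    for prefix, asn in [("198.51.100.0/26", 64497), ("198.51.100.0/26", 64496),
                        ("203.0.113.0/24", 64498)]:
        print(prefix, asn, check_update(prefix, asn))
```

The second case is the "allocated to A, originated by B" conflict from the message; the third shows that a sub-allocation outside the issuer's own space confers no authority, so the prefix is treated like legacy space.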