you can sign over something which says "the person identified by the following public key is to be permitted to ..."
you mean the fraudulent attacker who owned that INR seems to have signed this request for a €1.000.000,49 wire transfer to their iban. a person is not identified by that signature.
If someone has a valid CA cert/key from the RIR, it's very hard to argue 'fraudulent'. It's, however, "easy" for the RIR to reverse the error, right? :)
sorry. by 'fraudulent' i meant that they have no authority to request the funds. you just know they own some INR. and if they request it again, you might be confident it is at least the same attacker :)

now, you and i could agree formally, i.e. provably, out of band, say using pgp or whatever, that ownership of some INR identifies you. or we could use some arbitrary other PKI entirely, e.g., X.400 was meant for this. but, as i said, karen, heather, and lucy know the personal and organisational identity space far better than i. i just know enough about the rpki that it is very intentionally not in that identity space.

but think about the dance that prudent folk do to accept pgp keys, and pgp has fingerprints to make it a bit easier to do oob verification. but that verification uses an external identity provider, e.g. passport or whatever makes you comfortable. now infer what we would need to do to accept an rpki INR key as a proof of identity.

randy

---
randy@psg.com
`gpg --locate-external-keys --auto-key-locate wkd randy@psg.com`
signatures are back, thanks to dmarc header mangling