Something I’ve been curious about for some time: since deployment of RPKI is (mostly) hosted by the RIRs and ultimately, the RIRs control the validation chain, what would happen if the RIR creates (or, if you prefer, is directed by court order to create) INVALIDs?
As explained earlier, RIRs cannot "create" INVALIDs.
Remember that RIRs' role in RPKI is to validate that the organization creating ROAs is the one authorized to do so, because the number resources are assigned to them. That's it. They have no function in saying anything about the ROAs themselves.
RIRs could always invalidate the resource certificate if forced, which would invalidate those ROAs too, but that would lead to NOTFOUND from a validator, **NOT INVALID**. INVALID means 'a VRP exists that covers this prefix, but does not MATCH it'.
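
The distinction drawn in the reply above, shown with RFC 6811 route origin validation in Python. This is an added example, not part of the original thread; the VRPs, prefixes and AS numbers are constructed from documentation ranges, and `drop_revoked` is a hypothetical helper modelling a validator discarding the ROAs issued under a revoked resource certificate.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    prefix: str      # prefix from the ROA
    max_length: int  # longest prefix length the ROA authorizes
    asn: int         # authorized origin AS

def covers(vrp, route):
    """A VRP covers a route when the route prefix lies inside the VRP prefix."""
    vnet = ipaddress.ip_network(vrp.prefix)
    return route.version == vnet.version and route.subnet_of(vnet)

def validate(route_prefix, origin_asn, vrps):
    """Return the RFC 6811 validation state for one announcement."""
    route = ipaddress.ip_network(route_prefix)
    covering = [v for v in vrps if covers(v, route)]
    if not covering:
        return "NOTFOUND"   # no VRP covers the prefix at all
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "VALID"  # a covering VRP also matches origin and length
    return "INVALID"        # covered, but nothing matches

def drop_revoked(vrps, revoked_prefixes):
    """Hypothetical helper: VRPs left once ROAs under a revoked cert are gone."""
    return [v for v in vrps if v.prefix not in revoked_prefixes]

# Constructed sample data (documentation prefixes and AS numbers).
VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    print(validate("192.0.2.0/24", 64496, VRPS))   # matching origin and length
    print(validate("192.0.2.0/24", 64497, VRPS))   # covered, wrong origin
    print(validate("192.0.2.0/25", 64496, VRPS))   # covered, longer than maxLength
    remaining = drop_revoked(VRPS, {"192.0.2.0/24"})
    print(validate("192.0.2.0/24", 64496, remaining))  # no covering VRP left
```
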