You might try taking a look at the various presentations at NANOG/RIPE/ARIN/APNIC/APRICOT about the whole idea. Central point: the entity that gives you a suballocation of its own address space signs something that says you now hold it.
If the whois directories actually operated under some set of guidelines defining their purpose and scope which was enforced by the directory publishers, then there would be no need for this certificate nonsense. Why force the routers to do crypto and check certificates when it is easier, less fragile, and more reliable to have some kind of operational support system checking the RIR whois directory? If the RIRs actually took whois directories seriously and RIGOROUSLY cleaned the information in those directories, then there would be no need for putting crypto in the BGP protocol or on the routers. This whole BGP-security-based-on-certificates idea is using a sledgehammer to fix an administrative problem with the whois directories. Note that RIPE is already moving to a more rigorous whois directory because of European Data Protection laws. It is no longer acceptable to just do whois like it was done 20 years ago just because that is the net tradition. Now we must have policies which define the purpose of whois directories and rigorously check the data to ensure that it meets those policies. This is an area where every ISP can get involved with a small amount of effort, much smaller than dealing with crypto on the routers and certificate systems.
No governments involved.
Fixing whois is even better. No security experts involved. There are just far too few real security experts to go around. This push for signing routes and signing DNS is just madness because it means that net operations people will not be able to determine whether a data source is trustable or not without becoming a security expert themselves. This is a wholly inappropriate application of certificates and crypto.

--Michael Dillon
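
A sketch of the kind of off-router check the message above proposes, comparing observed BGP announcements against whois route objects. This is an added example, not part of the original message: the RPSL-style records use documentation prefixes and private-use AS numbers and are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: RPSL-style route objects as a whois directory might return them.
WHOIS_DUMP = """\
route:   192.0.2.0/24
origin:  AS64500
mnt-by:  MAINT-EXAMPLE

route:   198.51.100.0/24
origin:  AS64501
mnt-by:  MAINT-EXAMPLE2
"""

def parse_route_objects(text):
    """Return [(network, origin_asn)] from blank-line-separated RPSL objects."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            asn = int(attrs["origin"].upper().removeprefix("AS"))
            routes.append((ipaddress.ip_network(prefix), asn))
    return routes

def check_announcement(prefix, origin_asn, routes):
    """Classify one announcement against the registered route objects."""
    announced = ipaddress.ip_network(prefix)
    covering = [(net, asn) for net, asn in routes
                if net.version == announced.version and announced.subnet_of(net)]
    if not covering:
        return "unregistered"        # no route object covers this prefix
    if any(net == announced and asn == origin_asn for net, asn in covering):
        return "match"               # exact prefix, registered origin
    if any(asn == origin_asn for _, asn in covering):
        return "more-specific"       # registered origin, longer prefix than registered
    return "origin-mismatch"         # covered, but by a different origin AS

if __name__ == "__main__":
    registry = parse_route_objects(WHOIS_DUMP)
    for pfx, asn in [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64500),
                     ("192.0.2.128/25", 64500), ("203.0.113.0/24", 64502)]:
        print(pfx, f"AS{asn}", check_announcement(pfx, asn, registry))
```

The verdicts are only as reliable as the directory records behind them, which is the data-quality condition the message argues for.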