On Sun, Apr 29, 2012 at 11:28:58AM -0400, Jennifer Rexford <jrex@CS.Princeton.EDU> wrote a message of 37 lines which said:
> How does this interact with the presence of certificates for supernets, though? That is, suppose an ISP creates a legitimate ROA for 12.0.0.0/8, after ensuring that all of its customers have legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose one of these customers has its legitimate ROA revoked by a court order. Would the legitimate announcement of that subnet (originated by the customer's ASN) still result in UNKNOWN status, or would it look like a sub-prefix hijack because the announcement has a different ASN than the matching 12.0.0.0/8 prefix?
The second (and therefore Alex Band's example is not good). But it depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA (section 3.3 of RFC 6482). If, in the future, RIRs or operators create ROAs for all the blocks they manage, revocation of a ROA will be deadly.
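
An added example, not part of the original message: the route origin validation procedure of RFC 6811 applied to the scenario in this exchange, before and after the customer's ROA disappears. The ASNs (64500 for the ISP, 64501 for the customer) and the customer prefix 12.1.2.0/24 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength, authorised origin ASN."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def roa(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    # RFC 6482 section 3.3: an absent maxLength equals the prefix length.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(route_prefix, origin_asn, vrps):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        if not route.subnet_of(vrp.prefix):
            continue  # this VRP does not cover the route
        covered = True
        if route.prefixlen <= vrp.max_length and origin_asn == vrp.asn:
            return "valid"
    # Covered by some VRP but matched by none: invalid, not "unknown".
    return "invalid" if covered else "not-found"

# Constructed sample data: documentation ASNs, hypothetical customer /24.
ISP_AS, CUSTOMER_AS = 64500, 64501
ISP_ROA = roa("12.0.0.0/8", ISP_AS)
CUSTOMER_ROA = roa("12.1.2.0/24", CUSTOMER_AS)

def scenario():
    route = ("12.1.2.0/24", CUSTOMER_AS)
    wide_roa = roa("12.0.0.0/8", ISP_AS, max_length=24)
    return {
        "both ROAs": validate(*route, [ISP_ROA, CUSTOMER_ROA]),
        "customer ROA revoked": validate(*route, [ISP_ROA]),
        "no ROAs at all": validate(*route, []),
        "ISP /24, maxLength 8": validate("12.1.2.0/24", ISP_AS, [ISP_ROA]),
        "ISP /24, maxLength 24": validate("12.1.2.0/24", ISP_AS, [wide_roa]),
    }

if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:24} {state}")
```

The last two rows show where maxLength changes the outcome: a more-specific announced by the ROA's own ASN.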