not exactly. there are two trusts here. i have to accept that asns as incompetent at configuration as i are attesting to prefixes and paths or i won't be able to get to a large part of the net.
but this is orthogonal to my trust in their competence to attest to the identity of other asns by cross-signing others' certs. i could have a business relationship with an asn whose routing competence i question.
What happened to responsibility? Where does it fit in to the issue?
responsibility for what?
As much as they enjoy sharing brew sessions, I don't think I've often seen or heard of 701 and 2914 ever having to point out downstream misbehavior to each other. And I *think* they both have sticks that are big enough that they never have to be waved. So if we can assume that this is true of the other folks of "similar" size, then which are the large parts of the net you can't or won't be able to reach? Or are your peers not prepared to own responsibility for their announcements? And if not, why not? And I refuse to accept the reasoning that seems to have smothered pushback - Networks don't have to deploy new code or equipment or capabilities to control internal or downstream announcements.
uh, i really do not follow what you are saying. the point is that the trust model for attestation of identity need not be the same trust model for the attestation of prefix ownership or of as-path. in operation, this means that there could be isp- (or ufo-)centric isp identity certification (a la web of trust, for example) which could have a very separate cert chain from that of address space allocation, which, aside from the legacy issue, could come via the rirs.
randy