the worry in the ripe region and elsewhere is what i call the 'virginia court attack', also called the 'dutch court attack'. some rights holder claims their movie is being hosted in your datacenter and they get the RIR to jerk the attestation to your ownership of the prefix or your ROA.
If a Dutch court would order the RIPE NCC to remove a certificate or ROA from the system, the effect would be that there no longer is an RPKI statement about a BGP route announcement. The result is that the announcement will have the RPKI status *UNKNOWN*. It will be like the organization never used RPKI to make the statement in the first place.
Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID route announcement; the result is RPKI UNKNOWN.
The only way a court order could make a route announcement get the RPKI status *INVALID* would be to: 1: Remove the original, legitimate ROA 2: Tamper with the Registry, inject a false ROA authorizing another AS to make the announcement look like a hijack
How does this interact with the presence of certificates for supernets, though? That is, suppose an ISP creates a legitimate ROA for 12.0.0.0/8, after ensuring that all of its customers have legitimate ROAs for the various subnets of 12.0.0.0/8. Now, suppose one of these customers has its legitimate ROA revoked by a court order. Would the legitimate announcement of that subnet (originated by the customer's ASN) still result in UNKNOWN status, or would it look like a sub-prefix hijack because the announcement has a different ASN than the matching 12.0.0.0/8 prefix? -- Jen