So when one receives an update, which part is it that you verify with the certificate derived from the RIR chain and which part is it that you verify with the certificate derived from the web-of-trust? I'm guessing the answer in part is that there's a signature attesting to the prefix origination based on the RIR-rooted certificate, but I'm not certain what you are suggesting you would sign with the web-of-trust based ISP identity certificate (the origination announcement, indicating that it is not only authorization to originate but also source authentication?)
something like the rir attests to the delegation of the prefix and an asn to the identified isp. the isp signs, using their isp identity to o originating from the asn o originating that prefix (in sbgp, toward another isp) o possibly delegating a subset of that prefix o passing other prefixes on (in sbgp, toward ...) but either you, smb, or jis should be able to get it more correctly than i. randy