I see also that many concerns expressed here are extensions of the perceived failures of the whole CA business. I agree that the whole model of CAs has largely failed. Not only are there too many of them, but the fact that they try to operate as for-profits makes them vulnerable to all the pressures that come with the need to sell and generate revenue. The spectacular failures they have suffered in the past (certificates with Microsoft's name on them, I guess everyone remembers) have certainly not helped. Basically the only thing you now get from using SSL certs is end-to-end encryption, and for that, a self-signed certificate does just as well as a thousand-dollar one from your preferred friendly CA.

However, as I said in an earlier post, I still believe that the hosted solution for RPKI is a good one at this point in time for a certain group of users of a certain application. It is *very* vertical, or niche if you want. We should not try to extend it to other applications or other groups of users.

Randy sums up my whole feelings on the issue. I also think we need top-down soon, and I wouldn't mind in the future seeing a nice Pareto distribution where 80% of members use the hosted solution, but account for 20% of routed space, where 20% of customers use top-down, accounting for 80% of routed space.

Perfection is the enemy of good. Before hosted RPKI the only way of checking origin-AS information was to use one of the public routing registries. A routing registry which is fed from RPKI data is a lot more trustworthy than plain email auth IRRs are. Is it perfect? Of course not. Can it be improved? Of course it can.

cheers!

Carlos