I'll go a step further and say that the resource holder should be the ONLY holder of the private key for their resources.
Owen
If you're saying that ISPs can only participate in an RPKI scheme if they run their own Certificate Authority, then I think that would practically ruin the chances of Certification actually ever taking off on a large scale.
-Alex
No... I'm saying that if ISPs aren't the only entities that hold their private keys, then they aren't the only entities that can sign their resources. If you choose to delegate the CA role for signing your resources to someone else, then, obviously, you have to give them a valid private key with which to sign those resources. However, in doing that, you've created a situation where your signature is now much easier to forge. Kind of like automatic signing machines for checks. Benefit: The accounting department can sign thousands of checks and the CFO doesn't have to. Draw-back... The accounting department can sign thousands of checks without the CFO knowing they did so. Owen