* Alex Band wrote:
2) A PI End User requests a resource certificate through their sponsoring LIR and gets access to the Route Origin Access (ROA) management system themselves, or they delegate management to the sponsoring LIR
I do prefer this option. Sponsoring LIR does handle the contractual issues with RIPE and I do count rPKI in the same way as allocates. They are tighly coupled.
The issue is: A PI End user must prove to the RIPE NCC that they truly are the legitimate holder of the resources they would like to have a certificate for. What proof do they need to give to the RIPE NCC before we grant them access to the system?
Use a token running thought the sponsoring LIR. This satisfies the principle of "follow the contracts". Skipping contractual relationship does open a can of layw^Wworms.