question about Mark Koster's ARIN presentation

[randy at psg.com (Randy Bush)]

> The current effort will only allow for ipv6 objects
> (route6/inet6num).

s/allow for/add support for/

i hope

> We are using the same code that RIPE is using at http://certtest.ripe.net.
> RIPE has been very kind to allow us to use their code.  As for ARIN,
> this is a pilot and is certainly not a final fixed-feature set. The
> first go of this is the "hosted" solution where an ISP can come into
> ARIN's pilot and create ROAs based off of allocations that they
> have received from ARIN. 
> 
> All the ROAs will be placed into a rsync repository that can be retrieved 
> and validated. Specifically, here are the features that are a part of the 
> system:
> 
> *  Enables ARIN resource holders to request certificates for their IPv4 and 
>    IPv6 Provider Aggregatable (PA) resources
> *  Enables ARIN resource holders to manage Route Origin Authorizations (ROAs) 
>    for their PA address space
> *  Provides a public repository of certificates and ROAs
> *  Handles key rollovers and revocations

the simple version of the question: who holds my private key(s)?

the longer version: does this implement my having my own subsidiary CA
with it communiciating with ARIN's and RIPE's ... using the protocols of
the ietf sidr work?

randy