[db-wg] re-evaluate route-object authorisation model

Dear working group,

Yesterday during the birds of a feather session about "cross-registry
authorisation" the idea to relax the authorisation requirements for
route-object creation was brought up (again). I ask this group to further
explore.

Today, to create a route-object, BOTH the inetnum mntner, and the autnum
mntner need to approve the creation of the route-object. One could argue
that it is sufficient to require only authorisation from the inetnum
owner to create a route-object. This would simplify the process,
especially if the autnum is managed in a non-RIPE RIR. No longer would
ARIN autnum owners be required to create a superfluous autnum object in
the RIPE database.

Questions:
    
    - should the authorisation model work differently for RIPE managed
      space versus non-RIPE managed space? Should we even continue to
      allow route-objects covering non-RIPE managed space?

    - should the authorisation model work differently when creating a
      route-object for RIPE managed space with a non-RIPE managed
      autnum? If yes, how so?

    - although in this idea the autnum owner is no longer required to
      approve /creation/ of a route-object, would it be a good idea to
      allow the autnum owner to /delete/ any route-object in which their
      autnum is referenced as origin?

    - Is RFC 2725 the only reason why the authorisation model was
      implemented as it was implemented, can someone remember practical
      reasons for doing it this way? During the BoF it was pointed out
      that any potential DoS vector already exists today.
    
    - ... ?

Kind regards,

Job