Does the netblock "owner" suddenly see all of its traffic dropped?
If so, this is a far more powerful takedown than simply a domain or CA takedown or revocation and takes immediate effect across the globe.
It's basically a giant "kill switch" and centralizes enormous power in the RIRs, which still have to operate according to the laws of the jurisdiction that they operate in, but span country laws.
Follow-up question. What happens when a judge in (any country) issues legal notice to terminate the certificate to the RIR of a region for a netblock of an entity in another country?
Assuming everyone implements RPKI validation AND the RIR signs a new valid ROA with a different origin: Yes, eventually. Depends on sync intervals. It's unlikely it would even be legally possible to compel them to do this.
Individual ASNs can still choose to accept the invalid route anyway.
The RIR already has the power to revoke assignments, and IRRs would likely remove the route objects which most large networks use to generate filters. It was simply a slower process, and filtering according to IRR data is much more error-prone and open to abuse.
For example, here's RIPE's policy: https://www.ripe.net/publications/docs/ripe-541
But then, at a higher level, look at the unilateral/collective censorship ("deplatforming") that is happening right now... and being carried out in part by Amazon. None of the censors have been legally compelled to take any such actions.
This certainly happens at the local level all the time: really toxic customers can get "fired" and banned from all the local movie theaters or all the local grocery stores. It is really no different online - some people just got used to living consequence-free on the internet. Wider society had no idea what the internet was at first then later didn't grasp the seriousness or impact the internet had. Fewer people hold such obviously disprovable beliefs now. The internet is just slowly catching up with how the physical world usually works. Neo-Nazi groups often can't find private venues willing to host their rallies, caterers willing to serve them food, etc. Newspapers refuse to run ads all the time. Broadcast networks don't hand over the microphone to everyone who demands it. If every newspaper in the country refuses to run your political ad that doesn't make it a grand conspiracy to censor you - perhaps you're just an asshole they don't want to do business with.
RIRs are not regular for-profit businesses and operate under very different policies for many reasons, not the least of which is that there are no alternatives, since the RIR controls your access to the internet within your region via IP assignments.
Anyway, it does not change the point of the original comment which is that these entities are collectively taking action based on objectionable material without any legal compulsion.
Any protocol which lets them do that will surely face a lot of opposition.
"Only trust Operating Systems signed by us for your own security", "Only trust Apps signed by us for your own security", "Only trust routes signed by us for your own security", yeah I think we all know how that usually goes.
For example the EFF spent effort helping US judges understand that if they want to order that stealmovies.example must go away they need to order the example registry to remove this name, not try to force Let's Encrypt to revoke certificates for it as Hollywood lawyers were advocating.
That won't magically stop judges from making orders you disagree with, but it does force them to be clear-eyed about what they're about, and that means you're more likely to prevail with simple just rationales either in court or subsequently in popular opinion.
A RIR could, however, purposefully sign a new ROA with a different origin.
Does anyone know if AWS is going to push the remaining 1% to implement ROA?
Also, it sounds like an unsigned route - which I think most BGP announcements are - is still accepted, right? Any idea when we can start to require routes be signed?
For example, running tests to a signed, unsigned and invalid prefix can provide insight into how other networks are routing to them.
One example is a beacon to probe to determine if a network has enabled origin validation. Failure to connect, or a change in the routing path can provide insight into which networks on the internet have enabled origin validation.
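Added example, not part of any comment in this thread: the three outcomes discussed above (signed, unsigned and invalid prefixes) under the RFC 6811 origin-validation procedure, including what happens when a ROA is re-issued with a different origin. Prefixes and AS numbers are constructed from documentation ranges, and `validate_origin`, `accepts` and `scenario` are hypothetical names.

```python
import ipaddress
from typing import Iterable, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload: one (prefix, maxLength, origin AS) tuple."""
    prefix: str
    max_length: int
    asn: int


def validate_origin(route_prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a BGP announcement (RFC 6811)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        # A VRP covers the route if the route is equal to or inside the ROA prefix.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Match: same origin AS (AS0 never matches) and not more specific than maxLength.
        if vrp.asn != 0 and vrp.asn == origin_asn and route.prefixlen <= vrp.max_length:
            return "valid"
    # Covered by some ROA but matched by none: invalid. No covering ROA: not-found.
    return "invalid" if covered else "not-found"


def accepts(state: str, drop_invalid: bool) -> bool:
    """Local policy: each AS decides for itself whether 'invalid' routes are dropped."""
    return not (drop_invalid and state == "invalid")


def scenario() -> dict:
    # Constructed data: documentation prefixes (RFC 5737) and AS numbers (RFC 5398).
    before = [VRP("192.0.2.0/24", 24, 64496)]
    after = [VRP("192.0.2.0/24", 24, 64511)]  # ROA re-issued with a different origin
    return {
        "signed_before": validate_origin("192.0.2.0/24", 64496, before),
        "signed_after": validate_origin("192.0.2.0/24", 64496, after),
        "unsigned": validate_origin("198.51.100.0/24", 64500, after),
        "more_specific": validate_origin("192.0.2.128/25", 64496, before),
    }


if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:14} {state:10} enforcing AS accepts: {accepts(state, True)}")
```
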
Transitional technologies allow IPv4 holdouts to have "working" Internet despite an increasing proportion of IPv6 nodes: there's some device somewhere which is mapping your connection to some IPv6-only service as an imaginary IPv4 connection. Such things wouldn't scale with 99% of users and usages, but can handle, say, five thousand IPv4 users on your ten million customer ISP who mostly visit Facebook and check email.
Eventually the long distance traffic for IPv4 is tiny, because there's a transition device nearer almost all remaining IPv4 users and that's turning their traffic into IPv6 for the long haul anyway.
At that point if you're a backbone provider, IPv4 is a sizeable cost (the routing tables for it are horrendous) for negligible benefit (hardly any of your traffic) and its future only looks more dismal. So you start deprecating this service for your customers, and they don't bother to buy a replacement because they have a transition device to help any residual IPv4 users.
And so one day, without a fanfare, there just isn't really an IPv4 Internet any more, and the RIRs will just deprecate their management of the numbering for that network because it's obsolete.
Ideally this is an obscure nerd event, like a leap second, which your friends at first don't understand, and then when you explain it they realise it's boring and they don't care.
I hope to live to see it.
This is mostly impossible, because an IPv4 packet doesn't have room for an IPv6 destination. The opposite direction (NAT64) is common, but that's for IPv6 clients talking to IPv4 servers.
This doesn't work great, it breaks protocols which assume they're transparent (e.g. some FTP modes), it is slower and clunkier than "just" having IPv4 as we do today, and as I said it isn't viable with huge numbers of users (you run out of address space) but it's good enough that a lot of common application software remains usable this way.
This is about the gentle slope down, so it doesn't need to be perfect or even have the potential to be perfect, it just needs to work well enough to reduce the amount of tech support phone calls.
Think of it like the way pulse dialling was deprecated. Nobody needed to figure out a way to have pulse dialling be as good as tone dialling, let alone a truly out-of-band system (as is used by your mobile phone, and most other modern systems), they just needed to minimise the situation where lots of customers discover that they were using pulse dialling only because now it doesn't work.
Recent developments like DNS over HTTPS make it even less viable.
Like DNSSEC, this is only good for megacorps and nation-states. If anything it will expose human people to more abuse and exploitation.
A lot of threads about rising use of encryption seem to have this fear - that it will be used against us at some point, and I'd really like to understand where this fear comes from.
Even taking a recent example of Parler; as far as I know it had HTTPS support and the corresponding X.509 cert was never revoked - instead hosting and I think the domain was terminated.
At least with the way things are now there's no ground truth. Every AS has its own perception of the routing table and the ability to act on it. That's the way it should be. Securing BGP means less security because there is no global consensus even implied in the protocol. Securing BGP means centralizing BGP, not security.
But Gaddafi was already in control of all Libyan ISPs and the .ly ccTLD. Why would DNSSEC have made his job any easier?
Also, surely Facebook was more instrumental in the Arab Spring than bit.ly was. If anything, the lack of DNSSEC made it easier for Gaddafi to spoof DNS results for facebook.com and other sites.
At first I thought it was just an extended bit, like the whole Cody Johnston "teleporting boars" thing.
But I don't think it can be, I think you're serious and er, that's not great basically. Maybe take a few minutes to think about it more clearly, discuss it with somebody you trust, and see if you can't figure out where you went wrong.
I would also point out that the big authorities handing out the certification for this can also just revoke your IP block instead. You could still announce the block, but since you're no longer in legitimate ownership of the IP block, it's likely that you'll quickly be blocked from announcing it.
This is such a naive way of looking at things. First a trap is built. Then you wait. Years. Only when the trap is filled to the brim does it snap shut. Many examples of that pattern.
If you think Amazon did the right thing, then you would probably want them to be able to refuse routes from networks that are too dangerous.
If you think Amazon did the wrong thing, then you may be afraid that this gives them even more power to de-platform.
Either way, this seems relevant to me. Thanks OP for asking the question.
That said, votes usually come in waves. It'll end up where it needs to.