Summary
- A global number-resource transfer ledger should maintain one conflict-free history of recognized changes across regions. Global uniqueness is the shared invariant; a global commercial approval authority is not.
- Number Resource Society can define a minimal common data protocol and conformance tests while allowing multiple record-service providers to compete. Parties should be able to choose and replace a provider without changing the underlying resource claim.
- Every accepted change should produce a verifiable receipt containing the prior state, new state, prefix, event type, effective time, authorizing signatures, service provider and a commitment to the evidence reviewed. The receipt proves what was recorded, not the fairness of price or the wisdom of purpose.
- Commercial terms should remain off the public ledger. Price, payment schedule, financing, customer plans, lease terms and confidential corporate documents can be exchanged privately, with only the minimum proof of authorization and integrity retained.
- Portability has two forms: a resource may be transferred to a new holder, and an existing holder may move record service without transferring the resource. The second form is the structural safeguard against an incumbent's failure or lock-in.
- No single provider, NRS committee, RIR, IANA function or auditor should control market entry, set price, approve business use or block a valid change because it dislikes the transaction. Deterministic uniqueness and authorization checks are legitimate; commercial judgment belongs elsewhere.
- The model does not require a cryptocurrency, token, public exposure of contracts or one universal computing network. Signed canonical records, independent replicas, witnessed checkpoints, inclusion proofs and open retrieval are enough to make alterations detectable and continuity practical.
One global fact does not require one global ruler
An IPv4 block cannot be recognized as exclusively held by two unrelated parties at the same time. That is the hard global problem. A transfer between regions changes a fact on which networks, security systems, counterparties and future buyers rely. If two registries publish conflicting answers, the damage is not merely administrative. The resource becomes harder to route, finance, lease, insure, secure and transfer again.
The traditional answer has been hierarchical. IANA maintains the top of the allocation hierarchy; five Regional Internet Registries maintain records within continent-sized service regions; Local Internet Registries and customers operate below them. RFC 7020 describes this structure and identifies registration accuracy and uniqueness as core requirements.
That history does not prove that every future transfer must pass through one regional institution's commercial judgment. It proves that the system needs a reliable answer about recognized registration. The distinction matters because scarcity transformed IPv4 transfers into capital transactions. A recordkeeper can now delay or deny a deal whose price, financing and operating purpose it did not create.
The false choice is between regional fragmentation and a world registrar with sovereign discretion. Fragmentation produces conflicting records, incompatible paths and weak portability. A world registrar may solve consistency by concentrating every failure, political pressure and policy expansion in one place.
Number Resource Society offers a third architecture. The global layer can be a common record protocol rather than a supreme institution. Multiple providers can validate the same narrow invariants, issue interoperable receipts and replicate accepted changes. Holders can move service. Auditors can detect inconsistent histories. Commercial parties can keep their bargain private.
This is not governance by absence. The rules for uniqueness, authorization, conflict, signatures, timing, correction and continuity must be precise. The restraint lies in what those rules do not cover. They do not decide who deserves to buy, how much the addresses should cost, which country should benefit or whether a company's network plan is socially approved.
One global fact requires one compatible truth. It does not require one global ruler.
The current system already shares data but not finality
The RIR system is less isolated than its regional labels suggest. RIRs exchange statistics, coordinate inter-RIR cases, publish common transfer logs and support global registration discovery. A transfer that crosses regions already depends on cooperation.
The NRO transfer-log format is an important precedent. It defines a common JSON format for intra-RIR and inter-RIR transfer records and expects each RIR to publish a cumulative log. This shows that institutions can agree on a shared representation of transfer events without surrendering all operations to one office.
RDAP supplies another precedent. RFC 7480, RFC 9082 and related standards allow clients to query registration information through a common protocol. RFC 7484 provides bootstrap registries that help a client find the authoritative service for an address scope. Global discovery and regional service coexist.
What remains weak is transfer finality across institutional boundaries. A common public log is published after each institution's own process. It does not by itself provide the parties with a jointly signed receipt showing the exact prior state, accepted transition, evidence commitment and effective time. It does not let a holder move the record to another qualified provider if the incumbent fails. It does not prevent a region from making recognition conditional on discretionary commercial criteria.
Inter-RIR transfers therefore behave like bilateral diplomatic projects. Source and recipient institutions check different conditions, coordinate timing and update separate systems. If rules are incompatible, the path can close. If one institution is slow or disputed, the other cannot independently complete a globally recognized change.
The limitation is structural rather than a criticism of individual staff. Two organizations maintaining separate authoritative histories cannot create atomic finality merely by emailing each other. A shared publication format helps observers after the fact; it does not give parties a portable proof that every compatible provider must recognize.
NRS should retain what already works-common data, authoritative discovery, operational expertise-and add the missing layer: a verifiable, portable change record whose validity does not depend on commercial approval from one geographic monopoly.
The thin ledger has one constitutional job
The global ledger should answer a narrow question: has the recognized registration state for this resource changed through a valid, non-conflicting, authorized event?
That question contains several necessary checks. The resource must exist within the recognized number space. The stated prior record must be current. The source must possess the authority required to initiate the change. The recipient must be identified sufficiently to receive the record. The event cannot create overlapping exclusive claims. Required signatures must verify. The event must follow the common transition rules. Any active dispute or court restriction must be represented according to a declared status process.
Everything else begins outside the common layer. The ledger need not know the negotiated price. It need not approve the buyer's projected utilization. It need not decide whether leasing is moral. It need not determine tax treatment, accounting classification, competition policy or national-security clearance. Those questions may matter under contract or law, but they do not become global uniqueness invariants merely because addresses are scarce.
The common job can be expressed as four invariants.
Uniqueness: within one compatibility set, no two current exclusive registration claims overlap.
Continuity: every current claim derives from a valid prior state or a declared initial state, and history cannot be silently rewritten.
Authorization: each change carries verifiable approval from the roles required by the event type.
Portability: a holder can change record-service provider without changing the resource claim or losing access to its history.
Security and availability support all four. Key compromise, replay, provider failure and split views must be detectable and recoverable. Yet the security rules remain attached to the record function. They cannot be stretched into power over commercial purpose.
This narrowness is the source of legitimacy. Every provider can explain why it rejected a malformed or conflicting event by pointing to a deterministic rule. It cannot reject an otherwise valid transfer because staff dislike the price, buyer, industry or deployment plan.
NRS should publish the invariants, examples and conformance tests. It should not publish a list of worthy uses for IPv4.
Roles must be separated before software is written
Many institutional failures begin with role compression. The organization that stores a record becomes the organization that interprets rights, investigates disputes, enforces policy and speaks for the market. A global ledger will repeat that failure unless responsibilities are separated in advance.
The protocol steward maintains the minimum public specification and conformance suite. NRS can perform this role initially, but the documents and tests must be open, versioned and implementable without a private licence. Stewardship is not approval of individual transfers.
The record-service provider receives proposed changes, verifies the common rules, signs receipts, publishes the permitted event data and serves current records. Several independent providers should be able to perform this function.
The holder controls the recognized registration claim and chooses a provider. The holder authorizes transfers, service moves, operator contacts and security changes according to its internal authority.
The recipient accepts a transfer and identifies the provider that will serve the new record. It may use the same provider as the source or a different one.
The witness or monitor observes signed checkpoints, verifies append-only history and exposes conflicting views. It does not decide whether a transaction is commercially acceptable.
The auditor tests providers against the protocol, security controls, continuity obligations and service metrics. It cannot sell approval priority or substitute its judgment for a valid event.
The adjudicator resolves genuinely contested authority under an agreed legal or arbitral process. It is independent from the provider that recorded or rejected the event. During a dispute, the ledger preserves the last verified operational state while blocking conflicting mutations where necessary.
The network operator decides routing, security policy, reverse DNS, customer assignment and deployment. It may be the holder, recipient, lessee or a separate authorized operator.
The separation prevents a monitor from becoming a regulator, a provider from becoming a court and NRS from becoming a world ministry of address transactions. The architecture should assume that every role will eventually be occupied by a fallible institution. No role receives more power than its function needs.
The common data protocol must be boring and exact
Interoperability depends on unglamorous details. Every implementation must construct the same meaning from the same transfer event. Signatures must remain verifiable after records move between providers. A party should not lose history because one service encoded a date or organization identifier differently.
The event record should include a protocol version, event identifier, resource range, prefix length, event type, prior-state digest, proposed new state, source-holder identifier, recipient identifier, provider identifiers, effective time, sequence number, authorization signatures, evidence commitment, dispute status and correction reference where applicable.
Fields should distinguish a transfer of the resource claim from a provider move, corporate succession, temporary operating delegation, contact update, security-authority change and correction. If every change is called "transfer," the ledger will confuse commercial events with maintenance.
Canonical representation is essential because cryptographic signatures fail when equivalent records serialize differently. RFC 8785 supplies one useful method for creating an invariant JSON representation for hashing and signing. NRS need not mandate that exact choice forever, but the initial protocol must choose one deterministic method and provide test vectors.
Identifiers require equal care. Company names change, collide and use several scripts. The public record can display names while signatures rely on stable identifiers tied to verified legal or contractual authority. Provider identifiers and keys must rotate without breaking old receipts.
Time should be represented consistently in UTC, but the event must not rely on one wall clock for ordering. A sequence linked to the prior state provides the decisive order for a resource. Signed provider time and witness checkpoints supply audit evidence.
Extensions should be namespaced and non-critical by default. A provider may add market analysis, multilingual display, local compliance records or customer services without making them global conditions. A new critical field should require broad implementation and a migration plan because it changes which events remain compatible.
The protocol succeeds when two independent teams can process the same event, produce the same validity result and verify each other's receipt. Elegance is secondary to determinism.
A change receipt is the unit of trust
The party to a completed transfer should not leave with only an email saying that the record was updated. It should receive a portable, verifiable change receipt.
The receipt binds the transition. It identifies the exact resource, prior state, new holder, event type, effective sequence, provider, accepted signatures and a cryptographic commitment to the evidence reviewed. It includes or references proof that the event entered the provider's published history. A second provider can verify it without calling the first provider's account manager.
The receipt serves several audiences. The seller can prove that it no longer holds the recognized claim after the effective event. The buyer can show the chain of recorded custody in a later sale or financing. A lender can verify that the borrower received the stated block. An operator can distinguish a transfer from a fraudulent contact change. An auditor can reconcile current state with history.
The receipt must remain narrow. It proves that the provider accepted a stated transition under a stated protocol version. It does not prove that payment cleared unless a separate settlement attestation is attached. It does not prove legal title against every possible claimant. It does not certify a fair price or efficient use.
Corrections should create new receipts rather than overwrite old ones. If a provider misspells a name, records the wrong country display or later applies an adjudicated reversal, the chain must show both the original event and correction. Silent edits destroy reliance.
Receipts should be independently verifiable offline for a reasonable period. A holder facing provider failure must not depend on the failed provider's live portal. Public keys, revocation history, protocol versions and checkpoint proofs therefore need durable archives.
The receipt changes institutional bargaining. Today a holder can be locked into correspondence and private account state. With a portable receipt, the holder carries the decisive record of what the service did. The provider remains important, but it no longer owns the evidence of its own action.
Verifiability does not require cryptocurrency
The phrase "global ledger" invites an immediate technology pitch: a token, a public chain, mining, speculative incentives and claims that code will eliminate institutions. None is necessary for the problem at hand.
Number-resource registration has known entities, structured events and an existing hierarchy of records. The requirement is to make accepted changes portable, consistent and resistant to hidden rewriting. Ordinary digital signatures, canonical records, replicated storage and transparent checkpoints can do that.
RFC 9162, which defines Certificate Transparency version 2.0, provides a relevant design pattern without being a number-resource registry. Its append-only Merkle tree supports inclusion proofs and consistency proofs. Monitors can detect a log that presents inconsistent histories or fails to incorporate promised entries. The lesson is not to copy certificate policy. It is that a record service can issue a signed promise and later prove that the event was included in a history consistent with earlier checkpoints.
A transfer ledger can use similar techniques. Each provider publishes signed checkpoints. Independent witnesses retain them and compare views. A receipt includes an inclusion proof or a promise that must become provable within a declared maximum delay. Providers cross-witness one another's checkpoints. Conflicting signed views become evidence of misbehavior.
The record itself can remain in a conventional replicated service. There is no need to broadcast commercial documents to every entity. There is no need for a scarce token. There is no need to tie finality to the energy, fees or politics of an unrelated public network.
Even a transparency tree is optional if another open method provides equivalent detection and recovery. The architectural requirements matter more than branding: deterministic validation, signed events, append-only history, independent observation, portable receipts and recoverable replicas.
NRS should say this plainly because technology theatre can undermine institutional legitimacy. Operators need predictable transfer finality, not a new asset sold on top of the asset they already bought.
Commercial terms belong in the bargain, not the public ledger
A transfer record needs enough information to preserve uniqueness and verify authority. It does not need the full purchase agreement.
Price, payment schedule, escrow conditions, broker commission, financing, tax allocation, customer plans, business forecasts, warranties and indemnities are commercially sensitive. Public exposure would deter participation, reveal strategy and create security risks. A global ledger should not make confidentiality the price of recognition.
The evidence model should have three layers. The public event contains the minimum fields needed to identify the resource, current holder or protected holder reference, event type, time, provider, status and receipt verification material. The party evidence contains contracts, corporate authority and settlement documents shared among authorized entities. The evidence commitment is a hash or signed manifest binding the private material reviewed to the public receipt without revealing its contents.
A commitment proves integrity only. It does not prove that a hidden document was legally sufficient. The provider should therefore sign a specific statement about what it verified: for example, that the source authority and recipient acceptance met the common rule. It should not imply that it audited every warranty in the purchase agreement.
Selective disclosure can support later disputes. A party may reveal one document and prove that it matches the earlier commitment without disclosing the rest. An adjudicator can inspect protected evidence under appropriate confidentiality.
Data minimization also protects people. Public contact records should identify operational roles without publishing unnecessary personal details. Stable organizational identifiers can coexist with role-based published contact points. Audit access should be logged.
NRS must resist pressure to collect price "for transparency" as a condition of recognition. Aggregated voluntary price research can improve markets, but it is a separate service. The ledger's legitimacy depends on not turning necessary registration into compulsory commercial surveillance.
The transaction can be globally verifiable in its recorded effect while remaining private in its economic content. That boundary is a design feature, not a compromise.
Provider portability is different from resource transfer
Portability is often described as moving a resource between regional registries. That is one important case, but the ledger needs a more precise distinction.
A resource transfer changes the recognized holder. It requires source authorization, recipient acceptance, conflict checks and a new state receipt.
A provider move leaves the holder and resource unchanged while changing which record-service provider serves the account and publishes future events. It is closer to moving custody or account service than selling the asset. No buyer or seller exists.
Without provider moves, competition is fictional. A holder may dislike fees, service, governance, security or legal exposure and still be unable to leave. The incumbent can then attach unrelated conditions to every change because the holder has no alternative path.
The provider-move event should be simple. The current holder authenticates, selects a new conforming provider, presents the latest receipt chain and authorizes the handoff. The new provider verifies history against witnessed checkpoints, accepts service and issues a provider-move receipt. The old provider may entity only on deterministic grounds such as a conflicting current state, invalid signature or active adjudicated restriction.
The move must preserve RPKI, reverse DNS, RDAP and contact continuity. That may require staged overlap and delegated service rather than an abrupt switch. The record protocol should define transition windows, key handoff and rollback conditions. Portability that breaks routing security is not real portability.
The incumbent must supply a complete machine-readable history and current state. It may charge a published cost-based service fee, but it cannot withhold the record to collect unrelated debt or demand acceptance of new commercial rules. Disputed fees can be handled separately.
Provider portability creates accountability without a global regulator. If one service becomes slow, expensive or politically aggressive, holders can leave. If many leave, the provider receives an unmistakable market signal. Exit becomes a practical discipline rather than a conference slogan.
No provider should have a commercial approval monopoly
Competition among record providers is meaningful only if valid events are portable across them. A provider that can reject a transfer because it dislikes the buyer's business model still controls the market, even if several firms display the same public data.
The common rules should permit rejection for objective defects: the prefix does not match current state; a signature is invalid; the source lacks required authority; the recipient acceptance is missing; the event overlaps another current claim; the receipt chain is broken; a declared dispute restriction applies; or the request is a replay.
The rules should not permit rejection because the provider thinks the price is too high, the buyer already owns too much, the projected use is unconvincing, the addresses may be leased, the customer base lies outside a region or the industry is unpopular. Those are commercial or public-law questions, not record-integrity defects.
Providers can offer optional diligence. One may verify beneficial control, sanctions exposure, reputation, financing or operational readiness for parties that want the service. Another may specialize in rapid corporate succession. A third may bundle RPKI and reverse-DNS support. Optional products can compete on price and quality.
Optional must mean optional. A premium diligence certificate cannot become a hidden condition recognized by every provider. A provider may decline a private customer relationship under applicable law, but the architecture must give the holder another conforming route where lawful. The provider's local restriction must not rewrite global resource history.
NRS itself must not become the final approval desk. Its conformance program should test implementations, not bless transactions. Its committees should not hear appeals about whether a buyer "needs" a /16. Its membership should not vote on prices or commercial purposes.
Institutional legitimacy comes from refusing power that the technical function does not require. The moment NRS can decide who may trade for economic reasons, the global ledger has become the global gatekeeper it was designed to avoid.
Identity and authority need rigor without one identity monopoly
Transfers cannot be secure if anyone can sign as the holder. The ledger therefore needs strong identity and authority checks. Decentralization does not mean anonymity at the point of changing a scarce resource record.
The difficult question is who can attest identity. If one global identity service is mandatory, the gatekeeper returns through a different door. If every provider accepts anything, fraud becomes easy.
A plural model can define trust requirements rather than one issuer. A legal entity may present corporate-registry evidence, existing account credentials, notarized authority, regulated digital identity or another credential accepted under the common assurance level. Providers publish which credential paths they support. High-value changes can require two independent forms of authority.
The source signature should come from a role authorized to dispose of the resource claim. The recipient signature should come from a role authorized to accept it. A broker or lawyer may submit documents but cannot silently substitute for the principal. Delegations must be explicit, scoped and time-limited.
Corporate succession needs dedicated events. Mergers, reorganizations, insolvency and court orders can change authority without an ordinary sale. The protocol should record the legal basis category and supporting commitment while protecting confidential documents. It should not pretend that every case can be reduced to two account passwords.
Key management is equally important. Organizations change staff. Hardware keys fail. A recovery process needs delay, multi-party authorization and notice to existing contacts. Emergency recovery must not become an easy route for provider staff to seize a record.
Beneficial-control evidence can help detect a party transferring to itself through shells or evading holding rules where such rules lawfully apply. It should remain protected and purpose-limited. The global public event does not need a map of every shareholder.
The test is assurance with replaceability. Several independent providers and credential issuers should be able to reach the same conclusion about authority. No identity vendor should be able to strand an otherwise verifiable holder.
Finality should be deterministic, fast and reversible only by a new event
Parties need to know when the transfer is done. A vague period in which two institutions may still reinterpret the case raises settlement risk.
The ledger can define finality as the moment a valid change event is accepted against the current state, signed by the required parties and provider, assigned the next resource sequence, and accompanied by a verifiable receipt. Witness inclusion may follow within a short maximum delay, but the provider is already bound by its signed promise.
Before finality, the resource can enter a brief transaction lock that prevents conflicting changes while preserving ordinary operation. The lock must expire automatically if the event is not completed. A provider cannot leave a prefix immobilized indefinitely because a buyer failed to answer.
After finality, the prior state is history. A complaint does not delete the event. If fraud or error is later established, the remedy is a signed reversal or corrective event referencing the original receipt. That preserves reliance and allows everyone to understand what changed.
Reversal must be exceptional and procedurally clear. A provider should not unilaterally undo a completed transfer merely because staff reconsider a commercial fact. The common rules can permit correction of obvious clerical defects and execution of an independent decision. Material disputes go to the designated adjudicator.
Operational services need coordinated finality. The record change may be final while RPKI and reverse-DNS transitions remain in a bounded handover window. The receipt should state the service transition status separately. A delayed name-server change does not make the holder transfer provisional.
Atomic settlement of payment and registration may be desirable but cannot be assumed. Escrow can release funds when it verifies the final receipt. The ledger should expose a reliable event for that purpose without holding money or dictating payment terms.
The result is a clean division: parties bargain and settle privately; the record service validates the narrow transition; the receipt gives escrow, lenders and operators an objective completion signal.
Disputes should freeze conflicting changes, not running networks
A global ledger will encounter fraud allegations, inheritance claims, insolvency orders, forged signatures and corporate disputes. Pretending that deterministic validation eliminates law would be reckless.
The architecture should isolate disputes. When a credible restriction is entered through the defined process, the ledger marks the claim as disputed and blocks incompatible mutations. It preserves the last verified operational state, including RDAP publication, reverse DNS and routing-security continuity where safe.
The provider that first receives the complaint should not become judge. It verifies whether the complaint qualifies for temporary status under objective criteria and forwards the merits to an independent adjudicator chosen under the service agreement or applicable law. Emergency measures expire unless confirmed.
The public record can disclose that a dispute exists, the affected range, status and decision reference without publishing pleadings or private allegations. Parties receive complete notice and a way to respond. Time limits prevent a strategic complaint from immobilizing a resource indefinitely.
If the adjudicator orders a change, the ledger creates a new event. The order or protected commitment is referenced, and the receipt identifies the authority executed. History remains intact.
The revocation firewall is crucial. A dispute about payment, contract interpretation or corporate control should not be converted casually into route invalidation. RPKI changes can affect global reachability. The default should preserve the last verified authorization until an independent decision or a clearly necessary security response supports alteration.
This approach does not guarantee that every court will agree. Providers operate under law. It does make institutional behavior legible: who imposed the restriction, under what authority, for how long, with what review and what effect.
A gatekeeper resolves uncertainty by controlling everything. A legitimate ledger resolves uncertainty by preserving evidence, limiting interim harm and sending contested merits to the proper forum.
RPKI and reverse DNS need service continuity, not ownership claims
The transfer ledger cannot stop at a name change. Operators rely on security and delegation services linked to the registered resource. A portable record that breaks RPKI or reverse DNS would create formal freedom and practical captivity.
RPKI requires careful transition because certificates, repositories, manifests, revocation information and ROAs form a chain. RFC 6480 explains that a ROA authorizes an origin AS for a prefix. A transfer may require the old authority to withdraw or expire and the new holder to publish replacements without creating an avoidable invalid window.
The protocol should support make-before-break where safe: the new holder prepares authorizations, the transfer reaches finality, and service authority changes within a defined overlap. The receipt records old and new key references and transition status. Local routing decisions remain with networks, as RFC 6811 makes clear.
Reverse DNS has similar continuity requirements. Parent delegation must move without forcing every PTR record to disappear. Classless delegation can involve boundaries described in RFC 2317. A provider move should preserve the holder's chosen name servers wherever possible rather than treating its own DNS platform as mandatory.
RDAP publication should follow the new provider through common discovery. Existing clients need redirects or bootstrap updates. A transition period can serve signed responses from both providers, with one marked current.
These services should be modular. A holder may use one provider for the transfer record, another qualified operator for RPKI, and its own reverse-DNS service. The record identifies authorized service endpoints without bundling all functions into an unavoidable package.
Unbundling limits damage. A DNS outage need not prevent a transfer. A dispute over optional analytics need not affect RPKI. A record provider cannot threaten routing security to collect an unrelated fee.
Continuity is what makes portability believable. The holder must be able to leave an institution without asking customers to survive a self-inflicted outage.
Split views are the central technical danger
A multiple-provider ledger faces a hard problem: two providers may accept conflicting changes from the same prior state. Network partitions, malicious staff, compromised keys or simple races can produce a fork.
The protocol must treat resource sequence as exclusive. A change names the prior-state digest and next sequence. Providers check a shared set of recent checkpoints before acceptance. A short transaction lock or quorum of independent witnesses can reduce races for high-value events.
No mechanism eliminates every partition. The important requirement is rapid detection and deterministic recovery. Providers publish signed checkpoints frequently. Witnesses compare them. A provider that signs two conflicting successors creates cryptographic evidence of equivocation. Clients reject histories that cannot prove consistency with accepted checkpoints.
RFC 9162's consistency-proof model is useful here, but a transfer ledger has an additional state constraint: overlapping prefixes cannot diverge independently. A change to a /16 affects every contained /24. Validation must check the interval tree of current claims, not only an event list.
Recovery rules should prefer the earliest valid event incorporated into the agreed witness set, subject to independent adjudication where fraud is alleged. The losing fork remains archived as evidence and cannot silently reappear. Operational services should stay on the last non-conflicting state during recovery.
Witness diversity matters. If every witness is controlled by NRS or one vendor, the architecture is centralized in practice. RIRs, operators, universities, auditors, governments and commercial providers can run independent monitors. No witness should gain unilateral veto; their job is to expose inconsistency.
Clients also need safe degradation. If checkpoints cannot be reconciled, they should refuse new conflicting mutations while continuing to serve the last verified state. Availability for changes may pause; running networks should not be withdrawn.
The system earns trust not by claiming that forks are impossible, but by making them detectable, bounded and survivable.
Protocol change must not recreate the gatekeeper
An initially thin ledger can grow into a thick institution through updates. A committee adds a mandatory beneficial-use field. Another update requires price disclosure. A later version excludes unpopular industries. Soon the common protocol carries the commercial controls that the first version rejected.
The answer is a minimum initial specification and disciplined change. Lu Heng's Minimum Initial Specification, Localized Future Decision, and Voluntary Adoption argues that the common layer should contain only deterministic rules required for uniqueness, interoperability, shared safety and security. Later choices should be adopted through implementation rather than imposed by a continuing authority.
Applied here, a protocol change is globally critical only if old and new providers cannot preserve uniqueness or verify transitions without it. New display fields, analytics, diligence services and local legal checks can remain optional extensions. They do not need to split the core compatibility set.
NRS can publish proposals, reference implementations and tests. Providers and holders decide whether to adopt optional capabilities. A genuinely necessary security change needs a migration period, backward-compatibility plan and clear evidence of the threat.
The change process should disclose authorship, funding, implementation status and affected parties. A provider that benefits commercially from a mandatory field must declare that interest. No vote count alone should convert a preference into a global invariant.
Forking cannot be treated casually because conflicting uniqueness rules would be dangerous. That is precisely why the initial common layer must remain small. The fewer questions it answers, the fewer future political disputes threaten compatibility.
NRS's legitimacy will be tested most severely when it wants to add a rule that many providers reject. The correct response may be to leave the feature outside the common layer. Restraint during disagreement is not weakness. It is the protection against becoming the institution the architecture was meant to replace.
Existing RIRs can compete inside the model
A global ledger does not require the five RIRs to disappear. They possess experienced staff, historical records, operational systems and relationships with holders. They can become high-quality record-service providers if they accept common receipts and portability.
An RIR could continue serving members in its familiar region, provide RDAP, RPKI, reverse DNS, support and policy advice, and charge for those services. Its expertise may make it the preferred provider. Preference earned through service is different from exclusivity enforced through geography.
The transition begins with common event receipts. Each RIR can sign transfers in the shared format and publish witnessed checkpoints. Inter-RIR cases then become one atomic change acknowledged by both providers rather than two loosely synchronized updates.
Next comes provider portability. A holder can move service to another RIR or a new qualified provider while retaining the same claim and history. The former provider remains in the receipt chain and continues to be verifiable.
IANA's role can remain at the top of the number space, maintaining global allocation boundaries and bootstrap information. It need not approve each downstream commercial transfer. The ledger provides a verifiable view of current sub-allocation state without converting IANA into a world transaction desk.
RIR policies that concern optional services can remain regional or contractual. Policies that alter the common validity of a transfer would need to fit the shared invariants. A region can advise members against a transaction. It cannot make the rest of the world recognize two conflicting holders.
Some incumbents may reject portability because it changes their revenue and authority. That is not a technical objection. The pilot should measure whether service continuity and uniqueness can be preserved. If they can, exclusivity becomes a governance choice that must be defended openly.
The model gives RIRs a positive future: trusted providers in a competitive, interoperable system. It asks them to become replaceable, not irrelevant.
NRS must be constrained by its own design
It is easy to demand limits on incumbents and forget to limit the challenger. NRS will have legitimacy only if it can be replaced too.
The protocol text, test suite, public keys, receipt formats and reference code must be openly available. An independent provider should be able to implement the service without joining NRS as a commercial member or purchasing permission.
NRS can certify conformance, but certification cannot be the sole route to interoperability. Providers should be able to demonstrate compatibility through transparent tests and independent audit. Competing certification bodies should be possible.
NRS should not hold the only root key. A multi-party trust arrangement, transparent key changes and provider-specific signatures reduce single-point control. Emergency authority must be bounded, time-limited and publicly auditable.
The society should not receive a percentage of transfer value. Value-based fees create an incentive to expand control over the bargain. Funding should relate to protocol maintenance, testing, public monitoring and continuity. Commercial service providers can price their own optional products competitively.
Governance records should disclose decisions, conflicts and finances. Yet transparency alone is not enough. Structural exit matters more. If NRS fails, providers must retain the protocol, records and ability to interoperate. A successor steward can maintain the public specification.
The NRS explanation of its purpose describes a global nonprofit membership organization concerned with number-resource interests. That public identity can support convening and advocacy. It does not confer authority over every holder. The technical model must stand on verifiable rules, not organizational self-description.
NRS should publish a standing non-goal list: no price setting, no commercial-purpose approval, no compulsory contract disclosure, no exclusive identity issuer, no single provider, no routing command and no confiscation through service suspension. The list should be enforceable through architecture, not merely promised.
A challenger that makes itself indispensable by preventing exit has reproduced the incumbent problem. The best evidence that NRS is different will be a system that survives NRS.
Price formation remains outside the ledger
IPv4 prices arise from scarcity, block size, reputation, fragmentation, region, timing, financing, buyer need, seller urgency and bargaining. A global transfer ledger can improve the evidence around those transactions. It should not become an exchange-rate board for addresses.
Better records can reduce uncertainty. A buyer can verify custody history, dispute status, prior transfers and provider continuity. A seller can prove current recognized control. Escrow can rely on a final receipt. Lenders can inspect an unbroken chain. These improvements may narrow risk discounts and support more comparable prices.
That effect is different from controlling price. NRS should not publish an official "fair value" that contracts must follow. It should not refuse a change because the price differs from a benchmark. It should not tax the transaction as a percentage of value.
Voluntary research can aggregate prices under confidentiality. Brokers and parties can contribute data to independent analysts. The results should disclose coverage and conflicts. None should be a condition for recognition.
The same boundary applies to concentration. A public ledger can support analysis of holdings and transfers, subject to privacy and entity-resolution limits. Competition authorities may use lawful evidence. The record provider does not become a global antitrust agency.
Market manipulation, fraud and money laundering are real legal concerns. Applicable authorities and regulated intermediaries may impose obligations. The global record can preserve relevant orders and evidence references. It should not invent worldwide commercial law through technical conformance.
The ledger's economic contribution is lower transaction risk, not administrative pricing. By making record finality portable and verifiable, it allows parties to bargain with better information. It does not bargain for them.
Commercial purpose remains with operators and lawful authorities
A buyer may acquire IPv4 for an access network, cloud platform, hosting service, enterprise migration, security product, reserve, lease portfolio or future project. Some uses may be regulated in a jurisdiction. Some may be commercially poor. The global ledger is not competent to decide among them.
Purpose review creates three problems. First, the provider receives confidential business plans that it does not need for uniqueness. Second, staff judgment becomes a hidden capital-allocation decision. Third, providers apply different standards, closing cross-region paths.
Objective authority review is different. The provider must know that the source can authorize the change and the recipient can accept it. It may need a lawful identity and service contact. Those checks protect the record.
The recipient's deployment plan does not protect the record. A plan can fail after approval or succeed after skepticism. Markets and management bear that risk. Routing remains an operational decision outside the registry function, consistent with RFC 7020.
Where public law prohibits a transaction, a provider must comply with binding obligations. The event record should distinguish a legal restriction from a discretionary policy denial. It should identify jurisdiction, issuing authority, scope and review path where disclosure is lawful. Another provider cannot lawfully ignore a universally applicable order, but it also should not inherit an institution's unsupported preference.
NRS should not convert political pressure into a global commercial-purpose rule. Different countries will disagree about industries, ownership and capital. The common layer can survive that disagreement only by remaining attached to globally necessary technical facts.
The phrase "without a global gatekeeper" therefore has practical content. It means no standing institution can make its approval of business purpose a prerequisite for a unique, verifiable registration change. Law continues to exist. Commercial risk continues to exist. The ledger simply refuses to impersonate both.
A transfer event can be processed in ten visible steps
The architecture becomes concrete when followed through a normal case.
One: obtain current state. The source retrieves the latest resource record, receipt chain, provider checkpoint proof, dispute status and active service delegations.
Two: prepare private terms. Buyer and seller negotiate price, payment, warranties, timing and any escrow conditions outside the public ledger.
Three: identify parties. Each side proves organizational identity and signing authority to its chosen provider under a supported assurance path.
Four: construct the event. The proposal names the resource, exact prior-state digest, source, recipient, event type, chosen providers, intended effective window and evidence commitment.
Five: authorize. Source and recipient sign the canonical event. Delegated representatives attach scoped authority.
Six: check conflicts. Providers verify signatures, current sequence, overlapping resources, replay protection, dispute restrictions and protocol conformance. A brief lock prevents a concurrent successor.
Seven: accept and receipt. The responsible provider signs the next state and issues the change receipt. The counterpart provider verifies and acknowledges where two services are involved.
Eight: publish and witness. The minimum public event enters the append-only history. Independent witnesses receive a checkpoint, and the receipt gains an inclusion proof within the declared delay.
Nine: complete service handoff. RDAP, RPKI, reverse DNS and contacts move under stated transition windows. Their status appears separately from holder finality.
Ten: settle privately. Escrow or the parties act on the verified receipt according to their contract. The ledger never sees the price unless they voluntarily disclose it elsewhere.
Every rejection maps to a step and rule. Every delay has an owner. Every accepted event produces evidence the parties can carry away. The process does not ask a committee whether the buyer's purpose is desirable.
This visibility is itself a legitimacy reform. Power becomes a set of testable checks instead of an opaque institutional opinion.
Four cases show why the distinction matters
Consider a transfer from a Canadian holder to a Brazilian operator. The parties use different record providers. Both providers verify the same canonical event and current state. Once signed and accepted, one global receipt records the change. The providers do not need compatible theories of whether the Brazilian deployment is efficient. They need compatible proofs of authority and uniqueness.
Now consider a European holder dissatisfied with service but not selling anything. It moves its record from Provider A to Provider B. The holder, prefix and receipt chain stay the same. RDAP and security services transition under overlap. Provider A cannot relabel the move as a commercial transfer or demand a needs demonstration.
Third, consider a disputed insolvency. A trustee presents a court order while former directors entity. The provider marks a dispute and prevents conflicting transfers. It preserves existing routes and service state. An independent forum determines authority. The eventual correction or transfer is recorded as a new event with the decision reference. The provider does not destroy the resource while acting as judge.
Finally, consider a leased block. The registered holder remains unchanged while an operator role and RPKI origin authorization are updated. The public record can show an authorized operating contact without revealing rent or customers. When the lease ends, another operational event changes the role. No false holder transfer is created.
These cases differ legally and operationally. A thick gatekeeper tends to force them through one approval channel because it controls the account. A thin ledger uses distinct event types and preserves only the common facts.
The architecture becomes credible when ordinary edge cases remain ordinary. It should not require heroic intervention by NRS leaders. Good systems turn difficult power questions into bounded, reviewable state changes.
Failure scenarios should be designed before launch
The model must assume provider insolvency, key compromise, corrupted records, network partition, witness collusion, malicious insiders and protocol defects. A positive proposal that ignores failure would be another institutional promise.
If a provider goes offline, holders should present their latest receipts and witnessed history to another provider. Replicated public events and protected evidence escrow allow recovery. Service endpoints can fail over under pre-authorized continuity rules.
If a signing key is compromised, the provider publishes a signed revocation from an offline recovery authority, witnesses freeze new events from the compromised key, and a replacement key resumes from the last accepted checkpoint. Events during the uncertain window receive review; running state remains stable.
If a provider corrupts private evidence, the parties retain their documents and commitments. The public receipt shows what the provider claimed to verify. Liability and audit can follow without erasing the transfer chain.
If witnesses collude, diverse independent monitors and holder-retained checkpoints can expose conflicting history later. No single witness is sufficient for high-value events. Witness lists and thresholds should be public.
If the protocol contains a defect, providers can pause affected event types while continuing read service and unrelated changes. The protocol steward publishes a narrow fix and test vectors. Emergency powers expire.
If NRS itself fails, the published specification, tests, checkpoints and provider network continue. Another steward can maintain the common materials. Existing receipts do not depend on a live NRS server.
These responses share a principle: freeze the smallest affected mutation surface, preserve the last verified operational state and keep evidence portable. Do not "save" the ledger by disabling the networks that rely on it.
The pilot should prove interoperability, not announce a revolution
The first deployment should be small enough to audit and broad enough to expose institutional boundaries. A useful pilot could involve voluntary transfers among several providers, with at least two regions represented and no effect on existing recognition until both systems reconcile.
Phase one should replay historical public transfer events. Independent implementations ingest the same records, produce canonical forms and verify that they derive identical current state. Differences reveal naming, fragmentation and event-type problems before live use.
Phase two should issue shadow receipts for real transfers processed through existing channels. Parties compare the receipt time and state with current institutional results. The shadow system exercises signatures, privacy, checkpoints and service-transition fields without becoming the legal completion signal.
Phase three should permit voluntary provider moves for records whose incumbents agree, while maintaining mirrored RDAP and security services. This tests portability separately from sale.
Phase four can make the common receipt an accepted settlement signal among participating providers. Escrow, lenders and parties can rely on it contractually. The pilot publishes service metrics and failures.
Success should be measured by conformance, not slogans. Did independent implementations reach the same result? Could a holder leave a provider? Were split views detected? Did RPKI and reverse DNS remain coherent? Could a party verify a receipt offline? Were commercial terms kept private? Did any provider apply an unpublished condition?
The pilot should invite hostile testing. Researchers should attempt replays, overlapping transfers, stale signatures, provider equivocation, malformed ranges and privacy leakage. Results and fixes should be public.
No token sale, grand launch or claim of instant replacement is needed. Institutional legitimacy grows from boring evidence that the system works under failure and that no organizer can quietly expand its powers.
Metrics should expose both service quality and power creep
A global ledger needs public performance measures. Otherwise competition will be asserted without evidence.
Operational metrics include acceptance time, rejection reason, lock duration, receipt issuance, witness inclusion delay, provider-move completion, RDAP transition, RPKI handover, reverse-DNS continuity, correction rate, unresolved dispute age and recovery time after failure. Percentiles matter more than averages.
Interoperability metrics include conformance-test results, event agreement among implementations, receipt verification success, checkpoint consistency, replica freshness and successful history import by another provider.
Portability metrics include the number of provider moves, exit completion time, fees, failed moves and reasons. A provider with no exits may have excellent service or hidden lock-in; reason data clarifies.
Power-creep metrics are equally important. Count requests for fields not required by the common protocol. Publish how often providers seek commercial-purpose documents, price information or customer plans, and whether those requests were optional. Record emergency powers invoked and their expiry.
Privacy metrics should include public-field minimization, unauthorized access, evidence-retention compliance and the ability of parties to delete optional material while preserving the necessary receipt.
Audit results need context. A provider serving complex insolvency cases may have longer times than one serving simple transfers. Case type and dispute status should be separated. League tables without risk adjustment invite gaming.
NRS should publish its own metrics: change proposals, implementation adoption, funding sources, conflicts, certification revenue and requests to expand mandatory fields. The steward is part of the system and must be observable.
The most important indicator may be the simplest: can another conforming provider independently verify and continue every accepted record? If not, the ledger remains institution-dependent regardless of how distributed its marketing sounds.
Legitimacy comes from competence, restraint and exit
Institutions often seek legitimacy through broad representation: committees, public meetings, regional balance and consultation. Those can improve advice. They do not by themselves justify control over a global asset transfer.
A transfer ledger earns legitimacy differently.
It earns competence by preserving uniqueness, preventing conflicting changes, protecting keys, maintaining service continuity and issuing reliable receipts.
It earns restraint by refusing to control price, purpose, investment size, customer geography or political worthiness when those questions are not required for the record.
It earns exit by allowing holders to move providers and allowing the system to continue if NRS or an incumbent fails.
These properties are testable. A committee's claim to represent the Internet is not. Holders can verify receipts, compare providers and leave. Auditors can inspect checkpoints. Courts can identify which institution acted. Operators can continue routing through disputes.
The model also aligns authority with liability. A provider that signs a false receipt or serves conflicting histories leaves evidence of its act. Its contractual responsibility can be defined. It cannot hide behind an amorphous "community" when the signature is its own.
No architecture removes politics. Provider admission, protocol maintenance, identity assurance and dispute rules will be contested. The answer is to keep those disputes from expanding the global invariant. Many services can differ while one uniqueness rule remains shared.
NRS should present the ledger not as a perfect institution but as a deliberately limited one. Its strongest promise is not that good people will govern wisely. It is that no provider needs enough power to govern the market.
A global ledger can make regional competition real
Today regional service is largely assigned by history and geography. A holder cannot easily compare providers when moving service threatens recognition or operational continuity. That makes fees and governance weakly contestable.
Portable records change the market. Providers can compete on response time, multilingual support, security, dispute handling, RPKI tooling, reverse-DNS reliability, financing integrations and price. Specialized providers can serve high-volume operators, small networks, governments or insolvency cases, provided all implement the same core validity rules.
Competition also reveals cost. The shared protocol and public checkpoints are common goods. Account service, diligence and operational support are provider products. Separating them shows what holders pay for instead of bundling everything under an unavoidable membership.
Regional expertise can remain valuable. A provider familiar with corporate law in one jurisdiction may process authority evidence efficiently. Another may offer better support in a language or time zone. The ledger does not erase local knowledge; it prevents local knowledge from becoming global exclusivity.
Portability must avoid a race to the bottom. Providers cannot waive uniqueness, signatures or conflict checks. They compete above a common safety floor. Audits and witnessed history make cheating visible.
Nor should competition become fragmentation. Optional features can differ, but receipts and current state must remain interoperable. A provider cannot trap holders through proprietary event fields. The holder's complete record belongs with the holder.
This is the positive institutional case for NRS. It can turn "decentralization" from a slogan into a service market disciplined by common proofs and real exit. The outcome is not the absence of institutions. It is the presence of several institutions that remain useful because none can hold the record hostage.
The global gatekeeper is unnecessary by construction
The architecture can now be stated without metaphor.
There is one globally compatible history of current registration claims. Multiple providers serve that history. Every change references the prior state and carries required signatures. Accepted changes produce portable receipts. Providers publish witnessed checkpoints. Clients can detect forks. Resource transfers and provider moves are different events. RPKI, reverse DNS and RDAP transition without turning service continuity into institutional ownership.
Private contracts stay private. Price stays with the parties. Business purpose stays with operators and lawful authorities. NRS maintains the minimum protocol and tests, but another steward can replace it. RIRs can participate as providers. IANA can retain the top-level allocation and discovery role without approving downstream bargains.
The model is global where the fact must be global: uniqueness, continuity, authorization and verifiable change. It is plural where choice is possible: provider, commercial service, identity path, legal forum, analytics and operating model.
That division is more than technical neatness. It answers the legitimacy problem. A record service can justify checking a signature because every entity needs to know the change was authorized. It cannot justify demanding a twenty-four-month utilization forecast merely from the need for uniqueness. The first requirement follows from the shared fact. The second is a capital-allocation preference.
Number Resource Society should be judged against this boundary. If it builds a protocol that holders can verify, carry and leave, it creates infrastructure. If it makes its own approval necessary for price or purpose, it creates a throne.
The Internet needs the first. A scarce global resource deserves one reliable transfer history, but scarcity is not a mandate for one commercial sovereign. The ledger can be global precisely because the gatekeeper is absent by design.
Sources
- RFC 7020, The Internet Numbers Registry System - the current hierarchy, global uniqueness, registration accuracy and separation of routing decisions from the registry function.
- ARIN, NRO Transfer Log Format - an existing common representation for intra-RIR and inter-RIR transfer events.
- RFC 7480, HTTP Usage in RDAP, RFC 9082, RDAP Query Format, and RFC 7484, Finding the Authoritative RDAP Service - interoperable registration queries, structured responses and global discovery of authoritative services.
- RFC 8785, JSON Canonicalization Scheme - a concrete method for deterministic JSON representation before hashing and signing.
- RFC 9162, Certificate Transparency Version 2.0 - append-only log, signed promise, inclusion proof, consistency proof and monitor concepts used here as an architectural comparator rather than a number-resource policy.
- RFC 6480, An Infrastructure to Support Secure Internet Routing and RFC 6811, BGP Prefix Origin Validation - origin authorization, distributed validation state and the boundary between signed assertions and local routing decisions.
- RFC 2317, Classless IN-ADDR.ARPA Delegation - reverse-DNS delegation mechanics that a portable service handoff must preserve.
- Number Resource Society, Frequently Asked Questions - NRS's first-party description of its global nonprofit membership and advocacy role, treated as institutional self-description rather than proof of deployed ledger capability.
- Lu Heng, Minimum Initial Specification, Localized Future Decision, and Voluntary Adoption - the principle that a common coordination layer should contain only deterministic rules required for uniqueness, interoperability, safety and security.
- Lu Heng, The Registry Continuity Fallacy - the distinction between continuity of registration, RDAP, reverse DNS and RPKI functions and permanence of the incumbent institution.
- Lu Heng, On Why NRS Exists - NRS's portability, redundancy, exit and survivability argument, used here as a design claim that must be enforced by replaceable implementation.
- Lu Heng, On Portability of Number Resources and the ICP-2 Revision - the case for resource-provider exit as an accountability and continuity mechanism.

