Summary

  • Registration accuracy does not require a universal dossier on a number-resource holder. It requires an unambiguous resource, an accountable holder or delegated role, the basis and effective time of authority, a reachable role contact, and a preserved record of every consequential act.
  • A thin public ledger and a rich protected history should be designed as different layers. The first supports current operational use; the second preserves requests, approvals, evidence references and before-and-after state; public cryptographic commitments connect the two without exposing all underlying material.
  • Signed tree heads, inclusion proofs and consistency proofs offer a useful model for making deletion, reordering and equivocation detectable. They prove bounded facts about committed data, not that a holder was entitled to a resource or that an official applied policy correctly.
  • Role separation matters more than collecting extra biographical fields. The requester, verifier, approver, executor, signing-key custodian and auditor should not collapse into one privileged account, especially for transfers, suspensions, restorations and changes of control.
  • Holders need enforceable procedural rights: a signed receipt, advance notice where possible, preservation after a dispute, access to the evidence concerning their own record, a reasoned decision, independent review, correction and restoration. Public proof without a remedy would expose failure without curing it.
  • Corrections should append a new state and link it to the mistaken state. A registry that silently overwrites an error may improve today's display while destroying the evidence needed to determine responsibility, reliance and remedy.
  • NRS can credibly advocate and demonstrate this architecture without claiming to replace IANA or the Regional Internet Registries. Its useful role is to define a minimal record, publish an event vocabulary, issue portable holder receipts, operate or commission independent monitors, and prove that its own membership assertions meet the same standard.
  • The central bargain is institutional rather than merely cryptographic: collect less, explain more, preserve every material act, distribute control, and give the affected party a route from proof to repair.

The paradox is only apparent

Imagine a holder whose address block is shown on Monday under one corporate name and on Tuesday under another. A conventional response to the resulting dispute is to ask for more data: more identity documents, more contacts, more corporate records, more correspondence and longer retention of everything. Accumulation feels like assurance. It creates a larger file and therefore the appearance of a more serious institution.

Yet the additional fields may do little to answer the decisive questions. Which authenticated role requested the change? What authority did that role possess at the time? Which evidence did a verifier examine? Who approved the decision? Which exact record changed? Did a second official confirm a high-risk act? When did the new state become publicly effective? Can the institution prove that the prior state was not erased after the dispute began?

A registry can hold a passport scan, three telephone numbers and a stack of corporate filings while remaining unable to reconstruct its own decision. It can also expose those materials in a breach, keep them after their purpose has expired, or let an administrator use them for an unrelated inquiry. Rich personal data does not compensate for a poor institutional history.

The reverse design is more promising. Keep the public registration record narrow. Keep sensitive evidence only when it supports a defined proposition. Record the act, authority, decision and effect with unusual precision. Commit the history to externally witnessed proofs. Give the holder a receipt and a right to challenge. The institution learns less about private life while becoming less able to deny what it did.

That is the thin-ledger proposition. It is not a call for an empty address list or anonymous claims to scarce resources. It is a call to move assurance away from indiscriminate collection and towards verifiable institutional conduct.

Thin must mean sufficient, not evasive

Minimalism can become a convenient alibi. A registry may call itself privacy-preserving when it simply lacks the information needed to contact a responsible operator or distinguish two claimants. It may invoke restraint after failing to record who authorized a transfer. A thin ledger is defensible only if its fields are derived from explicit purposes and tested against real disputes.

The purposes begin with uniqueness and accurate registration. RFC 7020 describes registration accuracy as a core requirement of the Internet Numbers Registry System: allocations must be recorded so that globally unique numbers are not allocated to more than one party at the same time and so that accurate information supports operational needs. That does not prescribe a universal identity file. It does require enough information to identify the registered party and the administrative basis of the record.

For a public number-resource entry, the irreducible fields are likely to include the resource range or autonomous system number; the canonical identifier of the registered organisation or individual holder; the registration relationship and status; the authority from which the record derives; the effective time and current version; a role-based operational or abuse contact where policy requires one; and a reference through which the holder can obtain proof of the event that created the state.

Jurisdiction, resource type and relationship may justify further fields. A delegated network may need a parent reference. A legacy registration may need a historical basis label. A disputed record needs a visible contested status. A sanctions hold may require a legal authority reference without publishing protected details. The test is always the same: what decision or operational need does this field support, who can see it, how is it corrected, and when does it cease to be necessary?

Anything that fails that test should not enter merely because storage is cheap. A field collected without a proposition becomes a future privacy risk and a tempting substitute for better controls.

A registration state is the result of acts

Registries often present a clean current entity. It looks static: a prefix, an organisation, contacts, dates and status. But every line is the residue of an institutional act. Someone created the record, accepted a claim, delegated authority, updated a role, executed a transfer, imposed a hold, corrected an error or restored a prior state.

Auditability improves when the institution treats those acts as first-class records rather than incidental logs around a database. Each consequential event should identify the prior version, proposed change, authenticated requester, asserted role, evidence references, verifier, policy and procedure version, approval result, executor, commit time, publication time and resulting version. It should also record notices, objections and later review.

This event history is richer than the public state but need not be richer in unrelated personal detail. A verifier can record that a corporate-authority test passed under a named method and retain the protected evidence in a purpose-limited store. The event can contain a digest and stable reference rather than another copy of the director's identity document. An auditor can later establish what the verifier saw and whether the method was followed without making the document public.

The distinction also makes deletion more intelligent. A contact address that is no longer needed may be erased or tokenised under the applicable retention rule while the event's institutional skeleton remains: a named role made a request, verifier 417 applied procedure 6.2, approver 091 accepted it, transaction 8af changed version 48 to 49, and a holder receipt was issued. The history of power survives without preserving every private input forever.

A registry that models only current state has to reconstruct acts from scattered system traces. A registry that models acts can deliberately decide which facts must endure, which may expire and which can be proved without disclosure.

NRS has a useful premise to discipline

NRS presents number-resource institutions as bookkeepers whose legitimacy rests on accurate registration rather than a general power to govern networks. Its charter also treats voluntary recognition, free enterprise and limits on regulatory ambition as important. Those claims are advocacy, not proof that any proposed NRS service is authoritative or technically ready. But the bookkeeper premise can produce a serious design discipline.

A bookkeeper must be ordinary in one sense and exacting in another. It should not turn registration into a licence to inspect a holder's business, direct lawful routing choices or adjudicate every controversy around an address. It must nevertheless be able to show why an entry exists, who changed it and whether its own rules were obeyed. Narrow mandate is not low assurance.

The positive NRS case therefore should not begin with a claim to a new global register. It should begin with its own assertions. If NRS says that an organisation is a verified resource-holding member, what minimum evidence supports the statement? What happens when registry data is stale, a parent provider holds the allocation, a company merges, or two officers disagree? Can the member withdraw or correct the assertion? Can an auditor verify the history without obtaining the member's full application file?

By solving those questions publicly, NRS could demonstrate that minimal collection and strong proof are compatible. It could then offer the event model, receipt format and audit tests to holders and incumbent registries. Adoption would rest on utility and interoperability, not a declaration that NRS has displaced recognised authorities.

The standard should be especially strict because a minimalist creed can conceal arbitrary discretion. NRS's public membership terms give an Admission Committee discretion over applications and allow requests for further information. A thin-ledger design must put reasons, review and audit around that discretion. Otherwise the institution collects less while insiders still decide more.

Three layers prevent two common mistakes

The architecture should separate public state, protected evidence and public proof. Blurring them produces the two familiar failures: publishing sensitive material in the name of transparency, or keeping every integrity claim inside the institution that is being questioned.

The public-state layer answers current operational questions. It is deliberately compact, machine-readable and versioned. It shows the resource, registered party, relationship, status, authority, effective time and role contacts appropriate for public use. It can expose selected event labels - transferred, corrected, suspended, restored - without identifying private users or revealing security controls.

The protected-evidence layer explains the state. It holds authenticated requests, role bindings, approvals, policy snapshots, evidence references, before-and-after values, privileged actions, system acknowledgements and review outcomes. Access is based on purpose. A holder sees the material concerning its record, subject to protections for other people and security. An independent auditor receives a wider controlled view. A court or lawful authority receives material under the applicable rules. Ordinary public users do not receive raw authentication traces.

The public-proof layer commits to the protected history. At defined intervals, the service publishes signed cryptographic summaries of an ordered event set. A disclosed event can later be accompanied by an inclusion proof. Successive summaries can be checked for consistency. Independent witnesses retain summaries and compare what they receive. Aggregate public reports reconcile event counts, gaps, challenges and corrections.

These layers permit selective revelation. The registry can prove that an event was committed before a date, occupied a position in an ordered history and remained in later histories. It can disclose the event to an authorised reviewer without exposing every neighbouring event. The public can test continuity of the ledger while the holder's private evidence remains protected.

The design does not remove judgment. It makes the institution's judgment traceable and makes later alteration harder to conceal.

The event vocabulary should be boring and complete

Trust depends less on a grand constitutional statement than on whether mundane events have stable meanings. NRS should publish a small, extensible vocabulary that registries and holders can implement without translating every transaction into local prose.

At minimum it should distinguish creation, allocation or assignment, delegation, contact change, authority-role change, transfer, merger or succession, split, aggregation, return, expiry where applicable, hold, suspension, revocation, restoration, correction, dispute opening, dispute closure and disclosure. A status change should not impersonate a transfer. A correction should not appear as an original allocation. A temporary security hold should not become a permanent adverse decision by inertia.

Each event type needs mandatory propositions. A transfer requires a source holder, destination holder, resource set, authority test, effective time and continuity treatment. A contact change requires a role, old endpoint, new endpoint and confirmation path. A suspension requires the rule or lawful basis, scope, decision-maker, start, review date and effect on public services. A correction identifies the erroneous event and explains which factual or procedural defect is being cured.

Reason codes should be public enough to compare decisions but not so broad that every case becomes “administrative.” Free text can provide context in the protected record. The published code set should change through versioned, reviewed decisions. Old events retain the vocabulary version used at the time.

Completeness must include failure. Rejected requests, expired approvals, unsuccessful execution, partial restoration and abandoned disputes belong in the event sequence even when they do not change current state. Otherwise the ledger records only successful institutional acts and cannot reveal repeated attempts, unexplained delay or selective treatment.

A boring vocabulary is valuable because it resists rhetorical inflation. The registry either received, verified, approved, committed, published, corrected or did not. An auditor can test those verbs.

A signature on a page is not a signed history

Digital signatures are often added at the wrong level. An institution signs a daily export or a PDF certificate and calls the record verifiable. The signature may prove that a file was produced under a key. It does not show that all prior events were included, that two audiences received the same history, or that an earlier event was not removed before the file was signed.

A signed history needs order and continuity. Each event should have a canonical representation and an identifier that cannot be silently reassigned. The service should commit to batches or an append-only tree. Each signed checkpoint identifies the tree size, root, time, algorithm and key. A later checkpoint can be tested against an earlier one. A holder receipt binds the relevant event to a checkpoint rather than merely asserting that the current screen is authentic.

RFC 9162 supplies a useful, bounded model through Certificate Transparency. It defines signed tree heads, inclusion proofs and consistency proofs for a Merkle-tree log. Monitors can watch for entries of interest and check correct log behaviour. Signatures prevent a log from plausibly denying inconsistent structures that others retained.

Number-resource events are not certificates, and the standard should not be transplanted without analysis. Registry events can contain personal, commercial and security-sensitive facts. Acceptance rules, correction semantics, retention and remedies differ. The lesson is structural: publish compact commitments that permit external verification, separate submitter receipts from later inclusion, and make inconsistent histories detectable.

The registry must also define what a signed checkpoint does not establish. It does not prove that an underlying contract was genuine, an officer had corporate authority, a policy was fair or a suspension was lawful. It proves that a particular representation entered a committed history by a certain stage. That is a powerful fact only when stated honestly.

Public proof can reveal less than public records do today

Transparency is frequently treated as a choice between full publication and trust in the operator. Cryptographic commitments create a third option. The public can observe continuity and selected membership without receiving the content of every event.

Suppose a protected transfer event is represented by a canonical record containing the resource identifier, old and new holder identifiers, decision reference, effective time and digests of protected evidence. The complete event becomes a leaf in a committed tree. The public checkpoint exposes only a root, size, time and signature. The holder receives its event plus the path needed to prove inclusion. An auditor with authorised access can recompute the leaf and inspect the evidence. An ordinary observer can verify consistency between checkpoints without learning the parties to every transfer.

Selected public facts can receive separate proofs. A registry can prove that the current public entry is derived from a committed event. It can publish a daily count of transfers and a proof that the count reconciles with labelled events, using an appropriately designed disclosure method. It can let a holder prove to a counterparty that a registration existed at a time without revealing unrelated account records.

Care is required. Hashing predictable personal data is not anonymisation; an attacker may guess the input and compare the digest. Small event classes can leak facts through timing and counts. A direct proof request can reveal which resource interests the requester. The system should use salts or commitments appropriate to the threat model, batch events to limit timing leakage, minimise public metadata and permit proof delivery through the holder where possible.

The objective is not cryptographic spectacle. It is to make a narrow factual promise verifiable while disclosing less than a conventional public history might require.

Equivocation is an institutional offence

Deletion is not the only threat. A registry can present one consistent-looking history to a holder and another to an auditor. It can delay an embarrassing event from one view, issue a checkpoint to a friendly witness and a different checkpoint to a critic, or reset the log after claiming technical failure.

Independent witnessing addresses this risk. NRS should require checkpoints to be sent to multiple organisations that do not share administration, hosting or key custody. Holders can gossip the checkpoint attached to their receipts. Auditors compare tree size, root and time. A public archive preserves the sequence. Any two validly signed but incompatible checkpoints become evidence of equivocation.

Witness diversity matters more than the nominal count. Five witnesses operated by one supplier under one contract are one institutional dependency. A useful set might include a holder association, an academic network, an audit firm, a public-interest archive and another registry. Their duties should be modest: receive, timestamp, retain, compare and publish an alert when consistency cannot be established. They need not receive private event content.

Availability failures need a separate signal from integrity failures. A missed checkpoint can result from an outage, network partition or witness problem. The public record should distinguish late issuance, failed delivery, unverifiable consistency, key revocation and confirmed equivocation. Deadlines and escalation prevent “temporary” gaps from becoming permanent ambiguity.

The sanction for equivocation cannot be merely reputational. Contracts and governance rules should specify preservation, independent investigation, holder notification, suspension of unilateral high-risk changes, key replacement, reconstruction and, where authority depends on recognition, review of that recognition. Cryptography can expose the fork; institutions must decide what follows.

Separate the roles before adding another field

The strongest improvement available to a small registry may be organisational rather than mathematical. No single privileged operator should be able to create a claim, approve it, commit it, alter the audit record and sign the public proof.

The requester asserts the change. The identity service authenticates a technical principal and binds it to a holder role. The verifier evaluates evidence. The approver decides under policy. The executor applies an approved transaction. The proof service commits the event. The key custodian controls signing operations. The monitor checks consistency. The auditor reconstructs selected cases. These roles can be performed by compact teams and automation, but their authorities should remain distinct.

For low-risk contact changes, one person may initiate and confirm through an established channel. For a full transfer, merger, adverse suspension or restoration after compromise, dual control is justified. The second approver should receive the complete proposition and evidence result, not merely click an approval button labelled “reviewed.” Break-glass authority should expire quickly, require a reason and trigger automatic external notice.

Technical separation must match organisational separation. Distinct screen names in one administrator account are cosmetic. Access policies, service credentials, keys, logs and deployment rights should prevent the same principal from crossing the boundary without leaving a detectable exception. Audit administrators should not be able to change holder state. Production administrators should not be able to delete audit records. Signing keys should not be available to the application database.

NIST's SP 800-53 Revision 5 treats separation of duties, least privilege, audit protection and cryptographic integrity as related controls. It is a general security catalogue, not a number-registry mandate. Its useful lesson is that assurance comes from the arrangement of authority, not the volume of information collected about the subject.

Holder receipts turn a subject into a witness

Most registration systems let a holder download current data. Fewer give it a durable, independently checkable receipt for the act that created the data. A receipt would make each holder a distributed witness to institutional history.

After a consequential event, the holder should receive a canonical event statement, prior and resulting version identifiers, acceptance time, expected publication deadline, policy reference, checkpoint commitment and the signatures necessary to validate the receipt. Once the event is included, the service provides or makes available an inclusion proof. If the holder later sees a different public state, it can show exactly which accepted act conflicts with it.

The receipt should be portable. Verification cannot require a live account at the same institution accused of error. Public key history, algorithms, canonicalisation rules and proof formats must remain available. A successor registry or court-appointed custodian should be able to validate old receipts. Human-readable rendering should accompany the machine form so that an officer understands what was accepted.

A holder signature can add value but should not be misdescribed. For a voluntary transfer, the old and new holders might countersign the event statement. That supports consent to the represented terms. It does not prove legal capacity or eliminate fraud. For an adverse hold, requiring the holder's signature would create a veto over recording the institution's act. The receipt should instead prove notice and preserve any objection.

Loss of a receipt must not erase rights. The registry retains the committed event, and authorised holders can request another proof after authentication. Conversely, possession of a receipt should not by itself grant power to change the resource. Evidence of a past act is not a bearer credential for future control.

The design turns the holder from a passive database subject into a custodian of one part of the shared history.

Identity should attach to roles, not public biographies

Number-resource administration needs accountable people, but the public rarely needs their full identity files. The registry should distinguish the legal or organisational holder, the role empowered to act, the technical principal using that role and the natural person or service behind the principal.

The public entry usually needs the holder's canonical identity and reachable functional contacts. A security or abuse role can be expressed as a maintained endpoint rather than an employee's home address. The protected record binds the role to authorised individuals, records the assurance method and preserves start and end dates. Historical events continue to resolve to the role and person as they existed then, even after staff leave.

Verification should be proportional. A routine endpoint confirmation does not justify a broad corporate investigation. A transfer of a valuable address block may justify stronger evidence of company existence, officer authority and consent. The event records the method and result. Sensitive documents remain segregated, encrypted and subject to expiry or legal retention rules.

The European Union's General Data Protection Regulation is not a universal statute for every registry relationship. Its purpose limitation, data minimisation, accuracy, storage limitation, security and accountability principles nevertheless express a coherent design challenge: an institution should be able to explain why each category exists and demonstrate responsible handling.

Minimalism must not erase the route to accountability. Pseudonymous internal identifiers should map to real historical principals under controlled access. Shared accounts should be prohibited for consequential acts. Automated services should have named owners and narrow scopes. A public role address can protect personal data while a protected role history lets an auditor determine who acted.

The right question is not whether identity is public or secret. It is which identity proposition each audience needs and how that proposition can be proved.

Correction must add truth without deleting history

Every registry will make mistakes. The legitimacy test is not a claim of perfection but a correction design that preserves evidence, limits continuing harm and assigns responsibility.

When an error is confirmed, the service should append a correction event linked to the defective event. The current public state changes promptly. The prior event remains in protected history and, where appropriate, a public version history shows that a correction occurred. The correction states whether the defect involved input, identity binding, policy interpretation, approval, execution, display or later discovery.

This distinction matters for remedy. If a holder supplied a mistaken contact, correction may be sufficient. If staff approved a transfer without required authority, restoration, preservation and independent review may follow. If the public view was wrong but the authoritative state remained correct, the institution should identify the exposure period and affected services rather than imply that the resource itself moved.

Silent overwrite is tempting because it produces a clean present. It also permits the institution to hide the duration and cause of error, frustrates parties that relied on the old state and breaks external proofs. A signed checkpoint will expose unexplained rewriting only if the corrected event remains in the append-only sequence and the public derives current state through explicit supersession.

Corrections can themselves be wrong. They need the same request, approval, receipt and proof controls as original acts. A sequence may therefore show event, correction, reversal and final determination. That is untidy but honest. Auditability is not aesthetic neatness.

Public notices should be proportionate. A correction to a private contact need not reveal the old address. A correction affecting registered control should show the resource, affected versions, time and status while protecting investigative detail. Holders receive a fuller account and a route to contest it.

A disputed record needs a state of its own

Binary databases force institutions to choose between two dangerous displays: present the contested entry as unquestionably authoritative or remove it until the dispute ends. A thin ledger should support an explicit contested state without making the public decode legal correspondence.

The status should identify what is disputed: holder identity, authority to act, succession, scope, effective time, contact or a registry procedure. It should show when the dispute opened, which current operational state remains in effect, whether changes are restricted, the next review point and how an affected party can submit evidence. It should not publish accusations or protected evidence.

Opening a dispute must not automatically transfer control to the complainant. Nor should the incumbent receive an absolute veto over review. The institution applies a pre-published preservation rule based on reversibility and operational risk. It may freeze high-risk transfers while allowing essential contact or routing-security maintenance through enhanced approval. Emergency action should be time-limited and reviewed.

The event history preserves competing claims and institutional decisions. Each party receives receipts for submissions. The auditor can test whether the same evidence standard and timetable were applied. The public checkpoint proves that the dispute and decisions entered the history when claimed, even if the details remain restricted.

Closure requires a reasoned event, not a status toggle. It identifies the accepted authority, rejected or unresolved propositions, current state, effective time, correction of public data and available review. If a court or recognised authority decided a question, the record should distinguish that external decision from the registry's implementation.

This is another way in which less public prose can produce more accountability. A precise status and verifiable sequence are better than a large public file that prejudices parties while failing to explain institutional action.

Proof without a right to repair is theatre

An immaculate append-only log can prove that an institution harmed someone exactly as recorded. That is not accountability unless the affected party has standing, access, review and a remedy.

The holder should have a contractual or constitutional right to receive receipts for consequential events, prompt notice, a plain statement of reasons, preservation upon credible challenge and access to the evidence relating to its record. Access can redact another person's protected data or security detail, but the institution should identify every withholding category and provide a route for independent inspection.

Review should be structurally independent of the original approver. The reviewer needs authority to inspect protected evidence, test signatures and checkpoints, stay a reversible change, order correction, require restoration within the institution's control and recommend broader remediation. Time limits should reflect operational risk: an unauthorised control change cannot wait for an annual committee meeting.

Remedies should correspond to the defect. They may include correction, restoration, renewed credentials, removal of an improper hold, extension of a deadline, repayment of an improperly charged fee, publication of a correction, notification to affected services, preservation for court proceedings or compensation where contract and law provide it. Cryptographic proof does not determine damages or property rights.

Repeated control failure needs a governance remedy. If one verifier repeatedly accepts defective authority, remove the role pending review. If commitments are missed, require external supervision. If the registry cannot produce inclusion proofs for a class of events, pause non-emergency acts in that class until continuity is re-established. Aggregate findings should reach the board and members.

NRS should apply these rights to its own admission and membership decisions before prescribing them elsewhere. A free membership fee does not reduce the effect of exclusion from a claimed constituency. Minimal fields, a reasoned decision, an event receipt and independent appeal would make the bookkeeper principle tangible.

Cryptography proves less than enthusiasts promise

The thin ledger will attract elegant diagrams. Institutional analysis must keep asking what each proof establishes.

A digital signature proves that a holder of a private key signed defined bytes, assuming the algorithm, key and verification context remain trustworthy. It does not prove that the key holder was the authorised officer, understood the act or was free from coercion. A timestamp can support the proposition that data existed before a time; it does not prove the data was true. An inclusion proof shows that a leaf belongs to a committed tree; it does not show that no relevant event was kept outside the tree.

A consistency proof shows that one committed tree extends another under the construction. It cannot expose a second history unless witnesses compare checkpoints. A holder receipt proves that the service accepted a representation under a key; later inclusion and consistency must still be checked. Encryption protects confidentiality only while keys and endpoints are controlled. Hashing does not make predictable personal information anonymous.

These limits do not make the tools weak. They allocate the remaining burden. Identity systems must bind people to roles. Policy defines authority. Role separation constrains collusion. Complete-event reconciliation tests whether relevant acts entered the log. Witnesses detect forks. Auditors inspect protected evidence. Reviewers decide whether procedure and substance were justified. Courts apply law.

The public specification should include a “proof proposition” for every artefact: accepted by the service, included by checkpoint, consistent since checkpoint, signed by role, witnessed by organisation, or valid under archived key material. User interfaces should not turn all green verification marks into “ownership verified.”

Trust grows when an institution refuses to make its cryptography say more than it can.

Long-lived rights outlast short-lived keys

Number-resource disputes can arise years after an event. Algorithms weaken, certificates expire, signing devices fail, organisations merge and key custodians leave. A proof architecture designed only for today's key can make old history undecidable.

Key identity, purpose, activation, rotation, revocation and destruction need their own public history. A checkpoint should identify the exact key and algorithm. A planned rotation is announced and cross-signed where appropriate. A compromised key triggers a bounded incident event, preservation of witnessed checkpoints and a documented reconstruction; it should not justify silently starting a fresh history.

RFC 3161 describes time-stamp tokens that support proof that data existed before a particular time. RFC 4998 defines evidence records and renewal structures intended to preserve existence and integrity over long periods as algorithms and certificates change. These standards do not settle registry policy or legal admissibility. They demonstrate that long-term proof requires planned renewal, not indefinite faith in an old signature.

NRS should define a cryptographic continuity calendar. It would review algorithm strength, timestamp trust, certificate status and witness availability; renew evidence before a dependency becomes unreliable; and publish the relationship between old and new commitments. The archive retains software specifications and test vectors needed to validate historical artefacts.

Custody must also survive institutional failure. An escrowed set of checkpoints, public keys, specifications, encrypted protected records and access rules should be transferable to a successor under a defined trigger. The successor may not acquire every obsolete personal field. It must acquire enough institutional history to honour receipts, resolve current authority and continue the append-only sequence.

A thin record can therefore be durable. Durability comes from preservation design, not collecting a permanent copy of everything once submitted.

Availability and integrity should fail differently

A proof service that is perfectly immutable but frequently unreachable cannot support operational dependence. Conversely, a highly available service that can rewrite history is not trustworthy. NRS should publish separate objectives and incident states for availability, integrity and freshness.

Current registration data should be served from redundant systems and reproducible from signed state. Checkpoints should be distributed through multiple channels. Holder receipts should remain verifiable offline. Independent mirrors can serve public state and proof material without gaining authority to approve changes. Protected evidence needs encrypted, geographically and administratively separated copies with tested restoration.

Restoration exercises should begin with a known checkpoint and reconstruct current state by replaying committed events. The operator then reconciles event count, resulting state, public entries, pending disputes and holder receipts. A backup that restores tables but cannot reconcile the event sequence is not an adequate continuity test.

During an outage, the institution should avoid improvising irreversible acts outside the normal history. Emergency changes enter a separately constrained queue, use dual approval and receive receipts. On recovery, they are reconciled before ordinary high-risk changes resume. The public report identifies gaps between acceptance, commitment and publication.

Service metrics should not collapse these states into generic uptime. Report current-data availability, proof availability, checkpoint lateness, uncommitted accepted events, failed consistency checks, restoration test results and time to issue holder proof. Denominators and observation windows matter. “No integrity incidents” is meaningless if no independent monitor compared checkpoints.

Continuity is where minimalist design pays off. A compact state and precise event sequence are easier to export, verify and restore than an undocumented mass of mutable records. The architecture becomes resilient because it knows which facts are essential.

Interoperability prevents the ledger becoming a rival truth

Internet number resources already sit within the IANA, RIR, Local Internet Registry and holder relationships described by RFC 7020. NRS cannot create operational legitimacy by placing a second assertion beside a recognised registration and calling the conflict competition.

Every NRS record should identify its authority class. A direct observation of public RIR data is a derived assertion. A holder-submitted document is a holder claim. A membership verification is an NRS decision about membership. A future delegated registry act would require an identifiable legal and institutional basis. The public interface must not flatten those categories into one authoritative label.

Portable event and receipt formats should map to existing identifiers rather than rename resources. A prefix, ASN, organisation handle and source registry can be represented without claiming title. If a recognised record changes, the NRS assertion either updates through a proved event or becomes visibly stale. If the holder disputes the recognised record, NRS can preserve the challenge and evidence without presenting its preferred claimant as operational truth.

Interoperability also needs exit. A holder should be able to export its current assertion, event receipts, role history and pending challenges in a documented format. Another service can validate the signatures and continue under its own authority. NRS should publish conformance tests and permit independent implementations. Proprietary proof clients would turn cryptographic assurance into supplier dependence.

The NRO RIR Governance Document Version 2 text emphasises comprehensive records, transparency and continuity sufficient for an emergency operator. It does not prescribe this architecture or grant NRS a role. It does reinforce the principle that records must support transfer of essential service rather than bind the community permanently to one administrator.

The thin ledger succeeds when it makes recognised facts more portable and contestable, not when it manufactures a competing root of authority.

Auditors should reconstruct cases, not admire controls

An audit report can list encryption, access control and retention policies while missing the central question: can an outsider reconstruct why this record changed and prove that the history is complete?

The audit sample should begin with risk events. Select transfers, adverse holds, corrections, restorations, emergency actions, key rotations and rejected challenges. For each, start from the public state and derive the committed event. Verify the holder receipt, inclusion and consistency. Trace the requester to a historical role, inspect the authority test, identify verifier and approver, confirm execution matched approval, reconcile publication and review later changes.

The auditor should also sample absence. Compare application, support, authentication, decision and database systems to the committed sequence. Look for accepted requests without events, privileged changes without approvals, events committed after the maximum delay, duplicate identifiers, gaps in sequence, orphaned evidence and checkpoints seen by one witness but not another. Test whether administrators can suppress a rejected or failed request.

Privacy controls belong in the same audit. Ask whether each retained field has a purpose and expiry; whether proof leaves leak personal facts; whether auditor access is logged; whether old role bindings remain accurate but protected; and whether erased material remains in uncontrolled backups. Strong evidence custody should not become a quiet surveillance archive.

Auditor independence is practical. Who appoints and pays the firm? Can management narrow the sample? Does the auditor receive checkpoints from witnesses rather than only from the registry? Are findings and management responses published? Can holders report conflicting receipts directly? Rotation may reduce familiarity but lose expertise; peer review and public methods can offset either risk.

The final opinion should be proposition-specific. It can report that sampled events were included, roles were separated and state was reproducible. It should not convert a limited sample into a claim that every registration is substantively correct.

Public reporting needs honest denominators

A trust dashboard can mislead while every number on it is accurate. “Ninety-nine per cent verified” says little unless the reader knows what was eligible, which checks counted, which period was measured and whether unresolved cases disappeared from the denominator.

The ledger should report opening state, events received, accepted, rejected, pending, committed, published, challenged, corrected and reversed. It should reconcile the closing state. High-risk classes should be separated from routine contact updates. Checkpoint punctuality should use all scheduled checkpoints. Inclusion performance should use all accepted events whose deadline expired. Challenge outcomes should include withdrawals and cases still open.

Privacy may require aggregation, suppression of small cells or delayed reporting. Those protections should be stated, and suppressed classes should still reconcile to a protected auditor total. The institution should not reveal that one named holder was the only subject of a rare adverse action. Nor should it use privacy as a reason to publish no denominator.

Proof health deserves its own series: witness coverage, consistency checks attempted and completed, invalid signatures, key incidents, proof requests, reconstruction success and restoration tests. A claim of zero equivocation should identify the independent comparisons supporting it. A claim of complete history should identify systems reconciled and known exclusions.

NRS membership reporting should follow the same discipline. It can state applications, accepted members, rejected applications, suspensions, terminations, appeals and reversals without publishing applicants' evidence. It should distinguish individual members, organisations and verified resource-holding relationships. One person, one company and one delegated network are not interchangeable units of support.

The discipline is simple: every percentage earns a noun, a denominator, a period, an exclusion rule and a responsible verifier.

The incentives favour silence unless rights change them

Technology cannot be assessed without asking who benefits from a complete record. A holder wants proof when a registry errs but may prefer ambiguity when its own authority is weak. Staff want rapid resolution and may regard detailed event capture as administrative friction. Executives want clean incident figures. Auditors are paid by the institution they inspect. Witnesses may neglect a quiet service. Attackers want either an unauthorised change or destruction of the evidence.

The design should align incentives rather than expect unusual virtue. Automatic receipts give holders a reason to retain checkpoints. Public inclusion deadlines make uncommitted events visible. Append-only corrections reduce the temptation to clean up embarrassing history. Independent witnesses make suppression require collusion. Reviewer authority gives proof an operational consequence. Board reporting makes repeated exceptions difficult to contain within technical staff.

Costs also need allocation. The core registration charge, if any, should include event capture, proof, receipt, correction, review and continuity. Charging a holder a high fee merely to obtain evidence of the institution's own act would weaken accountability. Optional enhanced identity services can be separate, but payment must not buy a lower evidence standard or faster substantive appeal.

Auditor procurement should reward detection and reconstruction, not a clean opinion. The contract can require publication of methods, access to external witness data and follow-up of prior findings. Witnesses can receive modest fixed support that is independent of alert volume. A bounty for valid inconsistency evidence may help, provided disclosure rules protect ongoing incidents.

The institution should also publish where incentives defeated the design. If staff used an emergency path to meet a deadline, if a holder declined countersignature, or if a witness stopped checking for three months, record and remedy the exception. Trust comes from visible resistance to predictable pressure, not from claiming that pressure disappeared.

Minimalism should be tested against abuse

A thin ledger creates attack opportunities if “minimal” becomes weak authentication or easy anonymity. Impersonators may exploit sparse identity fields. Insiders may create plausible event records for fabricated evidence. Observers may infer commercial transactions from proof timing. A malicious holder may flood challenges to delay a transfer. A registry may commit every event correctly while excluding an entire shadow channel from the sequence.

The answer is not to collect every possible field. It is to test the architecture against named threats. Strong authentication and historical role binding address impersonation. Dual approval, evidence digests and independent review address insiders. Batching and limited public metadata reduce timing leakage. Rate controls and materiality tests address abusive challenges while preserving urgent review. Cross-system reconciliation exposes shadow channels.

Collusion remains possible. A requester, verifier and approver can conspire; witnesses can fail; key custodians can be compromised. The design raises the cost and leaves more evidence. It cannot make institutional trust unnecessary. Governance still determines appointment, conflict rules, sanctions and external jurisdiction.

False confidence is another threat. Users may treat a verified inclusion proof as proof of ownership, or a current NRS membership assertion as authority to route. Interfaces should state the proposition, authority source and expiry. High-value counterparties should inspect the underlying registration relationship and legal documents appropriate to their transaction.

Data minimisation can itself be attacked politically. An institution may retain private data under broad “future dispute” language or erase evidence needed for a pending claim under a privacy slogan. Purpose schedules, legal holds, independent review and public retention classes are the defence. The holder should know which evidence exists, why it remains and when deletion or preservation will be reconsidered.

A minimalist system is credible only when its threat model is richer than its public record.

A staged NRS demonstration can remain reversible

The most convincing future programme would start with claims NRS already controls and expand only after independent tests. It need not ask the Internet to trust a new authoritative service on day one.

Stage one can cover membership events. Publish the minimal membership assertion, event vocabulary, canonical format, key history and checkpoints. Give applicants receipts for submission, acceptance, rejection, suspension and termination. Create a protected evidence store with purpose and retention classes. Appoint independent witnesses and a reviewer. Publish aggregate reconciliation and exceptions.

Stage two can add voluntary holder attestations linked to recognised registry data. The attestation states precisely what the holder claims, which public record was consulted and when the claim expires. It does not overwrite the recognised record. Holders receive portable proofs; auditors sample authority tests; the public sees provenance and staleness.

Stage three can test a delegated service in a closed, non-production environment with participating holders and an identified authority. Exercises cover transfer, dispute, correction, key compromise, witness failure, restoration and export to a successor. The result should publish failed tests and changed assumptions, not a declaration of universal readiness.

Any authoritative expansion requires a separate decision identifying legal basis, recognition, resource scope, liability, service levels, interoperability, financing, appeal and exit. The proof architecture can support that decision but cannot create the authority itself. If counterparties do not recognise the service, the ledger remains a well-proved assertion system.

Reversibility is a success criterion. Can NRS stop issuing new assertions while old receipts remain verifiable? Can another operator restore state? Can a member exit without losing evidence? Can an error be corrected without erasing history? Can a witness be replaced without resetting trust? Can the institution narrow scope after an adverse audit?

Starting with its own membership would make NRS's positive case concrete and expose governance weaknesses before scarce resources depend on them.

The board should govern the proof, not operate it

A board should not approve individual transfers or handle signing keys. It should set the evidentiary constitution and receive indicators that reveal whether management respects it.

The constitution defines the minimal public record, protected evidence classes, event vocabulary, role separations, high-risk approval thresholds, checkpoint frequency, witness criteria, holder rights, review authority, retention, correction, key continuity and successor triggers. Material changes receive notice, reasons and a transition plan. The board cannot waive an affected holder's access or rewrite a checkpoint by resolution.

Quarterly reporting should show unreconciled events, missed commitments, emergency acts, role conflicts, open challenges, reversals, correction causes, witness gaps, key incidents, failed restoration tests and overdue remediation. Trends matter more than a single green score. The board should ask why exceptions cluster around one event type, person or commercial relationship.

An audit committee can commission reconstruction tests and meet holders or witnesses without management present. A privacy function reviews field necessity and disclosure. A technical committee reviews cryptographic continuity. Independence between these functions reduces the risk that one expert vocabulary overwhelms the others.

Members need a route to amend the constitution and challenge board failure without gaining access to private cases. Supermajority protection may be appropriate for weakening proof or review rights. Emergency amendments should expire. Funding arrangements should not let a major donor appoint the sole witness or auditor.

The board's central duty is to prevent proof from becoming decoration. It must connect missing evidence to operational limits, review findings to correction, and continuity failures to investment or succession. It governs the consequences while leaving event decisions to accountable roles.

The better ledger knows exactly what it does not know

There is no public, comparable inventory of every RIR's protected event fields, role bindings, retention, key controls, privileged paths, external witnesses and holder evidence rights. NRS should not build its argument by asserting that all existing registries lack such controls. Public WHOIS, RDAP, history services and governance documents reveal only parts of their internal evidence systems.

Nor can the proposed architecture establish a global fact of legal ownership. Number-resource relationships arise from policies, contracts, historical allocations, corporate succession and local law. The ledger can record the recognised relationship and preserve the decision. It cannot settle every jurisdiction's property doctrine through a signature.

Some events will remain uncertain. A compromised credential may leave impeccable technical evidence but ambiguous human attribution. A dissolved company may have incomplete succession documents. A witness outage may leave a checkpoint late but not falsified. The record should express confidence and unresolved propositions instead of converting technical completeness into substantive certainty.

The costs are not yet known across institutions and event volumes. Storage for compact commitments is cheap; secure identity, review, key custody, privacy engineering and long-term evidence are not. A pilot should publish unit costs and failure rates rather than promise a universal low fee.

These limitations sharpen the case. The thin ledger is not a machine for producing certainty. It is a method for locating uncertainty. It shows which fact was asserted, which authority was accepted, which official decided, which proof endures, which private evidence can be inspected, which question remains open and which remedy is available.

That is a richer form of trust than an institution that knows more about its users but can prove less about itself.

Collect less, bind more, repair openly

The bookkeeper metaphor is often used to shrink institutional ambition. Its stronger use is to enlarge institutional discipline. A bookkeeper does not need a biography of every holder. It needs an exact account, a controlled authority to post changes, a history that balances, independent inspection and a correction that never pretends the error did not occur.

NRS can turn that discipline into a positive programme. Define the minimum registration propositions. Separate public state from protected evidence. Model consequential acts. Bind people to roles. Divide request, verification, approval, execution, signing and audit. Give every holder a portable receipt. Publish externally witnessed commitments. Preserve cryptographic validity. Reconcile every event class. Offer review and repair.

The result would be thinner than a universal identity repository and richer than a mutable registration table. It would disclose fewer private facts while producing more public assurance. It would make corruption harder to hide, mistakes easier to locate and succession less dependent on one administrator's goodwill.

None of this lets NRS declare itself authoritative. Authority still requires recognition, agreement, operational competence and lawful scope. But a voluntary institution can lead by making its own claims verifiable and its own discretion appealable. If holders, auditors and existing registries find the design useful, adoption can grow from demonstrated restraint.

Minimal registration and auditability are therefore not opposing values. They conflict only when institutions confuse evidence with accumulation. The credible ledger is parsimonious about people and lavish about power: who exercised it, under which rule, on what evidence, with whose approval, at what time, producing which state, witnessed by whom and repairable how.

That is what rich proof should mean.

Sources