Summary
- Existing RIR, ICANN and IANA reports contain substantial evidence, but identical-looking totals can refer to different start points, completion states, actor roles and eligible populations.
- The comparison unit should be a governed decision event with a stable opaque identifier, an institution namespace, an event class, a policy version, a sequence of lifecycle states and explicit links to review, correction or reversal.
- Decision time should separate receipt, documentary completeness, substantive review, decision, notice and authoritative implementation; review should have its own filing, acceptance, interim-relief, outcome and remedy timestamps.
- Actor fields should describe institutional roles at the time of action - requester, verifier, recommender, decision-maker, implementer and reviewer - without publishing unnecessary natural-person identities or confusing a role with authority.
- Public event fields and protected evidence must be separate. A public record can expose status, reason class, timing and provenance while identity documents, legal advice, credentials and security material remain controlled and auditable.
- Every event must carry the schema version and vocabulary version under which it was emitted. Major changes require governed migrations, parallel restatement and preserved earlier releases rather than silent rewriting.
- Schema stewardship should belong to an independent, multi-party standards body with open change records, public test vectors, conflict disclosures and balanced participation; it should define data semantics, not decide RIR policy or individual cases.
- Number Resource Society can advocate an open schema, convene holders and researchers, and publish evidence-led comparisons. It cannot assign event IDs, maintain authoritative records, certify conformance, adjudicate decisions or operate the schema authority.
Comparison fails at the decision boundary
The RIPE NCC Annual Report 2025, the ARIN Annual Report 2025, APNIC's annual-report archive and ICANN's FY25 annual report all show that number-resource institutions already disclose substantial operational, financial and governance information. IANA's monthly number-resource performance reports go further in a narrow domain by naming stages and targets for requests between IANA and the RIRs. The problem is not a complete absence of disclosure.
The comparison failure appears when a reader asks whether two published values describe the same institutional act. A transfer may be counted when submitted, when deemed complete, when approved or when the authoritative registration changes. A correction may be counted when a ticket closes even though a public directory, reverse delegation or route-security entity remains stale. A review may be counted as filed, accepted, decided or implemented. An annual total usually does not carry enough structure to recover those distinctions.
This is why another comprehensive evidence portal would not solve the core problem. A portal can collect incompatible figures and make them look more orderly without making them more comparable. A long list of governance indicators can also become a scorecard whose weighting hides substantive choices. The missing layer is smaller and more demanding: a common representation of the event from which later totals are calculated.
The event schema should not attempt to store everything an institution knows. It should make a bounded claim about consequential decisions. It identifies the institutional lifecycle, authority source, actor roles, timing, outcome, review and publication history needed to reconstruct a comparison. Finance, concentration, membership and technical-service indicators may have separate standards. They should not be poured into this event model merely because a single dataset sounds convenient.
The scope is decisions, not an evidence warehouse
A decision event begins when an institution receives or initiates a matter that can change a person's or organisation's rights, registered status, service access, resource record or route-security state. It also includes governance decisions that change the rules under which those matters are handled. The common schema can cover allocation and assignment requests, transfers, registration corrections, adverse account actions, RPKI changes initiated by the registry, membership decisions, formal reviews and policy decisions. Each class uses a shared envelope and a class-specific profile.
The schema does not absorb raw case files. It does not become the canonical registry, replace RDAP or WHOIS, issue a certificate, record beneficial ownership as fact, decide legal title or preserve every message exchanged with staff. Those functions belong to the institution and lawful systems responsible for the decision. The public schema exposes enough to test process and outcome while referring to protected evidence through controlled identifiers.
Scope must be enforceable at field level. A field belongs only when it helps answer one of five questions: what matter entered the process, under which rule, which institutional role acted, when did the state change, and how was the result reviewed or corrected? A requested field that cannot be tied to one of those questions should be rejected or placed in a separate domain standard. This discipline prevents a decision schema from expanding into an indiscriminate institutional dossier.
Class profiles should remain narrow. A transfer profile needs source and recipient relationship classes, resource family, size band, inter-regional link, authority-check outcome and implementation state. A correction profile needs affected public surface, defect class, confirmation time, authoritative repair and propagation status. A review profile needs challenged event, standing class, filing, acceptance, interim protection, outcome and remedy implementation. Shared names should mean the same thing in every profile.
One event needs one durable identity
Every governed event requires a stable identifier that survives staff reassignment, case-system migration, annual reporting and later correction. Without it, a review cannot be reliably linked to the decision it challenges, an amended release can double-count a case, and two RIRs can publish the two legs of one inter-regional transfer as unrelated transactions.
The identifier should be opaque. It should not encode a holder name, resource range, country, outcome, risk class or submission date. Encoding those facts makes the identifier fragile when a classification changes and can expose protected information. A practical form combines a registered institution namespace with a collision-resistant local value. The public value remains stable; the responsible institution preserves the protected mapping to its internal case identifier.
Stability does not mean that every related action shares one ID. The model needs explicit relationships. A review event has its own ID and a reviews_event_id link to the challenged decision. A correction has its own ID and a corrects_event_id link. A reversal links to both the review and original decision where applicable. An inter-regional transaction can have a jointly derived correlation ID while each RIR retains its own local decision event. The relationship type carries meaning that string similarity cannot.
IDs must never be recycled. A withdrawn request, rejected application or event created in error still occupies its identifier. If the institution determines that two IDs represented one matter, it publishes a merge relationship and retains both histories. If one matter is divided into separately decidable parts, it publishes split relationships. Silent deletion would make later denominators impossible to reproduce.
The independent schema body should maintain institution namespaces and identifier syntax, but it should not issue operational event IDs. Each RIR assigns its own IDs under the shared syntax and remains accountable for uniqueness. For a cross-RIR correlation, participating registries generate or agree the shared value through a documented protocol. Neither an advocacy group nor the standards secretariat becomes a transaction registrar.
Event state is a sequence, not a status label
A single current status hides the path that produced it. “Completed” might mean that staff approved a request, that an authoritative record changed, that the holder was notified or that all dependent technical surfaces reconciled. The schema should represent an ordered sequence of state transitions while retaining a compact current state for ordinary use.
The shared lifecycle begins with received. It can move to acknowledged, awaiting_completeness, complete_for_review, under_substantive_review, decision_recorded, implementation_pending, implemented, notified and closed. Class profiles can declare states inapplicable, but they cannot silently omit them. A rejected request still has a decision and notice state. A withdrawn request records who withdrew it and at what stage. A transfer that was approved but not implemented remains visibly incomplete.
Transitions need reason classes. A case can wait for applicant evidence, counterparty confirmation, another registry, a court, sanctions analysis, security recovery or internal action. The reason class does not assign blame automatically. It identifies the dependency so gross elapsed time and institution-controlled time can both be calculated. Each pause has a start, end, initiator role and policy basis; an open pause cannot disappear at year end.
The state machine should reject impossible transitions unless an exception record explains them. An event cannot be implemented before a decision. A final review cannot precede its filing. Closure before notice requires a class-specific reason. Reopening creates a transition from closed to reopened with an actor role and basis, not a new event masquerading as an unrelated case. Validation rules catch these errors before publication.
Current state remains useful, but it is derived. The authoritative sequence is the append-only set of transitions and corrections. A release can publish the latest state for convenient querying while preserving the earlier transitions needed to calculate duration, reopening and reversal. That distinction is essential when a dashboard and an audit must reproduce the same result.
Time needs several clocks and one precision rule
Decision comparison is impossible if institutions start and stop the clock differently. The common envelope should require received_at, recorded_at and last_revised_at. Decision profiles then add complete_at, substantive_review_started_at, decision_at, notification_at, implementation_at and closure_at as applicable. Review profiles add review_filed_at, review_accepted_at, interim_relief_at, review_decision_at and remedy_implemented_at.
These timestamps answer different questions. Receipt measures when the institution obtained the matter through a recognized channel. Recording measures when the event entered the case system. Completeness measures when required material was present under the policy then in force. Decision measures when the authorized decision-maker fixed the outcome. Implementation measures when the authoritative system changed. Notification measures when the affected party was sent the result. Closure is administrative and should never substitute for implementation.
Every timestamp should use UTC with an explicit precision. If an old record supports only a date, the value must be tagged as day precision rather than converted to midnight and treated as exact. Estimated times require an estimation method. A missing value remains missing with a reason code; it is not set equal to the nearest available milestone. These rules prevent false precision in historical restatement.
The schema also distinguishes event time from publication time. A decision made on Monday and first published on Friday has two facts worth preserving. A later correction does not change the original decision timestamp; it creates a correction event and a new publication revision. Analysts can then measure decision latency, implementation latency, notice latency and disclosure latency without conflating them.
Calendar and business durations should both be derivable, but the release should privilege gross calendar time as the universal base. Business calendars differ by region and year. Each institution can publish its calendar identifier, holidays and service-hour assumptions so a governed transformation produces local business time. Publishing only business days would hide differences in weekend, holiday and emergency handling.
Actor fields should record roles, not biographies
The decisive accountability question is rarely the natural person's public identity. It is whether an authorized role acted, whether duties were separated and whether the authority existed at the time. The schema should therefore model actor roles independently from names.
The common role vocabulary includes requester, affected holder, intake officer, evidence verifier, substantive reviewer, recommender, decision-maker, implementer, notifier, independent reviewer, external authority and audit observer. A profile can add a role only through a versioned extension. It cannot use a free-text title to conceal that one person performed several supposedly independent functions.
An actor-role record needs an event ID, role code, institutional unit, authority-source reference, delegation status, start and end time, and a protected actor key. The public release normally exposes the role code, institution and whether separation requirements were met. The protected layer retains the natural person or service identity, credential evidence and delegation chain for an authorized auditor or review body.
Role and authority are not interchangeable. A field labelled decision_maker records who performed the decision function; a separate field identifies the policy, delegation or legal authority used. A board member does not possess authority over every case merely because of office. An automated service can implement an approved action but cannot be described as the substantive decision-maker unless the institution's policy actually assigns that function and the schema records the human accountability route.
Conflicts should be structured. The event can state whether a conflict check was required, performed, disclosed and resolved, together with the resolution class. It need not publish a person's private interests. A later audit can test the protected evidence. This approach supports comparison of controls without converting the public release into a personnel database.
Policy provenance belongs inside the event
A decision cannot be interpreted without the rule in force when it was made. Linking only to a current policy page is inadequate because pages change and URLs can remain constant. Each event should carry a policy instrument identifier, version, effective date and immutable digest or archival reference. The profile also records the procedure version and reason-code vocabulary version.
The authority reference should be specific enough to distinguish policy from implementation guidance. A transfer approval may cite the transfer policy and a staff procedure. An adverse action may cite a contract term, policy rule or external legal order. A governance decision may cite bylaws, a consultation procedure and the recorded decision. The schema does not decide whether those authorities were lawful; it preserves what the institution relied upon so review can test the claim.
Reason codes must be stable and bounded. “Administrative” or “other” cannot become a universal container. A rejection may concern eligibility, evidence, authority, policy incompatibility, unresolved dispute, sanctions restriction or withdrawal. A review outcome may uphold, vary, reverse, remit, dismiss for standing, dismiss as late or end by withdrawal. Free text can remain in the protected record, while the public code supports aggregate comparison.
When a policy changes during a pending case, the event should identify the transition rule. Did the old policy continue, did the new policy apply, or did the institution make a case-specific determination? That fact is analytically important because a backlog processed under changing rules can otherwise appear as a change in performance or outcomes.
Review must be linked to the decision and the remedy
Appeal statistics are weak when they cannot be joined to the underlying decision. The event schema should make review a first-class linked event. It records the challenged event ID, review route, standing class, filing time, acceptance or rejection for review, interim protection, reviewing role, outcome, reasons, remedy and implementation.
This separation prevents several distortions. A complaint is not automatically an accepted review. A review decision is not a remedy until the registry implements it. A remitted case returns to a decision stage and should remain linked. A court order may be an external-authority event that causes a registry implementation event; the schema should not represent the registry as the court or the court as the registry.
The public record can publish reason and outcome classes without exposing legal submissions. It can show that a transfer decision was reversed because the original authority test failed, or that a review was dismissed for lack of standing, while the protected layer retains the documents. Where even the reason class would identify a person in a small cohort, publication can be delayed or aggregated, but the confidential conformance check still includes it.
Interim relief deserves a timestamp and scope. A review may be formally available yet practically useless if an irreversible change occurs first. The schema records whether relief was requested, who decided it, what action was stayed, when the protection began and when it ended. It does not prescribe that every review receive relief; it makes the institution's rule and action visible.
Remedies should use a controlled vocabulary: correct record, restore access, repeat decision, lift hold, reissue credential, publish correction, refund fee, notify dependent service, preserve evidence or no further action. A remedy can contain several components, each with a due date and implementation status. Closing the review before those components are complete should remain detectable.
Correction should append, not overwrite
An event schema will contain mistakes. A source system may export the wrong timestamp, a reason can be miscoded, a protected/public classification can fail or an institution can later learn that two events were linked. Trust depends on correction without historical erasure.
Each public release should be immutable. A corrected event appears in a later release with the same event ID, a higher event revision, a correction reason, changed-field list, responsible role, correction time and link to the prior revision. The previous release remains available. Consumers can choose the latest valid revision while audits can reproduce what was known earlier.
Corrections to schema representation are distinct from corrections to the underlying institutional decision. If a decision occurred on a date but the export used the wrong date, an event revision repairs the data. If the institution changes the decision after review, a linked reversal or replacement decision event records the institutional act. Treating the latter as a data correction would erase accountability.
Deletion must be exceptional. A public field accidentally containing protected personal data may need prompt removal from the active file, but the release catalogue should preserve a tombstone that identifies the affected event and reason without reproducing the data. Protected evidence of the incident remains available to authorized investigators. Ordinary embarrassment, reclassification or an improved outcome is not a deletion reason.
Public and protected fields form two coordinated layers
The schema needs a public profile and a protected evidence profile. The public profile supports comparison: opaque event ID, institution, class, lifecycle states, role categories, policy references, timestamps, outcome, review links, correction history, publication revision and limitations. The protected profile supports verification: internal case mapping, identities, evidence references, legal material, security detail, exact resources where publication would expose a party, and auditor annotations.
The two layers should share identifiers and integrity checks. An auditor must be able to confirm that every eligible protected event has a public representation or a valid suppression reason. Public aggregates must reconcile to protected counts. A public row can carry a commitment to protected evidence without using a predictable hash of personal data. Cryptographic design should be independently reviewed rather than improvised by each institution.
Privacy rules belong in the schema, not in an undocumented release script. Every field should have a classification, purpose, permitted audience, retention class, aggregation rule and review date. Event profiles should specify minimum cell sizes and linkage risks. An event ID that is harmless in one table can become identifying when joined to a rare court action or a small regional cohort.
Stable IDs therefore do not require unlimited public joinability. The protected layer retains the canonical event ID. Public releases can use scoped pseudonyms for particularly sensitive profiles, with a protected crosswalk audited for completeness. A review link needed for accountability can remain public where safe; a link across sanctions, dispute and identity domains may require controlled access. The publication rule should be explicit and versioned.
Independent audit is essential because the public cannot verify omitted events by inspecting public rows alone. Auditors need access to eligibility rules, source systems, suppression logs and the protected crosswalk. Their assurance statement should identify the period, event classes, tests, exclusions and unresolved discrepancies. It should not claim that every underlying decision was substantively correct merely because the export reconciled.
Schema versions must travel with every event
A schema that changes without version discipline will manufacture trends. A field can be renamed, a state divided into two, an eligibility rule narrowed or a reason code retired. If old and new events are combined without preserving the change, apparent improvement may be nothing more than a new definition.
Every event should carry at least four versions: schema envelope version, class-profile version, vocabulary version and source-policy version. The release catalogue carries the publication format version. These values are not redundant. A profile can add a transfer-specific field without changing the common envelope; a vocabulary can clarify a reason code without restructuring the record; a policy can change while the technical schema remains stable.
Major versions change meaning or compatibility. Minor versions add backward-compatible optional capability. Patch versions correct specification errors without changing intended semantics. The independent standards body should publish a change classification with every release and provide examples of how old records behave. Institutions should not choose a lower version label simply to avoid migration duties.
Deprecation needs a schedule. A field first becomes discouraged with a replacement and mapping rule. It remains valid for a defined period. Removal occurs only in a major version. Consumers receive machine-readable notices, while historical records continue to identify the version that governed them. A later parser should never guess that an old field means the same thing as a new one.
Extensions are necessary because regional procedures differ. An extension uses a registered namespace, states its purpose and declares whether it affects eligibility, state or outcome. The core conformance report lists extensions used. A regional extension cannot redefine a core field while retaining its name. If a difference is important enough to change the core meaning, it belongs in the standards change process.
Migration is a governed transformation
Historical comparison requires restating old events into newer versions, but migration can invent precision the source never contained. A governed transformation must preserve the source event, transformation code, mapping version, execution time, operator and validation result. It creates a derived representation; it does not rewrite the original evidence.
Every mapped field needs a provenance class. Direct means the source contained the same proposition. Derived means a deterministic rule calculated it. Inferred means evidence supported a bounded conclusion but not the exact field. Unknown means the historical record did not support the value. Inapplicable means the event class did not require it. These classes prevent a blank from becoming zero and an approximate date from becoming an exact timestamp.
Major migrations should publish a concordance table. It identifies fields preserved, renamed, split, combined, retired and newly unavailable. A representative set of historical events becomes a public test corpus with synthetic or safely redacted data. Independent implementers run the transformation and compare results before the version is accepted.
Parallel restatement is necessary when a semantic change affects trends. For at least one transition period, institutions should publish results under both old and new versions where source data permits. The difference quantifies the effect of the definition change. If restatement is impossible, the release marks the break rather than drawing a continuous line.
Migration also applies when an RIR changes case systems. The stable event ID and lifecycle history must survive. Source-system identifiers can change, but the protected mapping records the transition. Counts before and after the migration should reconcile, including withdrawn, reopened and suppressed events. A successful database copy is not enough if decision relationships or timestamps lose meaning.
Inter-regional events need correlation without central custody
An inter-regional transfer illustrates why event relationships matter. Two RIRs can make distinct decisions under different policies, yet the transaction has a shared resource scope and cannot be globally complete while their authoritative states disagree. A common schema should represent both local autonomy and the linked outcome.
Each RIR publishes its own event ID, policy provenance, lifecycle, actor roles and outcome. The pair also carries a correlation ID, a resource-set digest or safe size band, and agreed hand-off milestones. One institution may reach local approval before the other. The schema preserves that difference instead of collapsing it into one centralized decision.
The correlation protocol should define who generates the shared value, how both parties confirm it and how a mistaken link is corrected. It should not require a third party to hold the underlying transaction file. The independent standards body maintains the protocol and test vectors. The participating RIRs remain custodians of the operational records and are the only bodies that implement their respective decisions.
IANA-facing numbering requests can use the same principle. IANA's published performance discipline shows defined acknowledgement, response and implementation stages at a particular institutional boundary. A linked RIR event can refer to the IANA request without claiming that every holder-facing RIR decision shares the same policy or service target.
Correlation is also useful for review and correction across institutions. If one RIR changes its leg after a review, the partner can publish a linked reconciliation event. The record shows which institution acted, under which authority and when the shared state became consistent. It does not invent a global tribunal.
The standards body should govern semantics, not outcomes
No single RIR should control the comparison vocabulary for its peers. Nor should an advocacy group, auditor, vendor or research institution become the hidden regulator by owning the schema. Stewardship should sit with an independent multi-party standards body whose mandate is confined to semantics, interoperability, privacy rules and conformance methods.
Its governing constituencies should include all five RIR communities, IANA numbering services, network operators, resource holders, independent technical researchers, privacy specialists and auditors. Participation needs published affiliations and conflicts. No constituency should be able to weaken a denominator, remove a state or redefine an outcome solely to improve its own apparent performance.
The body should publish proposals, issue histories, meeting records, draft text, implementation reports and recorded dispositions. Major changes require a public comment period, impact analysis, privacy review, migration plan and at least two independent implementations. Emergency security corrections can use an expedited process but expire unless ratified through the ordinary route.
A technical secretariat can maintain specifications, namespace registries, examples and validation tools. It cannot assign operational event IDs, inspect protected RIR cases as a matter of routine, decide whether an applicant should receive resources, overturn a registry decision or certify a policy as legitimate. Independent auditors perform institution-specific assurance under published criteria; the standards body maintains the criteria and recognizes reports that meet the format, not the substantive decision.
Funding should be diversified and disclosed. A schema maintained entirely by the institutions being compared risks defensive definitions. A body funded by one major commercial user risks fields optimized for that user's market. Fixed contributions, capped shares, public budgets and conflict rules can reduce capture. Technical participation should remain possible for smaller operators and affected members without expensive travel or membership fees.
Conformance must be testable in layers
Conformance should not be a single badge. An institution can implement the record syntax while omitting eligible events, or publish complete events while misclassifying protected data. The standard should define separate layers and require reports to state which were tested.
Syntactic conformance asks whether files parse, required fields appear, identifiers have valid form, timestamps include precision and enumerated values use the declared vocabulary. Lifecycle conformance tests allowed state transitions and relationship integrity. Semantic conformance samples source cases to determine whether fields represent the defined propositions. Coverage conformance reconciles eligible source events to emitted public or validly suppressed records. Privacy conformance tests classification, aggregation, linkage and access controls.
The standards body should publish machine-readable schemas, invalid examples, edge cases and test vectors. Examples should cover withdrawal before completeness, approval awaiting implementation, review with interim relief, correction after publication, cross-RIR correlation, historical day-precision timestamps, suppressed small cohorts and policy change during a pending case. Passing easy examples alone would prove little.
An auditor's conformance report should identify versions, event classes, period, sample design, source systems, coverage reconciliation, exceptions and remediation dates. A failure in one layer should not be hidden by success in another. “Schema-valid” is not shorthand for complete, accurate, private or fair.
Certification language also needs restraint. The independent assurance provider can state that a release conformed to specified tests for a period. It does not certify that the RIR made correct policy choices or that every decision was lawful. The standards body should publish the report and conformance status but should not become an appeals body for individual cases.
The schema should frustrate predictable gaming
Once event measures become public, institutions will respond. A completeness clock can encourage staff to delay declaring a file complete. A decision target can encourage premature rejection. A low reversal rate can encourage barriers to review. A closure count can encourage administrative closure before implementation. The schema should expose these substitutions.
Receipt remains fixed even if completeness comes later. Requests for additional material form timestamped transitions with reason classes. Rejection, withdrawal, abandonment and implementation are separate outcomes. Reopened cases remain linked. Gross time is always derivable even when institution-controlled time excludes justified pauses. These rules make it harder to move delay outside the measured interval.
Outcome cohorts should follow events after the decision. A transfer approved in one year but implemented in the next remains linked across releases. A corrected registration appears in the cohort that received the original decision as well as the correction period. Review rates use eligible decisions as a denominator and disclose accepted, rejected and withdrawn reviews. The event record supports these calculations without baking one preferred dashboard into the standard.
Reason codes should be monitored for drift. A sudden rise in “other,” “applicant delay” or “outside scope” may reflect a real change or classification gaming. The conformance report can sample the protected evidence and publish whether coding remained consistent. It should not expose parties or second-guess every judgment.
The schema body should evaluate measures every three years. Fields that do not support decisions, cannot be implemented proportionately or create unnecessary privacy risk should be revised or retired through a versioned process. New fields require a defined use and migration plan. The objective is not maximum collection; it is durable comparability at the point where institutional power acts.
A minimal release can stay narrow
The event standard does not need a giant public portal. Each institution can publish a small set of versioned files under stable URLs. The first file is an event envelope table. The second contains lifecycle transitions. The third contains event relationships. The fourth contains public actor-role records. The fifth is a release catalogue with schema versions, digests, coverage, suppression counts, corrections and conformance reports.
Human-readable summaries should be generated from those files, not maintained as separate numbers. A transfer dashboard can calculate decision and implementation distributions. A review page can show outcomes and remedy completion. An annual report can cite the same derived totals. When a correction arrives, the catalogue identifies which releases and summaries changed.
The minimum public fields are event ID, institution namespace, event class, current state, policy version, received time and precision, decision time, implementation time where applicable, outcome class, public actor roles, review link, correction revision, schema versions and publication metadata. Optional class profiles add only the fields needed to interpret that type of decision.
Aggregate tables remain useful for privacy and communication. They should name the exact event query, schema version, period and inclusion rules used. A published percentage should be reproducible from a public file where privacy permits or from an auditor-verified protected query where it does not. The aggregate is a view over the event record, not a competing source of truth.
Open licensing and durable archives matter. Researchers should be able to retrieve the release that was available when a board or community made a claim. Revised files should not overwrite earlier ones. File digests, signed catalogues and independent mirrors can support integrity without transferring operational registry authority to the mirror.
Number Resource Society has an advocacy role only
Number Resource Society can make a constructive contribution by arguing that holders deserve comparable decision records, publishing source-linked research on where definitions diverge, convening members and technical experts, and submitting schema proposals through the independent standards process. With a member's explicit authority, it can help that member explain how a decision record or review link failed to represent the process experienced.
NRS should not maintain the namespace registry, assign RIR event IDs, receive protected case exports, operate the correlation service, certify conformance, adjudicate schema disputes or decide whether an RIR outcome was correct. Those functions belong to the independent standards body, responsible registries, appointed auditors and recognized review institutions according to their distinct mandates.
Its comparative research should distinguish a missing public field from a failed institutional duty. A registry may protect a field for a valid privacy reason while still passing confidential coverage tests. Another may publish a field under a different legacy definition. NRS can document the gap, ask for evidence and advocate a change; it cannot convert its preferred interpretation into an authoritative registry record.
NRS can also model good practice in its own domain by versioning its policy submissions, membership decisions and corrections, while labelling them as advocacy or membership records. An NRS membership assertion is not evidence that NRS allocated, registered, transferred or certified a number resource. This boundary should appear in every public comparison that names NRS.
The positive role is persistent scrutiny. Advocacy groups can notice when a denominator changes quietly, when a review link disappears or when an implementation timestamp is replaced by administrative closure. They can make those questions legible to members. They do not need operational authority to improve the quality of public reasoning.
Adoption should begin with two event classes
A practical rollout should start with transfer decisions and registration corrections. They exercise consequential authority, have visible technical outcomes and expose the need for receipt, decision, implementation, review and correction links. They also reveal inter-regional correlation and privacy problems without requiring the schema to cover every governance process at once.
In the first phase, participating institutions map their internal states to a draft common lifecycle and publish synthetic test records. The standards body resolves semantic conflicts, not performance differences. An institution may have more local stages; it must identify which stage satisfies each common proposition and preserve the local detail as an extension.
The second phase uses a bounded historical cohort. Each institution restates a defined period with provenance classes for every field, publishes unknowns and runs coverage reconciliation under independent observation. The exercise should report mapping failures and inconsistent references rather than filling them with assumptions.
The third phase publishes current events on a fixed cadence, links reviews and corrections, and runs privacy and conformance audits. Cross-RIR transfer pairs test correlation. Public users reproduce a small set of agreed queries, such as gross receipt-to-implementation distributions and review-remedy completion, to confirm that the common semantics work.
Only after those classes stabilize should the standard add adverse account actions, membership decisions, RPKI registry actions or governance decisions. Each addition requires its own profile, threat model, public/protected boundary and test corpus. Expansion by checklist would recreate the unfocused evidence pack this design is intended to avoid.
The schema can compare process without ranking policy
Comparable events do not imply identical policy. One RIR may require additional evidence for a transfer class. Another may have different membership standing rules. Legal restrictions, language, market conditions and service design vary. The schema records those differences through policy provenance, class and reason fields rather than declaring them invalid.
A researcher can compare gross and stage-specific timing for similar event classes, examine how often decisions proceed to review, identify which remedies remain unimplemented and test whether definition changes explain a trend. A community can examine its own history before and after a policy change. An auditor can reconstruct whether eligible events reached the release. These are defensible uses.
A composite league table would be harder to justify. Faster is not always fairer if evidence review differs. More reversals can reflect accessible review rather than poor first decisions. More corrections can reflect stronger detection. The schema supplies facts and limitations; it does not choose a political weighting. Any later score should disclose its query, cohorts, assumptions and sensitivity rather than borrowing authority from the standard.
The event schema also cannot prove legal ownership, beneficial control, operational use or network safety. It records what a recognized institution decided and how the process moved. A valid event row can still represent a disputed or unlawful decision. Review, courts, policy processes and technical observation remain necessary.
That limit is a strength. A narrow schema can achieve precise semantics because it does not promise universal truth. It makes institutional acts traceable and comparable while leaving substantive authority where it belongs.
Known evidence gaps should remain visible
Public reports do not currently reveal the complete event structures, internal role bindings, protected evidence mappings or historical timestamps of every RIR. This article therefore does not claim that a common mapping can be completed without loss, nor that any named institution currently lacks adequate internal controls. Annual reports and public governance documents show outputs, not every case-system field.
Historical records may support only coarse dates, changing case identifiers or incomplete review links. Some event classes may be too rare for public release without identification risk. Policies may have changed without archived machine-readable versions. These are reasons to publish provenance, precision and suppression status, not to manufacture complete records.
The revised draft RIR Governance Document, the NRO RIR Governance Matrix and the Joint RIR Stability Fund provide institutional context for accountability and continuity. They do not define the event schema proposed here. The RIPE NCC Quarterly Sanctions Transparency Report for Q2 2026 demonstrates that consequential restrictions can be reported in aggregate with attention to privacy, but it does not establish one global event vocabulary.
Implementation cost is also uncertain. RIRs differ in source systems, legal obligations and historical data quality. A pilot should publish staff effort, mapping exceptions, privacy findings and audit cost. The standards body should use that evidence to keep the core proportionate rather than lowering semantic integrity to claim rapid adoption.
A decision should remain traceable after the dashboard changes
The durable question is simple: can a later reader reconstruct what the institution received, which rule applied, which role decided, when the authoritative effect occurred, whether review changed the outcome and which schema meaning governed the published record? Today, annual narratives and dashboards often answer only fragments.
A versioned event schema would not replace those publications. It would give them a reproducible foundation. Stable IDs preserve identity. Lifecycle transitions preserve sequence. Role fields preserve institutional responsibility without unnecessary biography. Policy references preserve authority claims. Review and correction links preserve remedy. Public and protected profiles preserve both scrutiny and confidentiality. Versioned migrations preserve meaning over time.
The governance of the schema matters as much as its field list. An independent multi-party body should maintain definitions, migrations and tests while remaining outside operational decisions. RIRs should retain their records and authority. Auditors should test coverage and semantics. Researchers and advocacy groups should interrogate the evidence. Holders should be able to recognize the path of a decision that affected them.
The result is intentionally less ambitious than a universal registry-governance evidence pack. It does not collect every KPI, rank every institution or centralize protected records. It standardizes the narrow seam where comparison repeatedly breaks: the institutional event itself.
By 2030, a consequential RIR decision should not dissolve into an annual total after the case closes. It should remain a versioned, bounded and reviewable event whose meaning survives a new dashboard, a new case system and a new generation of institutional claims.
Sources
- RIPE NCC Annual Report 2025 - current examples of resource, transfer, registry-check, service, assurance, finance and membership reporting; used to identify the gap between substantial institutional disclosure and a shared event representation.
- ARIN Annual Report 2025 - current corporate, election, policy, board and operational reporting; used as evidence of institution-specific disclosure rather than a common event schema.
- APNIC annual reports and auditor reports - examples of operational reporting paired with independent financial assurance, without implying that financial audit validates decision-event semantics.
- ICANN FY25 Annual Report - examples of governance, transparency, performance and financial reporting at the wider coordination layer.
- IANA Number Resource Performance Reports - examples of named service stages, targets, request counts and implementation measures at the IANA-RIR boundary.
- NRO RIR Governance Matrix - map of existing institutional documents and accountability arrangements; it does not supply the proposed event schema.
- Draft RIR Governance Document, version 2 - current public framework for operation, accountability, emergency continuity and transfer of services; cited for institutional context, not as an event-data specification.
- Joint RIR Stability Fund - a published continuity mechanism among the RIRs; cited to distinguish institutional stability arrangements from the narrower semantics and migration rules of a decision-event standard.
- RIPE NCC Quarterly Sanctions Transparency Report, Q2 2026 - a current example of aggregate reporting on consequential restrictions that explicitly addresses confidentiality and privacy.
- Number Resource Society FAQ - NRS's description of itself as a global non-profit membership organisation that campaigns, supports businesses, raises policy awareness and helps members participate and voice their interests.
- Number Resource Society Charter - NRS's published advocacy position on number-resource registration, accountability, free enterprise and the institutional limits it argues should bind registry bodies; cited as advocacy doctrine, not as an operational registry standard.

