A route-origin attestation is supposed to be the sort of thing a board never has to discuss. It is a small cryptographic statement, published by or for a network resource holder, that tells the rest of the routing system which autonomous system is authorised to originate a particular IP prefix. Engineers know it as a ROA, part of the Resource Public Key Infrastructure. Executives usually meet it only after something goes wrong: a customer asks why a route is being filtered, a transit provider wants proof of authority, an insurer asks how route-hijack risk is controlled, an acquisition lawyer asks whether the target's address space can keep working after closing, or a lender asks whether revenue tied to an IPv4 portfolio rests on a certificate chain controlled by an institution in distress.
That is when RPKI stops looking like network-security plumbing and starts looking like institutional credit. A ROA is not merely a line in a technical system. It is a claim that the registry's authority over a block can be trusted enough for routers, counterparties and customers to act on it. The relying party may never speak to the registry. It may only see that a route is valid, invalid or not found under a chain of certificates. Yet behind that terse validation state is a layered social bargain: the registry accurately knows who holds the resource; the holder or its authorised operator controls the right account; the relevant keys and publication systems are intact; revocation is lawful and reviewable; and institutional continuity is strong enough that a court fight, receivership, board collapse or record defect will not quietly change the operating assumptions of a network.
AFRINIC is the sharpest current test of that bargain. The African Network Information Centre is the regional internet registry for Africa and parts of the Indian Ocean. It is a Mauritian nonprofit, member-based organisation that distributes and records IPv4 addresses, IPv6 prefixes and autonomous system numbers, while offering services such as WHOIS, RDAP, reverse DNS, an internet routing registry and a Resource Certification Program for RPKI. In ordinary times that catalogue sounds like a set of registry functions. In stressed times it is a list of dependencies. The same member account that requests a record update may also be the path through which certification material is created. The same registry fact that identifies a holder may determine who can publish a ROA. The same board that authorises litigation, budgets and senior management may influence whether staff, systems and member services remain steady enough for routing-security publication to be trusted.
The risk is not that AFRINIC can switch off the African internet by issuing one dramatic command. RPKI is more subtle than that, and operational networks have many layers of resilience. The risk is that RPKI turns registry legitimacy into a machine-readable routing dependency. When operators configure routers to reject invalid origins, they are not only trusting cryptography. They are trusting the institution that anchors the cryptographic chain. That institution must be boring in a specific way: accurate in its records, restrained in enforcement, solvent enough to operate, legitimate enough to make decisions, disciplined enough not to use security services as leverage, and continuous enough that courts or receivers can preserve the function without turning route-origin publication into another battlefield.
AFRINIC's recent history makes that dependency legible. Public reporting has described earlier address-record corruption allegations involving valuable African IPv4 space. The dispute with Cloud Innovation turned resource review, regional-use interpretation and commercial IPv4 activity into litigation. The Internet Governance Project reported that in July 2021 a Mauritius court order provisionally froze up to US$50m in AFRINIC bank accounts, a remedy that threatened ordinary operations. The Number Resource Organization later described a 2023 court order appointing a receiver whose role included preserving the status quo, overseeing elections and restoring functional governance. The Register followed the subsequent election crisis: a registry without a normal board or chief executive, warnings about credentials, ICANN concerns, voting delays, allegations involving powers of attorney, annulment of a June 2025 election, later board restoration and litigation continuing into 2026. Those episodes do not prove every claim made by either side. They do prove that the registry's institutional layer became a live risk surface.
RPKI is the part of that surface that deserves special attention because it compresses the institutional question into a cryptographic output. A public registry record can be checked by a person. A reverse-DNS delegation can fail noisily. WHOIS or RDAP data can look stale and still be interpreted cautiously. RPKI is built for automation. It invites operators to let validators turn registry-backed assertions into routing decisions. That is its security value. It is also its governance risk. When the registry is trusted, automation reduces hijacking and mistake costs. When the registry's legitimacy is contested, automation can transmit institutional failure faster and more quietly than older manual reliance did.
Route-origin validation remains technically useful, and AFRINIC should not retreat from it. The question is what institutional economics RPKI reveals. It shows that the registry is no longer just a clerical recordkeeper whose entries can be inspected after the fact. It is a delegated trust layer whose certificates may affect the treatment of live routes. In a region where IPv4 scarcity has turned address blocks into valuable commercial inputs, where leasing and transfers make holder/operator separation common, and where governance, courts, receivership, account control and record accuracy have all been stressed, that trust layer becomes a market and operational risk in its own right.
The certificate behind the route
RPKI is often explained as a technical answer to a routing-security problem. Border Gateway Protocol lets networks announce reachability to IP prefixes, but it was not originally built to prove that the announcing autonomous system is authorised by the recognised resource holder. Mistakes, leaks and hijacks can therefore spread because routers see a path, not a legal or administrative proof of origin authority. RPKI adds a resource-certification hierarchy. At the top are trust anchors associated with the regional registries. Beneath them are certificates covering resources. A route-origin authorisation says, in effect, that a specified autonomous system may originate a specified prefix, usually within a maximum prefix length. Validators fetch repository material, check certificate chains and produce the states on which route filters can act.
The mechanics matter because they reveal the economic dependence. The route-origin statement is cryptographic, but the authority behind it is institutional. A validator does not know by itself whether a company in Lagos, Mauritius, Johannesburg, Nairobi, Dubai or Hong Kong has the better contractual claim to a block. It knows whether a published object chains back to a recognised trust anchor and fits the data made available through that system. The certificate does not eliminate the need for a registry. It makes the registry's recognition harder, more portable and more automatable.
In a hosted RPKI model, the registry or its systems may create and publish certification material after the member uses a portal or account to express the desired authorisation. In a delegated model, a member can run more of its own certification operation, but the chain still begins from the registry's trust anchor and resource certificate relationship. Either way, the registry's role is not incidental. It is the institutional root that lets relying parties treat a cryptographic object as meaningful. If the registry's resource records are wrong, if account control is compromised, if a member's authority is disputed, if a certificate is revoked without clear process, or if publication is interrupted, the routing-security layer inherits the problem.
This is different from ordinary cybersecurity. A firewall, key store or router can be audited as an asset under the operator's control. RPKI is partly under the operator's control and partly under a regional trust arrangement. The operator can choose whether to create a ROA, maintain its route set, secure its accounts and monitor invalids. It cannot by itself determine whether the regional registry remains legitimate, solvent, able to publish, careful in revocation or insulated from litigation. A certificate chain is therefore a hybrid good: part software, part registry law, part member relationship, part market confidence.
That hybrid character is easy to miss when RPKI works. A valid route-origin state looks clean. A network engineer sees that the prefix is covered, the origin autonomous system matches and the validator is happy. A transit provider can raise the preference of valid routes or filter invalids. A customer can ask for a routing-security posture as part of procurement. A board may accept a short assurance that the company has "implemented RPKI". But that phrase hides the institution behind the implementation. It says nothing about who can alter the ROA tomorrow, what happens if the holder loses portal access, whether a lessee can obtain the right authorisation from a lessor, how a disputed transfer is handled, whether a court order restrains changes, or whether a receiver can keep certification services neutral.
The economic analogy is a letter of credit rather than a padlock. The cryptography checks that the letter is authentic. The market still asks whether the bank stands behind it. If the bank is well governed, capitalised and lawfully supervised, the letter is trusted. If the bank is in receivership, fighting over signatories and subject to freezing orders, the same technical form carries a different risk. In RPKI, the registry is not a bank, but it performs a related trust function for route-origin reliance. The market cares less about institutional slogans than about whether the claim will survive stress.
That is why AFRINIC's RPKI story cannot be separated from its governance story. AFRINIC's public service material places RPKI alongside resource management, reverse DNS, WHOIS, RDAP and IRR. That is accurate, but it understates RPKI's special character. WHOIS and RDAP publish information. Reverse DNS delegates a naming function. IRR objects guide routing policy, often with caution because data quality varies. RPKI asks routers to rely on cryptographic resource authority. The more networks treat invalids as routes to reject, the more RPKI turns institutional recognition into operational outcome.
The consequence is a new kind of diligence. A company buying or leasing IPv4 space in the AFRINIC region does not only ask whether the block is routed, contacts are current, abuse reputation is clean and reverse DNS can be delegated. It asks who can publish ROAs, whether ROAs can be transferred or reissued quickly, whether customer routes could become invalid if a registry dispute arises, and whether the registry's own continuity could affect publication. For a network operator, those questions are technical. For a finance director, they are revenue-protection questions. For a lawyer, they are authority and liability questions. For a board, they are enterprise risk.
RPKI thus forces a change in vocabulary. The important issue is not simply "security adoption". It is delegated institutional trust. A routing-security system cannot be judged only by how many prefixes have ROAs or how many networks filter invalids. It must also be judged by the resilience and restraint of the authority that can issue, host, revoke, suspend, preserve or fail to publish the underlying material. AFRINIC is a case study because its crisis shows what happens when the trust anchor's corporate and legal environment is no longer invisible.
Why AFRINIC makes the hidden bargain visible
AFRINIC is not important to this question because it is uniquely incapable of running technical services. The public record suggests the opposite in one respect: staff kept many services operating through years of turmoil. AFRINIC is important because it exposes conditions that many registry systems prefer to keep abstract. It is a private, member-based corporation under domestic law. It performs a regional coordination function with cross-border effects. Its members cannot simply move their African resources to another regional registry if governance becomes uncomfortable. It administers scarce IPv4 resources whose market value can dwarf annual membership fees. It offers technical trust services that depend on the same recognition system that courts, members and litigants have contested.
That combination makes the institutional bargain unusually visible. In a stable registry, RPKI appears to be a standard service. In AFRINIC's case, the surrounding events make every assumption explicit. Who speaks for the registry when there is no normal board? Who controls budgets if bank accounts are restrained? Who supervises staff during receivership? Who verifies member authority when election credentials are disputed? Who decides whether a member's resource use breaches policy? Who preserves RPKI publication if litigation asks for orders affecting accounts, resources or corporate control? Who prevents a dispute over board seats from becoming a dispute over operational trust?
The answer cannot simply be "the community". That word does useful work in policy development, but RPKI requires accountable operational authority. A relying party in another country cannot inspect a mailing-list consensus before accepting or rejecting a route. It sees an object in a repository and a validation result. The system therefore relies on a narrower chain of institutional facts: the resource was allocated or assigned; the holder or authorised operator has authority; the account is secure; the certification material was published under proper control; and the registry remains capable of serving its function. Community language may explain how policies emerge. It does not by itself manage key control.
Nor can the answer simply be "courts". Courts are essential because AFRINIC is not sovereign and its members need remedies under law. The appointment of a receiver in Mauritius was a court-supervised continuity measure, not an internet outage. It showed that ordinary legal institutions can preserve a private corporation performing a public-like technical function. Yet courts are not routing operators and should not be asked to redesign RPKI under emergency pressure. A court can restrain corporate action, appoint a receiver, order clarification, hear winding-up arguments or decide contractual claims. It cannot be the day-to-day source of confidence that every ROA remains operationally neutral.
The economic issue is that RPKI collapses delay tolerance. A slow court process may be survivable for a damages claim. A slow member dispute may be survivable for an election. A slow transfer may be costly but negotiable. A route-origin publication problem can become visible in minutes or hours if it changes validation state and networks enforce it. Even if no dramatic invalidation occurs, the possibility changes behaviour. Customers ask providers for assurances. Lessors build clauses around ROA maintenance. Buyers demand delivery conditions. Transit providers ask for route hygiene. Cloud services monitor invalid states. The registry's institutional condition therefore becomes part of the service-level discussion.
AFRINIC's crisis also shows how RPKI can sit at the intersection of three disputes that are often kept separate: governance legitimacy, record accuracy and commercial use. Governance legitimacy asks whether the board, receiver, staff and corporate processes are entitled to act. Record accuracy asks whether the registry knows the true holder and authorised contacts. Commercial-use disputes ask whether a holder's leasing, transfers or out-of-region customers are consistent with policy and agreements. RPKI needs all three to be stable. If legitimacy is contested, publication authority is questioned. If data is wrong, the wrong actor may create or withhold a ROA. If commercial use is disputed, the registry may be tempted to treat certification as a control point rather than a neutral security service.
That temptation is the most important. RPKI should not become an enforcement weapon. A registry must be able to correct fraud, suspend compromised accounts, comply with lawful orders and prevent false certification. But if it can use route-origin publication as leverage in ordinary disputes about fees, policy interpretation, leasing, transfers or member politics, the trust layer becomes a gatekeeping layer. Operators then face a choice between adopting RPKI for security and limiting adoption to avoid dependence on a registry whose discretion they do not trust. That would be a perverse outcome: a security tool weakened by governance risk.
AFRINIC's particular facts give this problem force. The 2019 address-record allegations made ledger integrity a real concern. The Cloud Innovation dispute made commercial IPv4 use and policy interpretation economically explosive. The account freeze reported in 2021 made institutional solvency and operating cash visible. Receivership made court continuity visible. The 2025 election disputes made member authority and board legitimacy visible. Litigation continuing into 2026 made recovery incomplete. Each episode touches a precondition of trusted RPKI: accurate records, reliable accounts, solvent operation, lawful authority, legitimate supervision and stable publication.
The result is not an argument against RPKI. It is an argument for treating RPKI as critical trust infrastructure rather than a registry add-on. In AFRINIC's region, and eventually in every region, route-origin certification needs a continuity constitution of its own. It should be insulated from discretionary enforcement. It should have documented emergency authority. It should protect publication during corporate stress. It should distinguish account compromise from member dispute. It should give resource holders and relying parties clear notice of changes. It should be audited as a high-consequence service, not merely counted as an adoption metric.
AFRINIC makes the problem visible because its crisis compressed years of abstract governance debate into practical questions that networks can understand. If the route is valid because the registry's trust chain says so, what happens when the registry itself is in court?
Scarcity turns publication into leverage
RPKI governance risk is sharper in IPv4 than in IPv6 because scarcity gives every administrative control a price. IPv6 address space is abundant enough that the loss, delay or dispute around one allocation is serious but usually not a market-wide scarcity event. IPv4 is different. AFRINIC's own exhaustion material says the region entered Soft Landing Phase 1 in March 2017 and Phase 2 in January 2020. It describes IPv4 as scarce and explains that the region's allocation policy moved into constrained phases after global depletion. Later public reporting in 2026 cited an AFRINIC executive saying the registry still had 773,376 unallocated IPv4 addresses and expressing eagerness to reach zero so the conversation could move to IPv6. That aspiration does not remove the transition problem. It confirms it.
IPv4 remains the compatibility layer for much of the commercial internet. Enterprises, content platforms, hosting companies, consumer networks, public services, anti-abuse systems and legacy customer environments still rely on IPv4 reachability. IPv6 deployment matters and should continue, but IPv6 is not a simple asset substitute in current commercial reality. A business that needs customer-ready IPv4 cannot always replace it with a strategic speech about the future. It must buy, lease, transfer, clean, route and certify scarce numbers today.
Scarcity changes the meaning of a ROA. In an abundant system, a mistaken or delayed route-origin authorisation may be an operational defect. In a scarce system, it may impair an asset-backed revenue stream. A clean IPv4 block with stable registration, reverse DNS, abuse contacts and RPKI authority can support hosting customers, cloud capacity, enterprise connectivity, managed services, finance assumptions and lease income. A block whose ROA status depends on a disputed holder account, a contested transfer, unclear lessor authority or a registry enforcement file carries a discount. The same prefix length can have different economic quality depending on the trust around publication.
Transfers and leasing make this more complex. A holder may retain the registry relationship while a customer or lessee operates the route. A buyer may want a ROA to switch origin after closing. A broker may need to prove that the seller can deliver not only a private contract but registry-recognised route-origin authority. A lessee may need the lessor to publish a ROA for the lessee's autonomous system, or may need delegated control under clear terms. If the registry treats commercial delegation as suspicious by default, or if policy interpretation around out-of-region use is unsettled, the parties cannot treat RPKI as a neutral security layer. They must treat it as a possible chokepoint.
AFRINIC's conflict with Cloud Innovation sits at this intersection. Public analyses have described the dispute as involving millions of IPv4 numbers, allegations by AFRINIC that use breached service-agreement or policy expectations, and Cloud Innovation's position that AFRINIC was asserting improper control over a business using scarce address space. The exact legal merits belong to the courts and contracts. The economic lesson is visible without deciding them. When a registry can threaten a large holder's resource position, route-origin authority becomes part of the perceived remedy set even if the immediate dispute is framed around membership or allocation conditions. Every holder then asks whether a certification service could become collateral damage.
The risk is not limited to revocation. Non-publication can be just as important. If a registry service is unavailable, if a portal account is suspended, if a receiver freezes change requests, if staff hesitate to process a disputed member's RPKI updates, or if a court order is interpreted cautiously, a holder may be unable to create or adjust ROAs in time for a network change. In a world of route-origin validation, delay is not neutral. It can constrain a migration, slow customer onboarding, complicate a transfer, undermine redundancy planning or force operators to choose between announcing a route without ROA coverage and delaying service.
The more networks reject invalid routes, the more this matters. RPKI's purpose is to make origin errors costly enough to deter hijacks and leaks. But enforcement changes the bargaining structure. If a customer knows that a provider's prefix could become invalid because the provider lacks reliable ROA control, the customer may demand stronger contractual assurance or choose another provider. If a buyer cannot be sure that closing will include clean route-origin publication, it may hold back payment or demand indemnities. If a lessor cannot guarantee ROA maintenance for the lessee's origin, lease pricing changes. If a bank sees that address-backed revenue depends on registry discretion, the loan receives a governance haircut.
This is institutional leverage even when nobody intends to use it. A registry may not deliberately weaponise RPKI. The mere fact that publication depends on registry-recognised authority gives it latent power. In a high-trust environment, latent power is acceptable because it is constrained by norms, contracts, due process and reputational discipline. In a low-trust environment, latent power is priced as risk. AFRINIC's crisis lowered the market's tolerance for assuming benign constraint.
Official reassurances about continuity are useful evidence of intent, but they cannot close the analytical question. The NRO's statement on receivership said the receiver would help ensure members kept receiving registry services. That matters. But route-origin trust requires more than a general service-continuity statement. It requires service-specific safeguards: what happens to hosted ROAs during receivership; who can authorise changes; whether disputed resources remain in a hold state; what notice is given before revocation; how publication integrity is monitored; whether staff can process urgent routing-security requests; and how a member can appeal a certification-affecting decision quickly enough for operational needs.
Scarcity also changes political incentives. A region with scarce IPv4 may be tempted to treat resource mobility and commercial use as regional economic policy. The language may be stewardship, conservation or development. The effect can be control over who can monetise, lease, transfer or route addresses. RPKI should not be the mechanism through which that control is smuggled into routing. If a policy debate wants to limit transfers, it should say so and face scrutiny. If a contract dispute concerns breach, it should use proportionate legal remedies. The route-origin system should remain a security and authority layer, not a disguised market-permission layer.
AFRINIC's case therefore turns a technical adoption question into a governance design question. Scarce IPv4 makes every registry-controlled publication channel economically meaningful. RPKI is the most acute channel because its outputs can be enforced automatically by others. A credible registry must prove that adoption of RPKI will not increase dependence on arbitrary authority. It must show that the more secure route is also the more institutionally protected route.
Cloud Innovation and the continuity premium
The Cloud Innovation dispute is often narrated as a clash between a regional registry and a large commercial holder of African IPv4 resources. That is true but incomplete. For RPKI analysis, the dispute matters because it shows how a disagreement over resource use can become a continuity premium applied to technical trust services. The market does not have to decide whether AFRINIC or Cloud Innovation is right on every legal point. It only has to observe that registry enforcement, litigation remedies, bank-account freezes, member status, account control and institutional legitimacy became linked. Once linked, every certification-dependent counterparty has to ask how far the link can spread.
Public reporting by the Internet Governance Project in 2021 described AFRINIC's action against Cloud Innovation as a response shaped by earlier governance and record-integrity problems, but criticised it as an overreaction based on weak policy premises and poor risk management. It also criticised Cloud Innovation's legal response as destructive. That balanced account is useful because the institutional problem is not one-sided. A registry that never enforces rules would invite fraud, false records and misuse. A member that can immobilise a regional registry through litigation creates systemic risk. But a registry that uses consequence-heavy discretion against live resources creates the mirror-image risk. RPKI sits between those risks.
The reported freeze of up to US$50m in AFRINIC's bank accounts made the issue unavoidable. A bank freeze does not directly alter a ROA, but it changes the institution's ability to operate, pay staff, maintain systems and reassure members. A receiver can preserve continuity, but receivership itself signals that ordinary governance has failed. A board election can restore formal authority, but if the election is delayed, challenged, suspended, annulled or relitigated, each step becomes a confidence event. RPKI relying parties do not need to follow every pleading to understand the basic question: is the trust anchor's institution stable enough that route-origin publication will remain neutral and dependable?
The continuity premium is the cost added to otherwise normal transactions because that question exists. It appears when a buyer of AFRINIC-administered space demands extra representations about RPKI control. It appears when a lessee asks whether the lessor can maintain ROAs throughout the lease. It appears when a cloud customer asks whether a provider's addresses are exposed to registry action. It appears when a transit provider asks for proof that the origin is properly authorised. It appears when a lender discounts revenue supported by contested or policy-sensitive address holdings. It appears when engineers spend time monitoring institutional risk rather than only route risk.
This premium is not irrational. In RPKI, the difference between valid and invalid can be operationally decisive for networks that enforce route-origin validation. A resource holder that loses the ability to publish correct ROAs may still be able to announce routes, but some counterparties may treat those routes with suspicion or reject them if conflicting invalid states emerge. A holder that cannot update ROAs during an origin migration may face delay. A holder caught in a transfer dispute may be unable to deliver the routing-security condition expected at closing. If enough major networks treat RPKI as normal hygiene, poor RPKI control becomes a commercial defect.
AFRINIC's dispute with Cloud Innovation also highlights the importance of separating enforcement from service neutrality. Suppose a registry believes a holder has breached agreement terms. The registry may need to investigate, demand information, place a dispute flag, seek court relief or, in extreme cases, pursue termination. But service neutrality asks a narrower question: while the dispute is unresolved, should security services necessary to protect the live network be maintained unless a specific legal or technical reason requires otherwise? The answer should generally be yes. Otherwise the registry can create the very instability it claims to prevent.
The same principle applies to account control. If a member account is compromised, RPKI changes should be frozen or reversed as needed. If a member refuses to pay fees, there may be contractual consequences. If a member is in a policy dispute, the registry may restrict certain transactions. But the conditions that affect route-origin publication should be explicit. A holder should know whether nonpayment, resource review, transfer hold, court restraint, corporate succession dispute or alleged misuse can affect RPKI publication, and in what order. Ambiguity is costly because it lets every dispute cast a shadow over routing-security reliance.
This is particularly important where holder and operator differ. IPv4 leasing, customer assignments, managed hosting and outsourced network operations often involve one party that holds the registry relationship and another that needs route-origin authority for service. RPKI can either make that relationship safer by making authority explicit, or more fragile by forcing every commercial arrangement through opaque registry discretion. A registry need not bless every lease as market policy. It does need a clear way to let the recognised holder authorise operational origins without turning each authorisation into an ideological trial about IPv4 commercialisation.
The Cloud Innovation conflict shows the cost of failing to build that boundary early. Once enforcement is mixed with arguments about regional use, address ownership, leasing, litigation tactics, registry survival and board control, every technical service is suspected of having hidden policy weight. Even if AFRINIC staff continue to run systems professionally, counterparties cannot ignore the institutional context. The trust layer has become politically and legally noisy.
The right lesson is not that registries should avoid enforcement. It is that enforcement must be ring-fenced from routing-security continuity. A serious RPKI governance model would state that certification services for existing live resources are presumptively maintained during disputes; that severe restrictions require defined legal or security grounds; that emergency actions are logged and reviewable; that publication changes are notified; that route-origin continuity for innocent downstream users is considered; and that the registry cannot use RPKI as economic leverage in a broader fight. Such a model would protect both the registry and the member, because it would reduce the incentive to treat every enforcement letter as a threat to live routes.
AFRINIC's crisis turned this from theory into market practice. The premium now exists because participants can imagine the chain from dispute to institution to publication to route. RPKI security cannot mature in such an environment unless the chain is made safer.
Receivership, elections and signing authority
Receivership is a legal device, but in a registry context it is also a question about who can sign. Not only who can sign a cheque, a contract or a board resolution, but who can authorise the institutional conditions under which certificates are issued, maintained and published. The NRO's 2023 statement said the Supreme Court of Mauritius had appointed a receiver for AFRINIC, restrained relocation or takeover-type actions, and tasked the receiver with preserving status quo assets, overseeing elections and facilitating a proper board and chief executive. As a factual description, that is central. It shows that court supervision was meant to preserve continuity rather than liquidate the registry function.
For RPKI, however, preservation needs to be translated into operational authority. A receiver preserving assets is not automatically a routing-security governance model. If hosted RPKI services continue, under whose delegated operational authority do staff act? If a disputed member asks for a ROA update, is that an ordinary service request, a change to status quo, or a decision requiring legal review? If a certificate must be revoked because of compromise, who approves the emergency action? If a transfer closes during receivership, can new route-origin material be created on time? If a court order restrains certain member changes, how does that restraint map to RPKI publication? These questions are not academic. They are the operational translation of corporate distress.
A healthy registry answers most of them before crisis. It has internal controls, delegated authority, documented service categories, incident response plans, audit logs, member-notice rules and escalation paths. A distressed registry answers them under pressure. AFRINIC's receivership period therefore matters not because it necessarily caused RPKI failure, but because it revealed the absence of a widely understood continuity constitution for the trust layer. The public learned that the registry could be placed under receivership; it did not learn, with equal clarity, how each critical technical service was insulated from corporate conflict.
The 2025 election sequence extended the problem from receivership to legitimacy. The Register reported that AFRINIC had been unable to elect a board since 2022 and that a receiver planned elections for June 2025, appointing senior British lawyers to oversee nominations amid concerns about interference. It later reported ICANN concerns, a court process, continued voting, then suspension and annulment after allegations concerning powers of attorney and voter documentation. Later reporting described a fresh election that produced directors but left possible legal challenges, government investigations and discomfort around influence. These details matter for RPKI because board legitimacy is the governance layer above operational trust.
The board does not create each ROA. It should not. But the board sets the conditions under which certification policy, legal response, member standing, budgets, staffing, security controls and crisis communications are managed. If board legitimacy is contested, decisions about severe member action or certification-affecting policy become easier to challenge. If the board is absent, staff may become cautious. If a receiver is the practical authority, every sensitive decision risks being characterised as beyond preservation. If ICANN or another outside body intervenes, members may ask whether local corporate governance or global coordination is in charge. RPKI needs a boring answer to who may act. AFRINIC's election history made the answer less boring.
This is not a plea for technocracy over law. Legal accountability is necessary. A registry that controls scarce resources and trust services must be subject to courts, contracts and member control. The problem is not that courts can supervise AFRINIC. The problem is that routing-security publication has no tolerance for a governance vacuum. Law can review authority; it cannot substitute for day-to-day operational trust. If every contested board act can call into question the legitimacy of the institution's security posture, the registry needs stronger separation between corporate contest and critical-service operation.
That separation can be designed. RPKI operations can be placed under a defined service-continuity mandate that survives board gaps, subject to audit and emergency oversight. Certification changes can be classified: routine member-authorised ROA creation, deletion or modification; security emergency; resource transfer; court-constrained resource; disputed member authority; suspected account compromise; severe enforcement action. Each class can have a documented approver and notice rule. Receivers can inherit a playbook rather than improvise one. Boards can supervise policy and budgets without micromanaging route-origin objects. Courts can see which actions preserve status quo and which alter rights.
AFRINIC's crisis suggests that such design is not optional. A registry trust anchor is a single point of institutional reliance even if the internet's routing is distributed. Validators around the world fetch material under the assumption that the hierarchy reflects stable resource authority. If the institution behind the hierarchy cannot show how authority survives receivership, contested elections or litigation, operators must either accept hidden risk or reduce reliance. Neither is desirable.
The market will ask simple questions. If AFRINIC has no board, can a member still create a ROA? If a receiver is in charge, can a transfer recipient get route-origin authority? If a member's voting credentials are disputed, does that affect its technical account? If a court later questions a board election, what happens to certification decisions made meanwhile? If ICANN threatens compliance review, can another registry step in for emergency registry functions, and would that include RPKI trust material? The current public record gives partial institutional answers but not a full service-level constitution. That gap is the risk.
The broader lesson is that signing authority in internet governance is not only cryptographic. Cryptographic keys are controlled by people, contracts, accounts, corporate bodies, courts and budgets. If those layers fail, the key can still mathematically sign. The market's question is whether it should trust the signature as institutionally legitimate. AFRINIC's receivership and election stress make that question unavoidable.
Record integrity and cryptographic reliance
RPKI can only be as reliable as the registry facts beneath it. Cryptography protects the authenticity of a statement; it does not prove that the underlying registry record is true. If a false holder is recorded, the system can faithfully publish false authority. If an authorised contact is stale, the wrong person may control publication. If a dormant company's resources were moved through improper documentation, a ROA can make the resulting route look cleaner than the history deserves. This is why AFRINIC's reported address-record corruption episode is directly relevant to RPKI governance risk, even though the public reports were not primarily about RPKI.
KrebsOnSecurity reported in 2019 that allegations stemming from a multi-year investigation involved valuable African IPv4 blocks associated with dormant or defunct entities, companies linked to a former AFRINIC policy coordinator, and an estimated market value exceeding US$50m for affected addresses identified by researcher Ron Guilmette. The report said AFRINIC's chief executive at the time acknowledged awareness of the allegations and said the organisation was investigating. Those are allegations and reports, not a final judicial account of every fact. But the economic significance is clear: once IPv4 has a market price, weak registry records become a form of custody risk.
RPKI magnifies custody risk because it gives registry-recognised authority a cryptographic expression. A false database change used to matter because it affected WHOIS, transfer confidence, abuse contact and claims of control. Under RPKI, it may also affect which autonomous system can be authorised to originate the prefix. The system is not designed to investigate corporate succession history or dormant-company fraud at validation time. It relies on the registry to have done that work correctly. A validator that sees a valid ROA has no independent memory of the original allocation, the merger history, the officer who signed a form, or the staff credentials used to change a record.
This does not make RPKI unsafe by design. It means RPKI must be paired with stronger record governance. A high-quality registry can use RPKI to reduce hijacking risk precisely because it has reliable holder records and secure member accounts. A weak registry can use the same cryptographic machinery to harden mistakes. The difference is institutional discipline, not mathematics.
AFRINIC's challenge is double. It must repair and protect historical records because public reporting has made record corruption a credible concern. It must also avoid turning record repair into open-ended discretion that threatens legitimate holders. Both conditions matter for RPKI. If record repair is too weak, false or compromised authority can be certified. If repair is too broad and unpredictable, holders may fear that certification is provisional on the registry's future interpretation of old use, old need or old policy. Confidence requires a narrow path between those risks.
That path begins with separating truth from preference. A registry has every reason to verify whether a holder exists, whether a representative is authorised, whether a corporate successor has valid documentation, whether an account was compromised, whether a transfer source is the recognised holder, whether a court order restrains action, and whether a requested ROA fits the recorded resource. Those are authority questions. They are directly relevant to RPKI. A registry should be much more cautious about using RPKI publication to police whether it likes the holder's business model, leasing strategy, customer geography or view of IPv4 markets. Those are policy or commercial disputes, not automatically certification defects.
Account control is a special risk. RPKI is operationally powerful because a portal credential or delegated key can change route-origin state. If a member account is stolen, coerced, purchased, misused by an ex-employee or manipulated through a contested power of attorney, route-origin authority can be affected. The 2025 AFRINIC election controversies involved allegations about credentials and powers of attorney in the voting context. Those allegations do not by themselves prove RPKI account compromise. They do, however, illustrate why member-authority controls matter. A registry that cannot convincingly verify who may vote, appoint a proxy or act for a member will struggle to reassure the market that all high-consequence account actions are protected.
The answer is not to publish private member information indiscriminately. It is to build auditable authority controls. For RPKI, that means strong authentication, clear role separation, change confirmation, tamper-evident logs, dual control for severe actions, emergency lock procedures, member notification and independent review after contested changes. It also means separating voting authority from technical authority. A person who can vote in an election should not automatically be able to change route-origin authorisations unless the member has expressly granted that operational role. A lawyer with a power of attorney for corporate representation may not be the network engineer who should control ROAs. Authority must be granular.
Record accuracy also affects lessor-lessee relations. If a holder leases addresses to an operator, the registry record may still show the holder while RPKI authorises the operator's origin. That is not necessarily a defect; it can be an accurate expression of commercial delegation. But it requires clarity. The record should show enough responsibility for abuse, contact and authority without forcing every commercial term into the public database. The ROA should be understood as an operational authorisation, not a transfer of title. If the lease ends, the holder should be able to withdraw or change the ROA. If the lease is disputed, the continuity of downstream customers may need a defined cure window. Without such rules, RPKI becomes a dispute amplifier.
AFRINIC's reported record-corruption history should therefore push the institution toward more precise certification governance, not toward broad suspicion of all commercial address use. The lesson of a record scandal is that factual authority must be verified. It is not that the registry should wield routing-security services as general economic control. A clean RPKI ecosystem needs both harder proof and narrower discretion.
The market will judge by behaviour. If AFRINIC can show that RPKI changes are traceable to verified authority, that disputed resources are handled through transparent status categories, that severe certification actions are rare and reasoned, and that ordinary operational authorisations are processed within stated time frames, confidence will rise. If certification appears vulnerable to politics, enforcement mood, weak account controls or opaque record repair, confidence will fall. A cryptographic trust layer cannot outrun the institutional quality of the records it certifies.
Revocation, non-publication and the quiet risk of invalidity
The dramatic fear in RPKI governance is revocation: the registry or certificate authority withdraws the certification material and a route that once validated becomes invalid or uncovered. That risk is real, but it is only one part of the problem. The quieter risks are often more likely and more commercially important: a member cannot publish a needed ROA; an old ROA remains in place after a business change; a new origin cannot be authorised before a migration; a transfer recipient waits for certification; a disputed resource sits in limbo; a publication repository fails; a validator sees stale material; or a registry hesitates to process a request because legal authority is unclear.
In routing economics, inaction can be action. A data-centre operator moving customers to a new autonomous system needs timely ROA changes. A cloud provider splitting traffic across upstreams may need maximum-prefix adjustments. A buyer completing an IPv4 transfer may need immediate route-origin authority to onboard customers. A lessor authorising a lessee's origin may need predictable publication throughout the term. If the registry cannot act, the operator may face invalid announcements, less secure unvalidated announcements, route filtering by strict networks or delayed service. The absence of an adverse decision does not eliminate the cost.
AFRINIC's institutional stress makes non-publication risk plausible even without evidence of RPKI-specific misconduct. A bank freeze can affect staffing and systems. A receiver can create caution around changes that might be seen as altering status quo. A board gap can leave staff unsure about sensitive decisions. Litigation can lead lawyers to review actions that were once routine. Election disputes can question member authority. A winding-up application can raise continuity fears. Each condition can slow the operational service layer even if everyone involved wants to preserve the internet.
This is why service firewalls matter. A registry should distinguish between changes that preserve live operational continuity and changes that alter resource entitlement. Updating a ROA to reflect an already-authorised network migration may be continuity-preserving. Creating a ROA for a party whose authority is disputed may require hold and review. Removing a ROA because of proven account compromise may be an emergency security action. Removing a ROA because of an unresolved commercial dispute may be an overreach unless a court or clear rule requires it. The registry must classify the action, not simply treat all RPKI changes as discretionary privileges.
Revocation governance should be especially strict. In a system where relying networks may drop invalid routes, revocation can have downstream effects beyond the immediate member. It can affect customers, content reachability, enterprise access, public services and reputation. Some revocations are necessary: compromised keys, false authority, resource return, completed transfer, duplicate certification, court order or proven fraud. But necessary does not mean casual. The registry should have defined grounds, notice where feasible, emergency exceptions, cure periods where safe, logging, appeal and post-incident disclosure at least in aggregate. A route-origin certificate should not be easier to disrupt than a mailing-list subscription.
Non-publication governance is harder because it often hides inside delay. A registry can harm reliance without making a formal adverse decision. It can simply not process a request. In a normal commercial setting, delay may be measured against a service standard. In a distressed registry setting, delay may be explained by legal caution, missing authority, staff shortage, system maintenance or policy uncertainty. The market does not care which internal category applies if the result is missed customer deployment. RPKI needs time-bound service commitments and escalation paths precisely because automated routing validation compresses the cost of delay.
AFRINIC's broader governance crisis also raises the question of emergency substitution. The Register reported that ICANN warned in 2025 that if AFRINIC failed a compliance review, another regional registry could be asked to step in as an emergency registry for Africa. That possibility was described in the context of AFRINIC's election and mandate concerns, not as an RPKI failover plan. Yet it raises the obvious question: if an emergency registry ever had to preserve number services, how would RPKI trust material migrate or be maintained? Would trust anchors change? Would existing ROAs remain valid? Who would notify relying parties? How would holders prove authority? How would courts in Mauritius interact with a cross-registry continuity plan?
Those questions should not be left for the day of crisis. RPKI's value depends on routable certainty. If emergency continuity requires validators, operators, holders and courts to interpret new trust relationships under pressure, the system will transmit confusion. A registry-failure plan should include RPKI continuity as a first-order service, not an appendix. It should define how publication repositories are preserved, how keys are protected, how member access is maintained, how certificate validity is handled, how revocations are frozen or permitted, and how relying parties are told what to trust.
The quiet risk of invalidity also interacts with insurance and compliance. Large enterprises increasingly ask suppliers about routing-security posture. A provider that cannot prove stable RPKI control may fail a vendor review. A cyber-insurance questionnaire may ask about route hijack prevention. A regulated customer may require secure routing for sensitive services. In such contexts, registry governance risk becomes a compliance cost. AFRINIC-administered resources may be technically sound, but if the holder cannot give convincing assurances about ROA continuity under dispute, the business may lose customers or accept weaker terms.
This is not because RPKI is bad. It is because RPKI is working: it has made origin authority visible enough to be governed. The problem is that visible authority must be backed by visible institutional safeguards. AFRINIC's crisis is a reminder that cryptography can make a trust problem more precise without making it disappear.
The best outcome would be boring. ROAs should be created, changed and withdrawn under rules clear enough that ordinary business can rely on them, courts can understand them, and registry staff can apply them under stress. A holder in good standing should not fear that route-origin publication can be pulled into a political fight. A registry should not fear that preserving live RPKI service prevents it from acting against fraud. Relying parties should not need to know which election dispute or court order sits behind a validation state. They should be able to trust that service-continuity rules separate routing security from institutional combat.
Why this is not a WHOIS, RDAP or reverse-DNS story
AFRINIC's registry services are tightly connected, so it is tempting to fold RPKI into a generic registry-layer risk story. That would miss what makes route-origin certification distinct. Record accuracy is about whether the underlying registry facts are true, current, attributable and reliable. Reverse DNS is about name delegation and the operational consequences for mail, diagnostics and network reputation. WHOIS and RDAP are about public record access, contactability and diligence. Generic registry-layer risk is about the overall premium created when the recordkeeper becomes unstable or discretionary. RPKI is different because it turns recognised authority into cryptographic routing evidence.
That difference changes both speed and opacity. A stale WHOIS contact can be noticed by a lawyer or abuse desk. A reverse-DNS problem can be diagnosed in mail logs. An RDAP inconsistency can be discussed during diligence. A ROA error can be converted by validators and route filters into route treatment across many networks. The affected business may first learn of it through reachability complaints, monitoring alerts or a transit provider's route rejection. RPKI is not merely another public interface. It is a machine-readable authorisation layer.
It also changes the trust audience. WHOIS and RDAP are read by humans and tools, but their users usually know that registry data can be messy. IRR data is used by routing systems, but many operators treat it with caution because object quality varies. RPKI aspires to stronger assurance. Its purpose is to make origin authority more dependable than informal routing claims. That aspiration makes governance weaknesses more consequential. If RPKI is treated as high-trust but its institutional base is low-trust, the gap becomes dangerous.
Record accuracy remains foundational. A registry cannot publish trustworthy RPKI material if it does not know who holds what. The reported AFRINIC address-record corruption allegations therefore matter. But the database-accuracy question asks whether the record itself can settle market reliance. The RPKI question asks what happens when that record is used to publish cryptographic routing authority. It is the difference between a land register and a digital lock tied to the land register. If the register is wrong, both fail. But the lock adds a new operational consequence.
Reverse DNS is also related but distinct. A reverse-DNS delegation can be valuable for mail reputation, customer operations and diagnostics. It depends on registered assignments and proper authority. Yet a reverse-DNS problem usually affects application-layer trust and naming expectations. RPKI affects route-origin validation. If a route becomes invalid under strict filtering, the reachability issue can be broader and more immediate. Naming continuity and route-origin trust both depend on registry governance, but they do not fail in the same way.
RDAP and WHOIS public records are about transparency and public legibility. They let counterparties see the holder, contacts, status and related data, subject to privacy and policy limits. RPKI can be opaque by comparison. A customer may not inspect the certificate chain; it may only see that a provider passed a security review. A router may not care why a ROA changed; it only applies policy. This makes governance safeguards more important, not less. Automation reduces the opportunity for case-by-case human interpretation.
The generic registry-layer problem asks how AFRINIC became a risk premium above routing, contracts and markets. The certification problem narrows the premium to the RPKI channel. The registry could be generally fragile but still keep RPKI well insulated, in which case route-origin risk would be lower than overall institutional risk. Or the registry could be generally stable but use RPKI in a discretionary way, in which case route-origin risk would be higher than headline governance suggests. The point is to assess the service-specific firewall.
That firewall has several parts. First, RPKI should depend on verified resource and account authority, not on broad institutional favour. Second, changes affecting live routes should be classified and time-bound. Third, severe actions such as revocation should require defined grounds and review. Fourth, disputes should preserve existing operational security where safe. Fifth, transfer and leasing reality should be handled through clear authorisation rather than denial by ambiguity. Sixth, receivership or board failure should trigger a continuity mode for certification services. Seventh, publication repositories and keys should have independent audit and incident response.
Such safeguards would not weaken the database, reverse DNS or RDAP functions. They would strengthen them by making each function's boundary clearer. A database correction would identify the true holder. A reverse-DNS delegation would follow registered assignment rules. RDAP would expose appropriate public facts. RPKI would express route-origin authority under a service-neutral security mandate. The registry would retain enforcement power against fraud and false authority, but it would not use the security layer to win unrelated institutional fights.
AFRINIC's crisis shows why this precision matters. If all registry functions are bundled into one discretionary authority, then a dispute over one function contaminates all. A member facing a resource review fears RPKI consequences. A buyer facing transfer delay fears reverse-DNS and certification delay. A court considering corporate restraint may inadvertently affect operational services. A receiver preserving status quo may freeze necessary security updates. A board election dispute may cause counterparties to question account authority. Bundling spreads risk.
Unbundling does not mean dismantling the registry. It means recognising that different functions require different safeguards. RPKI deserves the strongest continuity and neutrality safeguards because it is the most direct bridge between registry legitimacy and routing behaviour. AFRINIC's case should push the regional registry system to make that bridge safer before a certificate dispute becomes an outage.
The market that prices certificate doubt
Markets price uncertainty long before courts settle it. That is the central economic fact of RPKI governance risk. A prefix does not need to become unreachable for its value to fall. It only needs to carry a credible doubt about whether route-origin authority can be maintained across transfer, lease, dispute, migration or institutional stress. The discount may be invisible in public quotes, but it appears in private terms: lower purchase price, longer escrow, wider indemnities, stronger representations, delayed closing, customer carve-outs, higher legal fees, extra monitoring, or a preference for resources from a less troubled registry environment.
IPv4 scarcity makes those discounts meaningful. Public analysis in the AFRINIC dispute has cited IPv4 prices moving from single digits per address in earlier years to much higher levels during the scarcity era, and a /16 can represent millions of dollars of market value. When values are that high, a small change in perceived certainty matters. A buyer that would pay full price for a clean block may reduce the offer if RPKI control depends on a holder with unresolved registry issues. A lessor may charge more if it must assume responsibility for ongoing ROA maintenance under uncertain policy. A customer may ask for an alternative prefix if the provider cannot guarantee origin validation. A lender may treat address-supported revenue as less bankable.
The pricing mechanism is similar to title insurance in property or settlement risk in securities, but the asset is not ordinary land or a share. IP addresses are unique network identifiers administered through contracts and policy. Registries resist simple property analogies, and the resistance has a technical basis: uniqueness, coordination and routing responsibility matter. Yet non-property does not mean non-value. Many economically important rights are not fee-simple property. Leases, licences, concessions, spectrum rights, operating permits and contractual entitlements can all support investment while remaining conditional. The market prices the conditions.
RPKI adds one such condition. The holder's economic position is stronger if it can prove that the authorised origin will remain valid under ordinary operating changes. It is weaker if the registry may refuse, delay or revoke publication under ambiguous standards. The condition matters most where the holder and operator differ. Leasing makes this visible. If a lessor cannot guarantee ROAs for the lessee's network, the lease is less useful. If the lessee cannot rely on timely changes, it must reserve backup space or negotiate customer flexibility. If the registry later questions the arrangement, the lessee may be innocent but still exposed. The price of the lease should reflect that risk.
Transfer markets face a related problem. A transfer is not economically complete when money changes hands. It is complete when the recognised registry record, routing authority, reverse DNS, abuse contacts and route-origin material align with the buyer's intended operation. If RPKI change is delayed or contested, the buyer controls a resource that is not fully deployable. Escrow arrangements should therefore treat ROA delivery as part of settlement. That is a market response to registry trust. The more uncertain the registry, the more detailed the settlement conditions.
Cloud and hosting businesses carry the risk into customer contracts. A provider may hold AFRINIC-administered prefixes, lease them, or rely on upstreams that do. Customers rarely read regional registry policy, but they notice outages and route filtering. If a customer demands secure routing, the provider must show not only that ROAs exist but that the provider can maintain them. If the provider's resources are under review, if the holder is in dispute, or if the registry has a history of institutional turbulence, the customer may demand termination rights or a migration plan. The registry's governance problem has become a commercial sales problem.
Small operators may suffer the most because fixed costs do not scale down. A large cloud or carrier can employ lawyers, registry specialists, routing engineers and compliance staff. It can diversify address sources, hold extra inventory, maintain multiple autonomous systems and negotiate sophisticated contracts. A small ISP or hosting company may have one or two blocks, one registry relationship and limited staff. For it, a single RPKI dispute or delay can consume management attention and threaten customers. The promise of RPKI should be to help such operators reduce route hijack risk, not to add another institutional dependency they cannot manage.
AFRINIC's member dependence is therefore broader than the certification service. Members depend on allocation records, WHOIS, RDAP, reverse DNS, IRR, RPKI, billing status, transfer recognition and account access. These services are not substitutes; they reinforce one another. A clean database record supports RPKI authority. RPKI strengthens routing credibility. Reverse DNS supports mail and diagnostics. WHOIS and RDAP support public accountability and diligence. Transfer recognition supports liquidity. If governance risk affects one service, counterparties worry about the others. The bundle receives a registry discount.
The discount can also become self-reinforcing. If market participants view AFRINIC-administered resources as riskier, they may prefer other regions where possible, demand more from African holders, or route commercial activity through structures perceived as safer. That reduces liquidity and may harm the regional development arguments used to justify strong registry control. A registry that wants to support its region should therefore care about risk premia. The cheaper it makes trust, the more valuable its members' resources become and the easier it is for African networks to obtain capital, customers and partners.
The market is not always virtuous. Commercial actors may exaggerate registry risk to seek lower prices, resist legitimate review or defend profitable arbitrage. AFRINIC and its supporters are right to remember that address markets create incentives for abuse, speculation and record manipulation. But the existence of opportunistic buyers does not abolish the need for predictable trust services. It makes them more important. Clear RPKI governance helps distinguish legitimate operational reliance from bad-faith pressure. Opaque discretion helps the strongest actors because they can afford to litigate it.
The economic conclusion is simple. RPKI governance quality is now part of address quality. A prefix with stable route-origin authority is worth more than the same prefix with uncertain authority. AFRINIC's crisis makes that explicit, but the principle applies everywhere. As route-origin validation spreads, markets will price not only address quantity and reputation, but institutional confidence in the certificate chain.
A credible RPKI firewall
A credible RPKI firewall is not a firewall in the network-appliance sense. It is an institutional boundary that prevents route-origin certification from becoming collateral in fights over governance, fees, litigation, elections, transfer politics or commercial ideology. It accepts that a registry must run RPKI, verify authority and act against fraud. It rejects the idea that a registry may use certification uncertainty as a general lever over scarce address resources. In a post-exhaustion world, that boundary is as important as the cryptographic protocol.
The first element is service continuity. Existing valid ROAs for live resources should be presumed to remain in effect during institutional stress unless there is a specific technical, legal or authority reason to change them. Receivership, board absence, litigation or public controversy should not by themselves disrupt route-origin publication. If a member is in dispute, the default should be to preserve the last verified safe state while the dispute is classified. That protects downstream customers and reduces incentives for emergency litigation.
The second element is authority granularity. A registry account should not be a single undifferentiated key to all power. Voting authority, billing authority, legal-representative authority, resource-management authority, RPKI authority and abuse-contact authority should be separable. The 2025 AFRINIC controversies around member credentials and powers of attorney show why. A person may be entitled to vote but not to change ROAs. A lawyer may be entitled to receive notices but not to authorise a route. A network engineer may be entitled to manage ROAs but not to bind the company in a board election. Granularity reduces the chance that governance capture becomes routing capture.
The third element is a remedy ladder. Not every problem justifies certification disruption. A stale contact should trigger notice and update requirements. A billing issue may trigger contractual consequences, but not immediate route-origin harm unless rules clearly say so and safeguards apply. A suspected account compromise may require emergency lock and member verification. A disputed transfer may require temporary hold on new ROAs while preserving existing service where safe. Proven false authority may require revocation. Each category should be defined before crisis, with time limits and escalation paths.
The fourth element is transparency without recklessness. RPKI actions affecting live resources should be logged in a way that permits audit. Members should receive clear notice of changes, reasons and appeal routes. Relying parties do not need private litigation files, but the community can benefit from aggregate reporting on revocations, emergency locks, publication incidents, contested resources and service availability. A registry that publishes only adoption statistics but not governance incidents is hiding the part of RPKI that markets need to price.
The fifth element is transfer and leasing realism. AFRINIC and other registries do not need to endorse every market claim about IPv4 property. They do need to recognise that operational delegation exists. A holder may lawfully authorise another network to originate a prefix for hosting, transit, cloud, customer, lease or managed service reasons. RPKI should capture operational authority cleanly while leaving commercial disputes to contracts and policy processes. If the registry wants to restrict some forms of delegation, it should do so through explicit policy subject to scrutiny, not through opaque refusal to support route-origin authorisation.
The sixth element is emergency succession. If a registry enters receivership, loses a board, suffers system compromise or faces possible derecognition, RPKI continuity should have a written plan. The plan should say how keys are protected, how repositories remain online, how member access is preserved, how urgent changes are approved, how certificate validity is treated, how trust-anchor changes are communicated if ever necessary, and how another registry or neutral service could assist without seizing policy control. AFRINIC's receivership shows that such a plan is not speculative.
The seventh element is independent review for severe actions. A registry should not be the sole judge, prosecutor and executioner when a certification-affecting decision could impair live routes and valuable resources. Independent review need not be slow in emergencies. It can use expedited panels, technical ombuds, court-approved procedures or post-action review where immediate action is needed. The principle is that severe RPKI disruption should be accountable to a body or process not identical with the staff or board position in the underlying dispute.
The eighth element is liability symmetry, at least in disclosure if not always in damages. Registries often operate under limited liability, and there are reasons for limiting exposure for coordination bodies. But if a registry can take actions that affect high-value resources and customer continuity, members need to know what remedy exists for mistaken certification disruption. The answer cannot be a slogan. It may involve service credits, expedited correction, independent review, insurance, reserve policy or statutory limits. Whatever the design, the risk allocation should be explicit.
AFRINIC's recovery would be more credible if it treated RPKI this way. A new board, budget or strategy is useful, but the RPKI question is more concrete: can every member, including a disliked or disputed member, know exactly what certification services will continue, what actions can affect them, who approves those actions, how fast review occurs, and how downstream continuity is protected? If the answer is yes, RPKI becomes a stabilising technology. If the answer is no, it remains a governance risk disguised as security adoption.
Such a firewall would not strip AFRINIC of authority. It would make authority more legitimate. It would give staff clearer instructions under stress, members clearer expectations, courts clearer categories, and relying parties better reasons to trust the certificate chain. It would also protect the registry from claims that every enforcement action is a threat to live routing. Precision is a form of institutional defence.
The narrow ledger and the trusted route
AFRINIC's RPKI governance risk begins with a small technical statement and ends with a large institutional conclusion. The technical statement says that a prefix may be originated by a particular autonomous system. The institutional conclusion is that the registry's recognition, records, accounts, keys, publication systems and governance are trusted enough for the rest of the internet to act on that statement. If that conclusion is weak, the route-origin statement may still be cryptographically valid, but the market will treat it with caution.
The way forward is not to reject RPKI, nor to pretend that registries can avoid hard enforcement questions. A registry that cannot correct false records, prevent compromised publication or act on lawful orders is not protecting the internet. But a registry that can turn certification services into discretionary leverage over scarce resources is not protecting the internet either. It is importing institutional risk into the routing layer. The right design is a narrow ledger with a protected trust service: strong against fraud, precise about authority, neutral toward ordinary commercial use, continuous during governance stress and accountable when severe action is necessary.
For AFRINIC, that means recovery should be measured by the dependability of functions, not merely the existence of a board. Can members maintain ROAs through normal network changes? Can disputed cases be contained without contaminating unrelated resources? Can transfers and leases obtain clear operational authorisation without hidden ideological review? Can receivership or court supervision preserve technical services without freezing necessary updates? Can severe revocations be explained, reviewed and limited? Can the registry show that RPKI is a security service, not a policy weapon?
The broader market will also need to adapt. Buyers should treat RPKI delivery as part of IPv4 settlement. Lessors should specify ROA maintenance and change procedures. Customers should ask not only whether a provider has ROAs, but who controls them and what happens under dispute. Lenders and insurers should assess registry-governance exposure as part of address-backed revenue. Operators should monitor validation states and maintain contingency plans. These steps do not replace registry reform, but they reflect the reality that RPKI has made route-origin authority an economic input.
AFRINIC's crisis is therefore not a local curiosity about one regional registry's troubles. It is a warning about what happens when a security architecture depends on an institution whose legitimacy, records, courts, receivers, elections and commercial boundaries are under stress. The more successful RPKI becomes, the more important that warning becomes. A route can be filtered by machines, but the authority behind the route is still governed by people, contracts, companies and courts.
The final test is simple. A resource holder should be able to adopt RPKI because it reduces routing risk, not because it accepts a new form of registry dependency. A customer should be able to trust a valid route because the certificate chain reflects narrow, lawful and accurate authority, not because it has faith in institutional mythology. A registry should be able to enforce real rules without threatening live security publication. A court should be able to supervise a distressed registry without becoming the hidden operator of route-origin trust.
AFRINIC shows that route-origin certification is not merely a technical credential. It is an institutional claim. In the IPv4 scarcity era, that claim carries price, continuity and governance risk. The registry that wants routers to trust its certificates must first prove that its own authority is constrained enough to be trusted.

