Summary
- NRS should pursue portable recognition: a holder-controlled, independently verifiable continuity record that can survive changes in registry service, certificate keys, repositories and corporate identity while preserving the recognised IANA-RIR allocation hierarchy.
- RPKI trust-anchor migration offers useful engineering lessons, especially staged successor keys and coexistence, but an NRS credential cannot become globally authoritative merely because it is signed. Relying parties, recognised registries and operators must choose and govern trust.
- The portable record should bind holder identity, resource scope, authority history, current contacts, RDAP location, RPKI state, reverse-DNS delegation, disputes, receipts and revocations without exposing private evidence or freezing past errors.
- This is a positive institutional proposal, not a report of completed capability. Public proof that NRS operates the required keys, witnesses, independent review, continuity exercises and broad relying-party adoption remains limited.
Portability begins where a registry relationship ends
A number-resource holder can outlive the institution that first recorded it. Companies merge, split, rename, relocate and enter insolvency. Registries can change policy, lose operational capacity, face court orders or transfer responsibilities. Certificate keys expire. Repository addresses move. Contacts depart. A reverse-DNS delegation can remain tied to an old account even after the underlying business has changed.
The ordinary answer is to ask the current authority to recognise the new state. That answer is necessary but incomplete. It places almost all continuity evidence behind the same gate that the holder may be disputing or trying to leave. If the registry cannot operate, refuses the premise, lacks a relevant transfer policy or has no accepted successor, the holder may possess contracts, correspondence and historical records without a compact proof that other networks can verify.
Portability would change the holder’s position. It would not let the holder invent an allocation or escape valid policy. It would let the holder carry a signed account of what was recognised, by whom, for which resources, under which terms, at what time, with which later changes and disputes. An independent relying party could verify the chain without trusting a screenshot or a private assertion.
Number Resource Society is well placed to pursue this future direction because its public philosophy treats number-resource institutions as bookkeepers whose standing depends on accurate records and voluntary recognition. The opportunity is to build a better book: portable enough to survive institutional change, constrained enough not to become a rival source of arbitrary power.
A trust anchor is a decision, not a certificate file
In cryptography, a trust anchor is information that a relying party accepts as the starting point for validation. The file can contain a public key and location, but the decisive act occurs when an operator chooses to trust that key for a defined purpose. A signature proves that the corresponding private key authorised data. It does not prove that the signer deserved authority.
This distinction matters for NRS. It could publish beautifully signed statements tomorrow and still lack recognised standing to certify Internet number resources. Networks would be rational to ask who verified the holder, how duplicate claims are prevented, which existing authorities consented, what happens after an error, and whether the signer can be removed without destroying continuity.
Portability must therefore operate on two planes. The authority plane records decisions by IANA, RIRs, national or local registries and other recognised issuers. The evidence plane preserves verifiable receipts, identity transitions, resource scope, contestation and service continuity. NRS can lead the evidence plane before it has any role on the authority plane.
That is not a timid role. Reliable evidence changes bargaining power. A holder with a verifiable history can challenge a bad record, move services, prove continuity to counterparties and support an orderly succession. Operators can compare claims without giving one incumbent exclusive custody of the past. Recognition becomes portable before authority becomes transferable.
The present hierarchy must remain visible
RFC 7020 documents the Internet Numbers Registry System as a coordinated hierarchy. IANA allocates large ranges to Regional Internet Registries, which make further allocations or assignments, directly or through other registries. Registration accuracy and uniqueness are core requirements. Routing choices remain operational matters outside the allocation registry’s direct scope.
Any NRS design that hides this hierarchy would create confusion. A self-asserted holder statement should not look identical to an RIR registration. A historical contract should not be presented as proof of current authority if a later recognised transfer changed the state. An NRS membership decision should not appear to be an IANA delegation.
The portable record should label authority precisely. Each claim needs an issuer, resource scope, effective period, evidence class and current status. “ARIN registered organisation X for prefix Y on date Z” is different from “organisation X told NRS that it controls Y.” Both can be recorded, but only the first is registry evidence from ARIN. If a recognised registry disputes the claim, that dispute must travel with the record.
Portability succeeds when history remains intelligible after custody changes. It fails when a new institution erases the distinction between evidence about authority and authority itself.
NRS has a coherent premise to prove
The NRS Charter argues that number-resource institutions derive standing from voluntary recognition, accurate registration and restrained stewardship rather than unlimited regulatory power. It presents NRS as an advocate for stability, free enterprise, transparency and accountability. Those are first-party claims, not independent proof of capacity.
Taken seriously, the charter implies a demanding design. Voluntary recognition cannot mean trust by slogan. It requires clear terms, inspectable controls and exit without data captivity. Accuracy cannot mean accepting the loudest holder. It requires evidence standards, conflict detection, correction and review. Limited power cannot mean weak accountability. It requires role separation so no founder, board, verifier or commercial partner can quietly rewrite recognition.
NRS’s published membership terms already reveal decisions that could become the first proving ground. Admission may require further information and involves discretion. Suspension and termination affect a member’s standing. NRS could issue signed, reasoned receipts for those decisions, provide review by people who did not make the first decision, and let former members retain proof of prior status.
That would not yet establish a number-resource trust anchor. It would show that NRS can maintain identity, authority, time, reasons, correction and exit in its own domain. Institutional credibility should grow from demonstrated restraint before broader recognition is requested.
Portability needs a defined entity
The phrase “portable trust anchor” can become vague unless it names what moves. A useful NRS portable recognition record would contain a small public core and protected supporting evidence.
The public core should identify the resource range or ASN, the recognised holder name, a stable holder identifier, the issuer of each authority statement, effective and superseded dates, current status, the holder’s public continuity key, authoritative RDAP discovery information, RPKI references, reverse-DNS delegation references, dispute markers and cryptographic commitments to supporting evidence. It should include no unnecessary personal address, identity document or confidential contract.
The protected evidence should preserve the documents and attestations needed to reconstruct the decision: registry receipts, signed holder requests, company succession evidence, transfer approvals, key-rotation approvals, reviewer decisions and notices. Access should be purpose-bound and logged. Different reviewers may need different views.
The holder should receive a portable package containing the public record, its own receipts, inclusion evidence, prior versions, issuer certificates and instructions for independent verification. The package should remain verifiable without an active NRS account. Otherwise suspension or fee dispute could erase the very portability being promised.
The record is not a title deed. It is a structured account of recognition and change. Legal rights, contractual rights, routing use and policy eligibility remain separate questions.
Holder control should begin with a continuity key
A holder needs a cryptographic identity that does not change merely because its registry account, employee or service provider changes. That identity can be represented by a continuity key controlled under the holder’s own governance. It should sign requests, acknowledge receipts and authorise key succession.
One laptop key is not enough. Companies need threshold control, hardware protection, named roles, recovery procedures and succession after staff departure. A small organisation may use an accredited custodian, but the custodian should not gain unilateral power to move resources. A court-appointed administrator may need a documented recovery route when ordinary signers are unavailable.
The continuity key must not become a permanent trap. Cryptography ages, devices fail and keys are compromised. A portable record should support a signed successor-key statement, an acceptance period, notice to known relying parties and a protected objection route. Emergency replacement needs stronger evidence and more reviewers than routine rotation.
Holder control also has limits. Possession of the continuity key cannot override a recognised transfer, a valid court order or a proven compromise. It establishes continuity of a holder-authorised voice, not absolute entitlement. NRS should make this boundary visible in every verifier.
RPKI shows how trust follows resource delegation
RFC 6480 describes RPKI as a certificate hierarchy aligned with number-resource allocation. Certificates support validation of signed entities such as ROAs. RFC 6487 specifies how resource certificates bind a subject key to enumerated IP address or AS number resources.
The hierarchy provides an essential lesson: authority is inherited through recognised delegation. A certificate created outside that chain may be cryptographically valid in isolation and irrelevant to operators who do not trust its root. The resource certificate also does not function as a general corporate identity certificate. Its subject naming is deliberately not descriptive in the ordinary identity sense.
For NRS, the lesson is to avoid a decorative certificate that appears stronger than its authority. The portable record can include RPKI state and verify signed entities under accepted trust anchors. It can preserve historical RPKI receipts and show when a holder’s authorisation changed. It cannot make an NRS root part of global routing security by declaration.
The positive path is interoperation. Recognised registries could sign portable receipts. Holders could link their continuity key to the key used for delegated RPKI services. Relying parties could verify both the recognised RPKI chain and the NRS continuity history, each for its proper proposition. Over time, broad participation could justify a more formal NRS role. Trust would follow evidence rather than precede it.
Trust Anchor Locators make the bootstrap problem explicit
RFC 8630 defines the RPKI Trust Anchor Locator, or TAL. It gives relying parties one or more locations from which to retrieve a trust-anchor certificate and a public key with which to verify that certificate. The relying party begins with trusted material distributed through other means, then retrieves and validates the current certificate.
This is a useful analogy and a warning. The TAL can carry multiple locations, helping a service survive the loss of one repository address. It allows the certificate contents to change while the relying party continues to recognise the configured key. But the relying party still had to obtain and accept the TAL. If the wrong key is trusted, correct cryptography faithfully validates the wrong authority.
An NRS portable package needs its own bootstrap story. Who gives a network the first NRS key? How does the network know it is not an impostor? How are replacement keys announced? Can two NRS sites present different histories? What happens if a jurisdiction orders one host to remove data?
The answer should use several independent channels: published key ceremonies, widely witnessed checkpoints, reproducible verifier releases, multiple repository locations, member receipts and third-party archival copies. No single website session should be the only basis for trust.
Successor keys are better than a sudden cutover
RFC 9691 adds a Trust Anchor Key signed entity for planned RPKI trust-anchor key transitions. It lets a trust-anchor operator signal the current and successor keys and associated certificate locations. Supporting relying parties observe the successor over a defined acceptance period before moving, while older clients may continue with prior material until separately updated.
The specific RPKI mechanism should not be copied blindly into a different institution. Its value is the migration discipline. A future NRS root-key change should be announced by the old key, confirmed by the new key, witnessed across independent channels and allowed to coexist for a declared period. Relying parties should be able to test the successor before relying on it. A rollback plan should exist if histories diverge or verifiers fail.
Emergency compromise is harder because the old key cannot be trusted to bless its successor. Recovery should require threshold approval by separated custodians, an independent incident finding, public notice, preserved evidence and an opportunity for relying parties to pin the last uncontested checkpoint. No executive should possess a private override that silently replaces the root.
The migration record itself must be portable. A holder or operator should be able to verify why a later NRS signature descends from an earlier trusted state even if the old service location has disappeared.
Independent proofs should outlive the operator
Portability is weak if every proof must be fetched from NRS at the moment of use. An outage, legal restraint or organisational failure would remove verification. The holder should possess enough material to prove inclusion in a previously witnessed state, and independent observers should retain the corresponding commitments.
RFC 9162 defines Certificate Transparency mechanisms including signed tree heads, inclusion proofs and consistency proofs for an append-only log. NRS could adapt the structural idea to recognition events: periodically commit to an ordered history, let holders prove that a receipt was included, and let monitors test that a later history extends an earlier one.
The analogy has strict limits. Inclusion proves that data appeared in a committed history; it does not prove the claim was true, lawful or fair. Consistency proves an append-only relationship between committed states; it does not prevent a decision-maker from accepting bad evidence. Private or predictable facts can leak through careless commitments.
NRS would therefore need witnesses as well as a log. Universities, operators, civil-society groups, RIRs and commercial relying parties could retain signed checkpoints. A verifier should reject a history that cannot be reconciled with sufficiently diverse witnesses. The witness set must rotate transparently so it does not become a permanent club.
Correction must append, not erase
A portable record will eventually contain an error. If correction deletes the old entry, a holder cannot explain why a third party saw a different state yesterday. If immutability freezes the error, the system becomes an efficient distributor of falsehood.
The answer is append-only correction. The old statement remains as historical evidence, but its current status becomes superseded, corrected or revoked. The new event identifies the proposition changed, authority for the change, effective time, reason class and link to the prior entry. Public views default to the current state while verifiers can reconstruct history.
Disputed claims need their own state. A challenge should not automatically revoke the current holder, because that would make denial of service easy. Nor should the system conceal a credible conflict until final judgment. A bounded contested marker can identify the field, reviewing authority and next milestone without publishing allegations or private documents.
Every correction should produce receipts for the holder and affected issuer. A reporter may receive a narrower receipt. Independent monitors should observe the new commitment. If a corrected record was previously exported, NRS should publish a machine-readable revocation or supersession notice so downstream users do not continue presenting it as current.
RDAP continuity requires recognised discovery
RDAP gives number-resource users structured registration responses, but they first need to find the authoritative service. RFC 9224 defines IANA bootstrap registries for IPv4, IPv6 and AS number space. Clients match a resource to the listed service URL and query the authoritative server.
This means NRS cannot make an endpoint authoritative merely by listing it in a portable credential. The IANA bootstrap state and recognised registry delegation remain decisive for ordinary RDAP discovery. An NRS endpoint could provide a continuity view, historical evidence or a referral supplement, but it must label itself accurately until the recognised bootstrap path changes.
Portability can still improve RDAP. The holder package can record the previous and current authoritative base URLs, response hashes, event times and issuer receipts. During a migration, NRS can monitor whether old and new services agree, whether redirects work and whether IANA bootstrap data reflects the accepted authority. If a recognised service fails, a continuity endpoint can return the last witnessed state with a prominent age and authority notice.
The future goal could be a standard RDAP link relation for portable recognition evidence. Adoption would require open technical agreement and careful privacy treatment. It should not depend on a proprietary NRS client or a private licence.
RPKI continuity is a migration, not a copy
RPKI material cannot simply be copied from one certification authority to another. Certificates, revocation lists, manifests and signed entities validate through a particular chain and repository context. RFC 9286 uses manifests to help relying parties determine the expected publication set and detect specified forms of alteration or disappearance. RFC 8182 lets relying parties synchronise repository snapshots and deltas.
A portable transition must preserve the old chain long enough for relying parties to observe the new one. The current authority should issue appropriate successor or replacement material, the new repository should publish a complete valid set, and monitors should compare outcomes under both views. Withdrawals and revocations must happen in an order that avoids an unnecessary validation gap.
NRS could coordinate evidence around that transition without holding the root key. It can record who authorised the move, which resource scope is affected, when each repository state was witnessed, what validators observed and whether the holder accepted completion. If the old authority refuses, NRS can preserve the dispute and technical impact without pretending it can repair the recognised chain alone.
This evidence would be valuable during an RIR succession or emergency operator event. It would show which signed state existed before the institutional change and which holders confirmed the successor. Actual routing-security continuity would still depend on accepted trust anchors, valid certificates, repository availability and operator retrieval.
Adverse action is the reason to separate custody
RFC 8211 examines how a certification authority or repository manager can cause harm by deleting, changing or revoking RPKI material. The cause may be mistake, attack, legal compulsion or deliberate action, and the visible effect can look similar until remediation occurs.
If the same institution controls registration recognition, certificate issuance, repository publication, dispute judgment and every copy of historical evidence, one adverse act can affect the entire account of legitimacy. Portability should divide those powers.
The recognised registry may remain the authority for allocation records. The holder controls its continuity key. NRS preserves portable receipts and public commitments. Independent witnesses retain checkpoints. Separate reviewers decide NRS admission and disputes. Relying parties choose whether to accept NRS evidence and can pin prior uncontested states.
No arrangement eliminates coercion or compromise. Separation increases the number of independent failures required to erase history or fabricate continuity. It also creates evidence when authorities disagree. A registry can revoke its current certificate while a witnessed NRS record preserves the fact that the certificate previously existed and identifies the contested transition.
That preservation does not keep a revoked route valid. It protects the ability to review what happened, seek remedy and migrate lawfully.
Reverse DNS reveals the parent-delegation limit
Reverse DNS is another test of honest portability. Authority beneath in-addr.arpa and ip6.arpa follows a DNS delegation chain. RFC 3172 describes management of the arpa domain and the relationship between address allocations and reverse zones. IANA, RIRs and holders each may control a different boundary.
A holder can carry its preferred nameservers, DNSSEC material, prior delegations and change receipts in a portable package. It can operate the child zone continuously and prove that the same continuity key authorised new servers. None of that forces the parent to publish the delegation. Parent cooperation or recognised succession remains necessary.
NRS can make the gap visible. A verifier could show “holder zone ready; current parent unchanged,” “parent update accepted; propagation observed,” or “delegation contested.” Independent DNS checks can record the view from several networks. During a planned transition, old and new nameservers can coexist where technically appropriate.
This is what constrained portability looks like: preserve holder capability and evidence, reduce avoidable downtime, but state clearly which gate remains outside the holder’s control. A design that promises seamless reverse-DNS movement without parent authority would be misleading.
Transfer history should travel with the resource
IPv4 transfers, organisational successions and registry-boundary changes can fragment evidence. The source registry may retain one account, the recipient registry another, a broker a third set of records and the holder only email confirmations. Years later, a due-diligence reviewer may struggle to reconstruct why the current entry follows from the earlier one.
The portable record should create a transfer chain. Each event identifies source and recipient entities, affected resources, recognised approving authorities, effective time, superseded credentials, new continuity key and any conditions that can be disclosed. Both parties should receive signed receipts. Each RIR can attest only to the part it controls.
Confidential price, negotiations and identity documents need not be public. A cryptographic commitment can bind protected evidence to the event, with selective disclosure for a later dispute. The public needs enough to understand continuity without learning commercial terms.
Where policy does not permit a transfer, NRS must not relabel a private sale as recognised registration. It can record that parties assert an agreement and that the current registry does not recognise a change. Portability protects the evidence of disagreement; it does not manufacture consensus.
Recognition must be portable across corporate change
The holder itself is not static. A legal name can change while the entity continues. A merger can move rights to a successor. A group can reorganise assets among affiliates. Insolvency can place control with an administrator. A portable key tied only to an old company name may become unusable at the exact moment continuity matters.
NRS should define identity transition events with evidence standards. A simple name change needs current public registration and authority from the holder. A merger needs proof of succession and review of which resources moved. Insolvency may require official appointment records and limits on who can sign. Cross-border changes may involve more than one legal system.
The public record should preserve canonical names and dates without exposing personal documents. It should distinguish continuity of the legal entity from transfer to a different entity. The holder key may continue through a name change but should rotate or gain successor approval after a change of control.
Independent review is crucial where the same person claims both old and new authority. A portable system that accepts any corporate document uploaded by an account holder would make takeover fraud easier. Portability must reduce dependency on incumbent discretion without reducing identity assurance.
Avoiding capture requires structural exit rights
An institution created to reduce registry gatekeeping can become a new gatekeeper. NRS might control the recognition key, verifier software, member admission, evidence archive and commercial licences. If relying parties later depend on all of them, NRS could raise fees, favour partners or make exit technically painful.
The cure is not a promise of good intent. The record format, verifier and cryptographic rules should be open. Anyone should be able to validate a portable package without contacting NRS or accepting changing commercial terms. Holders should be able to export current and historical records at any time. Witnesses should be diverse and replaceable. Key custody should require multiple institutions.
Governance should prevent one member class, registry, broker, founder, state or investor from controlling recognition policy. Conflict rules should cover organisations that earn money from transfers or disputes. Major changes to evidence standards, fees, root keys or verifier behaviour should require public notice, reasoned decision and a delayed effective date.
Exit must be tested. NRS should periodically demonstrate that an independent team can reconstruct the public history, operate a verifier and continue witness service from escrowed materials without access to NRS’s live systems. A portability institution that cannot itself be ported has failed its central claim.
Recognition needs an independent appeal
NRS membership or recognition will sometimes be denied, suspended or revoked. If the same staff member investigates, decides and hears the appeal, signed receipts merely make concentrated discretion easier to document.
The first review should verify identity, resource evidence and conflict checks. A separate body should hear challenges. Its members need fixed terms, published qualifications, conflict disclosures and protection against removal for an unpopular decision. The appellant should receive the reasons and evidence class relied upon, subject to lawful redaction.
Urgent protective action may occur before a full hearing when a key is compromised or a duplicate claim threatens users. Such action should expire unless confirmed, notify affected parties and preserve the last uncontested state. A later reversal should restore current recognition and append the correction rather than erasing the interruption.
Courts and recognised registry dispute mechanisms remain relevant. NRS should say when it will defer, when it will preserve a separate evidentiary view and how competing orders are handled. It cannot make every jurisdiction agree, but it can prevent silent forum shopping.
Appeal outcomes should be published in aggregate: affirmance, modification, reversal, withdrawal and pending age. This evidence will show whether NRS corrects itself or merely certifies its first decision.
Privacy and portability must be designed together
Portable evidence can become a surveillance asset. A package may reveal corporate contacts, transfer timing, security arrangements, prior disputes and names of reviewers. If every relying party receives the full file, the cost of portability is unacceptable exposure.
The public core should therefore contain only what broad verification requires. Protected evidence can be encrypted for defined reviewer roles. A holder can disclose one proposition without disclosing the entire history. Public commitments can prove that evidence existed before a decision without revealing its content.
Revocation also matters for privacy. A personal contact removed from the current record may remain in historical evidence. Access controls and retention rules should limit who can retrieve it. Public history can refer to a stable role identifier rather than a person’s name. Legal erasure duties may require removal of personal content while preserving a commitment and reason for the change.
NRS should publish what each verifier sends to its servers. Ideally, offline verification reveals nothing about which resource a user is checking. Online status services should resist turning query logs into a map of commercial interest or investigations.
Privacy is not opposed to accountability. A carefully designed receipt can expose institutional authority, time and outcome while protecting the documents that justified it.
Continuity should fail in bounded ways
Every trust service eventually experiences failure. The key may be unavailable. A repository may be partitioned. Witnesses may disagree. A verifier may contain a bug. The design should state what users see and which last-known state remains usable.
Availability failure should not silently become authority failure. If NRS cannot publish a fresh checkpoint, a verifier can show the last witnessed time and decline to treat later claims as current. If one repository fails, other signed locations can serve the same committed data. If witnesses disagree, the verifier should surface the split rather than choosing the most convenient history.
A compromised holder key should not automatically invalidate every prior receipt. The system can mark the compromise time, rotate to a successor after review and preserve signatures made before the contested event. A compromised NRS signing key is more severe and should activate the independent recovery constitution.
Continuity exercises should test loss of a site, key custodian, cloud provider, governing body and legal entity. Results should identify recovery time, missing evidence and corrective actions. The public need not see sensitive restoration details, but it should know whether the institution has proved that it can survive itself.
Adoption should begin with evidence, not authority
The first phase is modest and achievable. NRS can issue portable membership receipts, holder continuity keys and append-only decision history for its own members. Independent witnesses can retain checkpoints. An open verifier can work offline. Appeals can be tested against real admission and suspension decisions.
The second phase can add voluntary number-resource attestations. Holders submit recognised registry records, RPKI references, RDAP responses and reverse-DNS state. NRS verifies that the cited public evidence existed and labels its authority precisely. The result is a portable dossier of recognised evidence, not a replacement registration.
The third phase requires partnerships. RIRs, national registries, transfer facilitators or other recognised entities could issue signed receipts directly into the portable format. Operators could use NRS continuity evidence during due diligence and incident review. Technical groups could standardise link relations and credential fields.
Only after broad adoption, independent audits, successful key rotations and tested succession should NRS ask whether any statement deserves trust-anchor treatment beyond evidence. Even then, relying parties should opt in for a defined purpose. No default should turn NRS membership into routing authority.
This sequence frames NRS positively because it gives the institution a credible path to significance. It avoids the fatal mistake of announcing authority before demonstrating reliability.
Performance must be measured against portability claims
NRS should publish measures that test its central promise. Can every holder export a complete verifiable package? How long does verification work after an account closes? What share of receipts have independent inclusion evidence? How many witnesses observed each checkpoint? How long do key rotations take? How many appeals change the first decision? Can an outside team reconstruct the public history from escrowed material?
Counts need denominators and limitations. A successful key ceremony with no relying parties proves little about adoption. A thousand signed attestations from one corporate group prove little about diversity. One recovery exercise does not establish resilience to every legal or technical failure.
Privacy measures belong beside availability. NRS should report access to protected evidence, unauthorised attempts, redaction requests and retention exceptions in aggregate. Governance measures should show conflicts, recusals, concentrated voting power and material commercial dependencies.
The most important measure is portability after disagreement. A former member, losing party or critic should still be able to verify prior receipts and export the record it is entitled to hold. If only satisfied members can demonstrate portability, the design has not faced its real test.
Independent assurance should inspect decisions, not ceremonies
Public key ceremonies are useful, but they can become theatre if assurance stops at hardware and signatures. The hard questions concern who was allowed to assert a resource, how conflicting evidence was handled, whether reviewers were independent, and whether corrections reached every public view.
An assessor should sample admissions, denials, key changes, corporate successions, disputes, suspensions and exits. It should reconstruct authority from evidence, verify receipts, test public commitments and confirm that a holder can leave with a usable package. It should attempt recovery from backups and compare checkpoints retained by witnesses.
Technical testing should include divergent repository views, stale data, malicious replacement, compromised holder keys and verifier downgrade. Governance testing should inspect concentrated control, related-party decisions, reviewer conflicts and emergency powers. Privacy testing should ask whether commitments reveal predictable facts.
The report should separate design compliance from effectiveness. NRS may follow every rule and still produce false recognition if the evidence standard is weak. It may operate robust cryptography while appeals are inaccessible. A portable trust anchor earns confidence when the institution corrects both technical and judgment failures.
The strongest objections improve the design
One objection is that another recognition layer adds complexity. That is true. A poorly designed NRS credential could confuse operators and create duplicate claims. The answer is narrow propositions, precise authority labels and verifiers that show disagreement rather than hiding it.
A second objection is that portability weakens policy compliance. A holder might use NRS to evade a registry’s transfer restrictions or revocation. The answer is that NRS evidence cannot change recognised authority. It preserves the holder’s case and history while leaving policy decisions visible.
A third objection is that incumbents will not cooperate. Some may see portable receipts as a challenge. NRS can begin with public evidence and holder-controlled records, then demonstrate reduced dispute cost and better continuity. Cooperation becomes attractive when receipts lower the burden of reconstructing old cases.
A fourth objection is that cryptography cannot solve institutional legitimacy. Correct. It can make alteration, inclusion, succession and inconsistency more observable. Legitimacy still requires fair rules, competent verification, review, diversity and continued recognition.
A fifth objection is that NRS itself may be captured. That is the defining risk. Open formats, independent witnesses, export rights, distributed key custody and tested institutional succession are not optional extras; they are the conditions of the claim.
The current evidence remains limited
The proposal extends beyond demonstrated NRS capability. Public NRS materials establish an advocacy position, membership terms and institutional ambition. They do not show an operating number-resource certificate authority, a globally accepted trust anchor, a witnessed append-only recognition history, independent appeals at scale, cross-RIR signed receipts, or tested RDAP, RPKI and reverse-DNS migration.
The wider standards establish useful building blocks but not the proposed institution. RPKI trust-anchor key transition solves a defined certificate problem. RDAP bootstrap identifies recognised authoritative services. Transparency logs support bounded proofs. Reverse DNS follows parent delegation. None appoints NRS or guarantees that operators will accept its statements.
Costs are also unknown. High-assurance identity review, key custody, witness diversity, privacy protection, appeals and long-term preservation are expensive. Small holders must not be excluded by a design affordable only to large brokers and networks. Sustainable funding without control by one commercial class remains an open question.
These limitations should be treated as the NRS agenda, not as reasons to abandon it. A future direction becomes credible when unknowns are named before authority is claimed.
Watch the boundaries that can quietly collapse
As NRS develops, observers should watch whether a membership credential starts being marketed as proof of resource title. They should check whether self-assertions are visually distinct from RIR attestations, whether disputes travel with exports, and whether the verifier accepts only NRS-hosted data.
They should watch key custody. Who can activate emergency powers? Can one executive or vendor replace the root? Are successor keys witnessed long enough? Can relying parties retain the last uncontested state?
They should watch recognition economics. Do transfer brokers, large holders or registry partners gain privileged admission? Are fees public and comparable? Can a former member verify receipts without payment? Does an appeal require resources beyond a small operator’s reach?
They should watch interoperability. Do RDAP links use open conventions? Does RPKI evidence validate with standard relying-party tools? Can reverse-DNS status be checked independently? Are exports complete, documented and durable?
Above all, they should watch whether NRS publishes failures. A portable trust institution that reveals only successful ceremonies and growing membership has not demonstrated accountability.
Recognition should move without becoming unmoored
The Internet Numbers Registry System needs durable authority and the ability to change. Those goals appear to conflict only when the incumbent record is the sole container of institutional memory. Portable evidence lets a holder move identity, certificates, repositories and services while preserving the recognised chain and every contested break in it.
NRS can make this its defining contribution. It can give holders continuity keys, signed receipts, independent witnesses, append-only correction, export rights and a disciplined route from one recognised state to another. It can help operators verify history without demanding blind trust in either the holder or the incumbent registry.
The word “anchor” should remain demanding. NRS must be harder to capture than the gatekeepers it criticises, easier to leave than the institutions it seeks to improve, and more honest about the limits of a signature than the market for certainty usually allows. It must prove succession before promising permanence and prove independent review before asking for deference.
If it does that, portability will not fragment number-resource authority. It will make authority more resilient by ensuring that recognition history, holder evidence and service continuity do not disappear when one institution changes. That is a future worth building, and one that can begin without pretending it already exists.
Sources
- Number Resource Society, Our Charter - NRS’s first-party case for accurate registration, restrained registry power, free enterprise, transparency and voluntary recognition; it establishes advocacy, not operational trust-anchor capability.
- Number Resource Society, Membership Terms - identifies existing admission, information-request, suspension and termination decisions that could serve as an initial test of portable receipts and independent review.
- IETF, RFC 7020: The Internet Numbers Registry System - documents the IANA-RIR-LIR hierarchy, uniqueness and registration-accuracy requirements, while separating registry functions from routing operations.
- IETF, RFC 6480: An Infrastructure to Support Secure Internet Routing - describes the RPKI hierarchy, resource certificates, repositories and ROAs and bounds what a certificate chain establishes.
- IETF, RFC 6487: A Profile for X.509 Resource Certificates - specifies binding of keys to enumerated Internet number resources, non-descriptive subject naming, publication references and certificate validation limits.
- IETF, RFC 8630: RPKI Trust Anchor Locator - defines TAL locations and public-key verification, making bootstrap choice, multiple repositories and key-compromise risk explicit.
- IETF, RFC 9691: A Profile for RPKI Trust Anchor Keys - defines current, successor and predecessor key signalling and a staged acceptance model for planned trust-anchor transitions; used as a migration lesson, not proof of NRS deployment.
- IETF, RFC 8211: Adverse Actions in the RPKI - analyses certificate-authority and repository actions that can harm resource holders and supports separation of authority, evidence and custody.
- IETF, RFC 9286: Manifests for the RPKI - describes signed publication inventories and bounded detection of alteration or disappearance, with known replay limits.
- IETF, RFC 8182: The RPKI Repository Delta Protocol - defines repository snapshots, deltas, hashes and synchronisation used to reason about observed state during migration.
- IETF, RFC 9224: Finding the Authoritative RDAP Service - establishes IANA bootstrap discovery for authoritative number-resource RDAP services and limits any claim that an NRS endpoint is authoritative by declaration.
- IETF, RFC 3172: Management Guidelines for the ARPA Domain - grounds the parent-delegation limits on reverse-DNS portability beneath
in-addr.arpaandip6.arpa. - IETF, RFC 9162: Certificate Transparency Version 2.0 - supplies the bounded structural analogy for signed tree heads, inclusion proofs, consistency proofs and independent monitoring.
- Number Resource Organization, RIR Governance Document Version 2 - August 2025 draft language on accurate services, continuity, emergency operators, audits and dispute mechanisms; it neither appoints NRS nor proves adoption.
- Number Resource Organization, SLA for IANA Numbering Services - demonstrates that explicit continuity and performance relationships can exist at a recognised numbering-services boundary without creating a portable holder credential.

