Summary

  • Number-resource registration has a narrow but indispensable public purpose: keep allocations unique, identify the party recognised for a range or ASN, and preserve accurate information needed for operations. None of those functions logically requires the recorder to own the economic interest it records.
  • A future Number Resource Society should distinguish four roles that can coincide but need not: the recognised holder, the live network operator, any party with a bounded commercial or security interest, and the qualified provider maintaining the authoritative registration service.
  • NRS custody should mean custody of evidence and continuity, not custody of the underlying economic benefit. A provider could verify identity, authority, succession and transfer completion while remaining unable to use, lease, pledge, sell, return or route the resources for its own account.
  • Every accepted change should have a provable basis, effective time and supersession history. Finality should prevent two providers from presenting two current holders, but it should not immunise fraud, erase a court order or prevent a reasoned correction.
  • Segregation is the institutional safeguard. Holder records, access credentials, deposits, evidence and continuity copies should remain separable from the provider's own assets and available to a qualified successor if that provider fails.
  • Fees should pay for registration service, not become an undefined power to capture value. Non-payment may justify proportionate service measures under clear terms, but should not silently vest the resource interest in the recorder or permit an unreviewed forfeiture.
  • NRS's public emphasis on operator rights, accurate registration and bounded registry authority supports this direction. It does not establish that the complete model is deployed, legally recognised across jurisdictions or proven at global scale; those results would have to be demonstrated through transparent pilots and independent review.

The register must be strong enough to be trusted and weak enough not to own

Every durable register contains a temptation. The institution that decides which entry is current can begin to speak as if it created the interest, granted every right attached to it and may withdraw the interest whenever its own institutional preferences change. Administrative custody then becomes a claim of dominion.

Internet number registration makes that temptation unusually consequential. The recognised holder entry can affect transfer, reverse DNS, route-origin authorisation, incident contact, due diligence and the confidence of customers or lenders. A mistaken or inaccessible entry can interrupt real businesses even though a registry does not command routers across the Internet. The record is not the network, yet the record can determine who is able to obtain many of the credentials and acknowledgements on which an orderly network depends.

The answer is not a weak register. If anyone can present a competing record, uniqueness disappears. If history can be rewritten without evidence, fraud becomes cheap. If an incumbent can ignore succession or refuse every correction, the register ceases to describe reality. The answer is a strong but limited institution: decisive about the state it is authorised to maintain, modest about the economic rights it does not adjudicate.

This is the central promise behind custody without confiscation. NRS should be able to say that a stated provider verified a stated change for a stated prefix at a stated time. It should not, merely by keeping that record, become entitled to the holder's lease revenue, sale proceeds, customer relationships, equipment, routing decisions or residual value.

That boundary must be architectural rather than rhetorical. A charter saying that providers are bookkeepers is useful. Contracts, data segregation, authority rules, portability, independent appeal, liability and tested succession are what make the statement credible when money or control is contested.

Registration accuracy is a coordination function, not a conveyance to the recorder

RFC 7020 describes registration accuracy as a core requirement of the Internet Numbers Registry System. The register is meant to ensure that IP addresses and AS numbers are not allocated to more than one party at the same time and to provide accurate information for operational purposes. It also says that route announcement decisions sit outside the registry system's scope. Those propositions identify a demanding public function while keeping it bounded.

Uniqueness requires an answer to a precise question: which allocation or registration state is current? Accuracy requires evidence that the named party and contact information correspond to that state. Neither requirement answers every legal question surrounding the commercial interest. A lender may have a security interest. A customer may have a lease. A shareholder may control the holding company. A court may restrain a transfer. The register can reflect relevant effects without becoming the owner or universal judge of those arrangements.

APNIC's active resource policy makes the distinction explicit within its own regional framework. It states that delegation or registration does not confer ownership and describes account holders as custodians rather than owners. That language is not a global judgment about every legacy allocation, contract or jurisdiction. It is nevertheless decisive evidence that the technical goals of registration can coexist with a denial that a database entry itself grants freehold title.

NRS can take the institutional lesson without importing every APNIC legal conclusion. Its service should verify who is recognised under the applicable rules and what change has been completed. Where parties use ownership, licence, holdership, assignment, custody or registration-right language, the record should preserve the applicable label and source rather than flattening them into a universal theory.

The result is stronger evidence, not evasive ambiguity. A qualified provider can certify the fact within its competence: "Organisation A is the current recognised holder in this registration system." It should not extend that certification into "Organisation A has indefeasible property title against every claimant under every law" unless an independent legal basis actually supports that larger proposition.

NRS should hold evidence, not the economic interest

"Custody" can describe several very different relationships. A securities custodian may hold customer assets subject to segregation and return obligations. A land registry keeps an authoritative title record but does not move into every house. A registrar maintains a domain relationship while the registrant continues to use the name. A warehouse holds goods physically without becoming their beneficial owner. The legal details differ, but the governance principle is recognisable: control necessary for safekeeping must not be confused with a right to appropriate value.

For NRS, the entity of custody should be stated narrowly. The service provider would hold or maintain identity evidence, authority instruments, a history of accepted registration states, contact and operational relations, proofs associated with completed changes, and continuity copies needed for recovery. It may also hold cryptographic material or supervise credential rotation under carefully divided control. These are records and service capabilities.

The provider should not receive a general economic interest in the address range or ASN. It should not book a holder's resource as its own inventory. It should not pledge the holder's expected transfer proceeds for the provider's debts. It should not lease unused space for its account, direct a sale to an affiliate or route the prefix to monetise traffic. It should not treat a service fee dispute as authority to appropriate the subject of the registration.

This separation should survive insolvency. If a registration provider fails, its creditors should encounter records held for continuity and obligations owed to holders, not an apparent pool of number-resource interests available for the provider's estate. The exact legal mechanism would depend on governing law: trust, agency, bailment, contractual segregation, statutory protection or another recognised form. NRS should not pretend one form works everywhere. It should require a legal opinion for each provider and publish the functional protections achieved.

The practical test is simple. Can the provider preserve and transfer the registration service when it fails without selling the holder's economic interest to satisfy the provider's own creditors? If the answer is uncertain, custody is not yet separated from confiscation risk.

Four roles should never be compressed into one ambiguous owner field

A future record should distinguish the recognised holder, the network operator, the commercial-interest party and the registration provider.

The recognised holder is the person or organisation accepted in relation to the number resource under the governing registration arrangement. That status may carry duties, access rights and authority to request certain changes. It does not necessarily identify every beneficiary, lender or operator.

The network operator is the organisation making operational use of the range or ASN. It may announce routes, serve customers, maintain reverse DNS, coordinate route-origin authorisations and answer abuse or technical incidents. The operator may be the holder, an affiliate, a lessee, a customer or a managed-service provider. BGP observations can help identify live use, but they do not prove the complete contractual mandate.

A commercial-interest party may receive lease revenue, hold a security interest, own shares in a special-purpose vehicle, possess an option, act as trustee or claim transfer proceeds. Some of those interests matter to a proposed change; others do not. A passive investor should not receive routing authority merely because it shares in returns. A lender's consent right should not make the lender the registered holder before enforcement.

The registration provider verifies and maintains the state. It can authenticate requests, test authority, preserve history and publish bounded attestations. It should have no residual commercial claim solely because it performed those services.

These roles need explicit verbs. "Holds," "operates," "has a registered security notice," and "maintains the registration service" are more informative than "owns." When roles coincide, the record can say so. When they diverge, the divergence is not a defect; it is a fact that needs the correct evidence and access treatment.

Confiscation risk begins when one role is allowed to swallow the others. A provider becomes dangerous when record custody is treated as beneficial ownership. An operator becomes dangerous when technical control is treated as transfer authority. A lender becomes dangerous when a notice is treated as present title. Precise roles prevent all three errors.

The authority to verify a change is narrower than the authority to create a right

An NRS-compatible provider should verify changes to a recognised registration state. Verification asks whether the requesting party is authentic, whether it has authority for this action, whether the affected resources are exactly identified, whether required consents or conditions are present, and whether the proposed result conflicts with another current state.

That is not the same as creating the parties' underlying rights. A merger instrument, sale agreement, court order, trust deed, insolvency appointment or succession law may create or alter authority outside the register. The provider assesses whether the evidence satisfies the published registration standard. It should not rewrite the transaction, take a share of its economics or claim that the commercial interest exists only because the provider approved it.

The distinction resembles the difference between a deed and a land-register correction. HM Land Registry's rectification guidance expressly separates a mistake in the register from a mistake in a deed submitted for registration. The registrar's power to correct the register does not become a general power to reform the parties' deed. That regime is jurisdiction-specific and concerns land, not Internet numbers. Its value here is conceptual: a recorder can be authoritative about its own record while remaining bounded by the legal instruments it records.

NRS should encode this distinction in every decision. An acceptance should identify the evidence class, verification performed, result, effective time and scope. A refusal should identify the unmet registration requirement. Neither should pronounce on unrelated commercial disputes.

Suppose a buyer and seller disagree about an earn-out after a completed transfer. The provider should not reverse the holder record unless the transfer instrument, governing law or competent decision makes that dispute relevant to registration validity. Conversely, if a signature was forged, the provider should not say the sale contract is a private matter and ignore a corrupted record.

Bounded verification creates responsibility. The provider cannot evade an identity failure by saying it owns nothing, and it cannot appropriate value by saying that it alone creates every right. It is accountable for the quality of the change it verifies.

The record should contain one current state and a complete chain of supersession

Custody without confiscation still requires finality. A holder cannot finance, operate or transfer a range confidently if several providers can each issue a plausible current certificate. The system needs one accepted current state for each registrable unit and a way to prove that earlier states have been superseded.

Finality should arise from coordinated state transition, not institutional ownership. Each change would carry a unique transaction reference, the exact prefix or ASN, the prior state reference, the new state, the evidence authority, required signatures, the effective time and a status such as pending, completed, restrained, superseded or corrected. Completion consumes the authorised instruction so it cannot be replayed.

The losing provider, gaining provider and shared coordination layer should agree the cutover result. If the losing provider is unavailable, an independent continuity authority should be able to complete the transition from verified copies and defined evidence after notice and a bounded challenge period. Silence should not create permanent custody, but neither should a rapid port erase a valid dispute.

History matters because a current name alone cannot explain a contested change. An auditor may need to know that Organisation A was recognised until a merger became effective, that Organisation B succeeded it, and that a later correction changed only an address or contact. A lender may need proof that its notice predated a proposed transfer. An operator may need to show that it had authority during an incident window.

History should be append-only in the practical sense that completed states remain visible to authorised reviewers. Correction adds a new, linked decision rather than silently altering the past. Personal information can be minimised, access-controlled or retained for a defined period; preserving an evidentiary chain does not require publishing every document forever.

This model protects holders from arbitrary rewriting and protects the public from duplicate claims. The provider's power is to maintain coherent sequence, not to convert sequence into title for itself.

Portability is the proof that custody is not possession

An institution can promise that it is merely a custodian while making departure practically impossible. If the holder cannot move a complete verified record to another qualified provider, the incumbent retains a form of possession through dependency.

Portability should therefore be a constitutional feature of NRS custody. The holder should be able to change the provider maintaining its registration service without changing the holder, selling the resource, relocating the network or renumbering. The port would move service responsibility and evidence continuity, not the economic interest.

Several distinctions are essential. Provider portability is not a transfer between holders. It is not a BGP route announcement. It is not necessarily an inter-RIR transfer or a change in the policy applicable to the resource. It is not permission to escape a court order, sanctions restriction, fraud inquiry or valid security restraint. Those conditions should follow the record with defined scope.

The domain-name system offers a bounded comparator. ICANN's Transfer Policy standardises movement between accredited registrars, requires authentication and evidence retention, limits denial grounds and gives the registry operator a role in validating the transfer command. Registrant continuity can survive a change of registrar. Domain names and Internet numbers differ technically, legally and institutionally, so the policy cannot simply be copied. It nevertheless demonstrates that a recorder can be replaceable while a shared layer preserves one recognised state.

ICANN's registrar data escrow and bulk-transition arrangements supply another lesson. Registration data is deposited so that names can be moved when a registrar fails or loses accreditation. The registration does not become the failed registrar's asset merely because that registrar managed it. Again, the analogy is not authority for NRS. It is evidence that continuity copies, successor selection and provider replacement are operationally intelligible concepts.

Custody becomes credible when a holder can leave with the complete record and no duplicate current state remains behind.

Segregation must cover records, credentials, money and legal claims

Financial custody regimes insist on segregation because labels alone do not protect customers during failure. The US Securities and Exchange Commission's customer-protection materials explain that broker-dealers holding customer securities and cash must keep protected assets apart from proprietary use under specified rules. Number resources are not securities, and NRS should not claim the authority or protections of US securities law. The comparator clarifies what serious custody design asks: whose asset or evidence is this, who may use it, and what happens when the intermediary fails?

NRS providers should answer those questions across four categories.

First, evidentiary records should be logically segregated by holder and replicated into independently controlled continuity storage. Provider employees should have role-limited access. A holder should be able to obtain a verified export without depending on one account administrator.

Second, credentials should be divided. No provider employee should possess an unrestricted combination that allows an unauthorised holder change, ROA change and deletion of recovery evidence. High-impact actions should require holder-controlled authentication plus provider verification, with emergency procedures that create conspicuous records.

Third, money should be separated. Prepaid fees, transaction deposits or indemnity funds should not be mixed casually with operating cash. If a settlement service holds purchase funds, it should use an appropriate regulated or legally protected arrangement rather than treating the money as provider working capital.

Fourth, legal claims should be disclaimed and structured. Provider contracts should state that maintaining a registration does not create a beneficial interest for the provider, its shareholders or creditors. Each jurisdictional implementation should explain whether that result survives insolvency and what a successor can obtain.

Segregation has costs. Independent storage, audits, dual control, insurance and legal structuring are not free. Those costs should be visible service charges. They are preferable to the hidden price of discovering during failure that the supposed custodian treated the record, credentials or proceeds as its own.

Public evidence should be useful without exposing the entire commercial arrangement

Custody without confiscation is not secrecy without accountability. A register that hides every relevant fact cannot support operations or trust. A register that publishes every contract, beneficiary and price can create privacy, security and commercial harm without improving uniqueness.

The public view should identify the resource, recognised holder, registration provider, status, effective date, relevant operational contacts or contact relay, and any public notation necessary to prevent misleading reliance. It may state that an operator relation or security notice exists without disclosing private terms. It should provide a means to verify that an attestation is genuine and current.

A protected assurance view can hold identity evidence, authority instruments, beneficial-control declarations where required, operator mandates, security notices, change proofs and review history. Access should be tied to a defined purpose and role: the holder, an authorised operator, a lender with a recorded interest, an auditor, a receiving provider or another party with consent.

Courts, insolvency officeholders and competent authorities may require broader access under applicable law. The system should authenticate the demand, record scope, disclose only what is required and preserve a challenge or notice route where law permits. NRS should not invent a global immunity from lawful process, nor should a provider voluntarily expose every private file because an informal request invokes authority.

Public labels need restraint. "Verified holder" means the provider completed the published holder verification; it does not certify solvency or good character. "Operator attested" means an operational relation was evidenced for a period; it does not guarantee every route. "Security notice active" signals a recorded condition; it does not decide priority against all claimants.

Accurate scope makes the public record more credible. Readers can know what is established, what remains private and which institution is responsible for the statement.

Fees must buy service rather than an option to seize the subject

Every registration system needs funding. Identity checks, secure operations, continuity storage, audits, dispute handling and customer support cost money. The fact that fees are necessary does not answer what remedies are legitimate when they are unpaid.

An NRS provider should publish fee classes, notice periods, dispute rights and consequences. Ordinary arrears might limit optional services, suspend non-critical account changes or trigger a port to a basic continuity provider. A provider could recover a contractual debt through normal legal means. None of those measures should silently transfer the economic interest to the provider.

Critical continuity should have a protected floor. The public holder record, emergency contact, evidence preservation, dispute notation and ability to move to a successor should not vanish the moment an invoice is late. Otherwise a small service debt can become leverage over a much larger operating asset.

There may be circumstances in which applicable policy or contract permits deregistration, return or revocation. Such action should identify the substantive ground, affected resource, decision maker, evidence, notice, effective time and review route. It should not be described as an automatic incident of custodial ownership. The provider is executing a published rule, not repossessing its own inventory.

Transaction fees present another risk. A percentage of value can align the provider with inflated prices or create a de facto tax on exit. A flat or cost-based fee may be fairer for verification, though complex cases can justifiably cost more. NRS should test fee structures openly and prevent a provider from delaying a port to preserve recurring revenue.

The strongest anti-confiscation rule is an exit right. If fees rise or service deteriorates, the holder can move the complete record to another qualified provider after paying genuinely due, non-disputed charges that the rules allow to affect transfer. Unrelated commercial debts should not become a lien over portability by default.

Corrections need due process because a false record can confiscate in practice

A record can deprive without declaring forfeiture. If an authorised holder is replaced by a fraudulent claimant, or if a correction request remains unresolved while access credentials are disabled, the economic and operational effect can resemble confiscation.

NRS should treat correction as a first-class service. A claimant should be able to identify the affected state, alleged defect, supporting evidence and requested remedy. The current holder should receive notice unless doing so would create a documented security risk or violate law. A neutral reviewer should distinguish contact correction, identity correction, succession, unauthorised transfer, duplicate claim and dispute about an underlying private agreement.

Temporary measures must be proportional. A credible credential-compromise report may justify freezing holder transfer while leaving incident contacts and routing-related services functioning. A dispute over sale proceeds should not automatically disable reverse DNS. A claim concerning one /24 should not freeze an unrelated portfolio. Each restraint needs scope, reason, reviewer and expiry or review date.

The decision should explain the registration question answered. If the evidence establishes a forged transfer instruction, the provider can restore the prior state and link the correction. If two parties present conflicting legal orders, the provider may preserve the state and seek direction from the appropriate forum. If the dispute concerns warranties after a valid transfer, the provider may leave the record unchanged while noting an applicable restraint.

Appeal cannot be solely to the employee who approved the original action. Providers should fund an independent review arrangement with published competence and conflict rules. Urgent access to a court or competent authority remains available under applicable law.

Finality and correction are not opposites. Operational finality tells relying parties which state is current. Correctability prevents the register's own mistake from becoming an unreviewable taking. A serious custodian needs both.

Courts and public authorities should restrain actions, not inherit the provider's ambiguity

Legal orders are often more precise than the systems receiving them. A court may restrain transfer, preserve evidence, recognise an officeholder or direct correction. If the registry has only a single undifferentiated control switch, every order can become a total shutdown.

NRS should represent legal effects as scoped conditions. A transfer restraint prevents a change of holder. An operational continuity order may preserve service while ownership or contract claims are litigated. An insolvency appointment changes who may instruct certain actions. A sanctions rule may prohibit service to a person or transaction under specific law. An evidence-preservation order protects history.

The provider should verify authenticity and jurisdictional relevance but should not privately broaden the remedy. A transfer restraint does not necessarily require route withdrawal. A demand for records does not necessarily authorise public disclosure. A judgment concerning a holding company may require analysis before changing every subsidiary relation.

Portability must carry valid restraints. A holder cannot escape an applicable order by moving providers. The receiving provider should receive the signed condition, scope, issuing authority, review date and disclosure limitations. The old provider should not retain service custody merely because a condition exists; continuity can move while the restraint remains effective.

This design also protects authorities. A clear record shows which provider is responsible, what action is restrained and when a review is due. Orders are less likely to be lost in an inbox or interpreted as indefinite global control.

NRS would need jurisdictional agreements, provider legal capacity and conflict-of-laws procedures before this model could be trusted across borders. A charter cannot resolve those questions. The positive case is that a bounded service can make legal effects more exact while refusing to convert every legal interaction into a claim that the registry owns the resource.

Legacy records require humility, not a presumption of institutional title

Some number-resource records predate current agreements, organisations or evidence standards. Companies have merged, dissolved, renamed and moved. Contacts have left. Old letters may be incomplete. A current provider may possess the only readily available registration history without possessing the original legal context.

NRS should not solve that evidentiary weakness by declaring that whatever the incumbent holds belongs to the incumbent. Nor should it accept every current operator as the holder. Operation, historical allocation, corporate succession and contractual recognition are separate evidence streams.

A legacy review should identify the earliest available allocation or assignment evidence, subsequent recognised changes, corporate continuity, current operation, prior registry correspondence and any competing claim. Gaps should be described as gaps. Confidence can be graded by evidence quality, but a grade should not invent a missing fact.

Where the current state is uncontested and operationally relied upon, continuity may be preserved while better evidence is collected. Where credible claims conflict, a notation or targeted restraint may be appropriate. The burden and forum should reflect the proposed action: correcting an email address is different from displacing a long-recognised holder.

The provider should publish its legacy method and avoid retroactively imposing impossible documents without alternatives. Affidavits, corporate archives, historical routing evidence and third-party records may contribute, though none should be treated as automatic title.

There is no complete denominator for legacy records with missing authority evidence across all current registries. Public data does not reveal every private agreement, failed company or rejected correction. NRS should not advertise a universal error rate. A pilot can report the number reviewed, evidence classes encountered, disputes raised and outcomes within that participating set.

Humility is a control mechanism. It prevents the custodian's possession of an old file from becoming a claim to the value the file describes.

Technical authority must remain separate from registration authority

An accurate holder record does not by itself originate a route. BGP propagates routing information among networks. A Route Origin Authorisation allows a holder within the RPKI framework to state which autonomous system is authorised to originate specified prefixes, but a ROA is not a sale contract or proof of beneficial ownership. Reverse DNS delegation and IRR data add further operational surfaces.

NRS custody should map these dependencies without collapsing them. The holder may authorise an operator to request or maintain a ROA. The provider may verify that mandate and issue or coordinate the relevant service. The operator remains responsible for network configuration. A commercial beneficiary receives no technical authority unless the holder grants it.

During provider portability, technical services need explicit continuity treatment. Existing valid entities should not disappear merely because the service administrator changes. New authority should become effective in an ordered sequence, and old provider access should be revoked after successful cutover. The transition should avoid an interval in which no one can respond to an abuse report or maintain necessary credentials.

The provider's emergency power should also be bounded. Credential compromise may justify suspension or rotation of a specific capability. It should not become an unrestricted right to change the holder or appropriate revenue. Every emergency action needs a record, scope and later review.

Technical evidence can support verification. Long-standing operation, consistent origin history and control of relevant systems may corroborate a claimed relation. It cannot replace legal and organisational evidence when the question is holder succession or transfer authority.

This separation protects NRS from becoming a super-operator. Its value would lie in coordinating trustworthy authority and continuity, not in routing every member's traffic or holding all operational keys.

Governance must prevent NRS from becoming the new confiscating monopoly

An institution created to limit registry power can reproduce the same power at a higher layer. If NRS alone accredits providers, controls the only state service, decides every appeal and owns the continuity copies, its promise of non-confiscatory custody depends on permanent institutional virtue.

The safer design separates functions. Independent standards governance defines minimum evidence and interoperability. Multiple qualified providers deliver registration service. A continuity operator maintains replicated recovery capability under divided control. An appeal body reviews contested provider decisions. Auditors test controls. Holders and operators participate in rulemaking, but no single commercial bloc can rewrite rights secretly.

Accreditation should test technical security, financial resilience, legal segregation, staff competence, continuity, insurance, conflict management, audit access and ability to port records. Entry cannot be purely political, and exit cannot erase obligations. A failed provider should be suspended from new business while existing records move safely.

Provider incentives deserve scrutiny. A provider affiliated with a broker, lender or large operator may favour related transactions. Disclosure and recusal help, but some combinations may need structural separation. NRS itself should disclose funding sources and prevent a major sponsor from acquiring privileged record access.

Rule changes affecting holdership, portability or correction should require notice, reasoned analysis and transition protection. They should not retroactively convert custody into title. Emergency changes need expiry and review.

Independent liability matters. If a provider accepts a forged instruction through negligent verification, "we are only a bookkeeper" is not a defence to every consequence. If it refuses a valid change without reason, portability and appeal should provide remedy. Conversely, the provider should not guarantee market price, routability or the truth of facts outside its verification scope.

Institutional legitimacy comes from exact responsibility. NRS should be powerful where coordination requires one answer and constrained wherever economic ownership or lawful private choice belongs elsewhere.

The anti-confiscation contract should be readable before a dispute

Holders should not need a crisis to discover what custody means. Each provider agreement should answer a short set of questions in direct language.

What exactly does the provider maintain? Which evidence may it request? Which actions can the holder perform? Which actions can an operator perform? Can the provider change or terminate service, on what grounds and after what notice? What remains available during a fee dispute? How is the record exported? Who can receive continuity data? What happens if the provider fails? Which law and forum govern? What liability, insurance and indemnity apply?

The agreement should state that the provider receives no beneficial interest solely by maintaining the registration. It should prohibit proprietary use, unauthorised pledge and affiliate transfer. It should distinguish an administrative lock from a substantive determination that the holder's interest ended.

Change procedures should be incorporated by stable reference and archived by version. A holder must be able to prove which rules applied when a transaction completed. Material changes need advance notice and a practical chance to port before they bind, except for narrowly defined emergency security measures.

The contract should also protect the provider from impossible expectations. Registration does not guarantee global route acceptance, market value, creditworthiness, absence of litigation or validity of every private agreement. Verification assurance should have a stated level and scope.

Plain language is not cosmetic. Ambiguous contracts transfer discretion to the institution with the credentials and records. Exact language transfers risk to the party able to manage it. The holder can maintain evidence and pay fees. The operator can secure the network. The provider can verify and preserve state. An external forum can decide disputes beyond the provider's competence.

Custody without confiscation should be visible in these allocations of duty, not confined to a slogan.

A pilot should measure separation rather than announce success

The proposed model has not supplied a public, multi-regional performance record. NRS should earn confidence through a bounded pilot whose claims never exceed its participating denominator.

The pilot could enrol a defined number of volunteer holders, providers and operators across disclosed legal settings. It should test ordinary holder verification, operator mandates, provider ports, succession, a disputed request, provider outage, credential recovery, continuity-copy restoration and correction. Synthetic cases can test severe conditions without endangering live networks; selected live service changes can test operational reality under consent.

Measures should include completion time by event type, evidence requests, authentication failures, duplicate-state detections, unauthorised changes prevented, reversals, unresolved disputes, service interruptions, continuity-export completeness, recovery time, entity cost and independent-control findings. Each result should state the number of eligible cases and the number observed.

The pilot should also test the anti-confiscation claim directly. Auditors can examine whether provider creditors could reach holder interests under each legal structure, whether records are separable, whether a provider can use credentials for itself, whether fees can block exit, and whether a successor can restore service without acquiring the economic interest.

Negative results should change the design. If porting duplicates authority, the cutover state is inadequate. If evidence cannot be restored, escrow is decorative. If a provider can delay every exit by opening a generic review, portability is not real. If courts cannot identify the responsible provider, jurisdictional mapping is incomplete.

No global prevalence, error, dispute or confiscation rate can be inferred from a volunteer pilot. The denominator of all holders, private transactions and unreported failures remains unavailable. The pilot can establish whether defined controls work for the cases tested and what needs repair before expansion.

Evidence-bounded optimism is stronger than promotional certainty. NRS should publish enough to let holders, operators and independent reviewers decide whether its custody is genuinely limited.

The economic gain comes from making institutional claims smaller and evidence stronger

Markets discount ambiguity. A buyer pays less when it cannot tell whether the seller can cause a recognised change. A lender advances less when the collateral depends on one institution's unexplained discretion. An operator invests less confidently when a fee or governance dispute can disable essential registration services. These effects do not require the register to own the resource; they arise because record reliability affects enforceability and continuity.

Custody without confiscation improves that position through narrower claims. The provider certifies identity and completed state. The holder retains the commercial interest. The operator retains bounded technical authority. A lender can record a notice without becoming the holder. A court can restrain an action without receiving every credential. A successor can continue service without buying the underlying interest.

This division can reduce diligence friction and institutional concentration risk. It cannot guarantee a price. IPv4 markets are heterogeneous, legal characterisation differs, routing reputation varies, and future demand is uncertain. No selected source supplies a global premium attributable to custody reform.

The benefit should therefore be tested transaction by transaction. Did verified history shorten diligence? Did a portable record reduce legal reservations? Did continuity protection change a lender's collateral haircut or covenant? Did providers compete on price and service? Did correction become faster without increasing fraud?

Some entities may see no financial change. A strong incumbent relationship may already satisfy them. Others may value portability mainly as governance insurance. The model succeeds if it makes those choices available while preserving one coherent registration state.

The ultimate economic discipline is that NRS itself receives service revenue, not the upside of the resources it records. Its institutional wealth should come from trust earned by accurate custody, never from converting administrative control into a portfolio.

The future test is whether NRS can disappear from the asset and remain present in the evidence

The best register is visible when evidence is needed and invisible in the holder's ordinary economic life. It confirms the current state, supports safe change and provides a remedy when the record is wrong. It does not insert itself into every lease, route, loan or sale merely to preserve institutional relevance.

For NRS, this means resisting two extremes. A purely declaratory society that cannot maintain continuity or prevent duplicate claims offers little protection. A central institution that takes title, keys, proceeds and final adjudicative power offers protection by domination. Neither is custody without confiscation.

The credible middle is exact. NRS defines interoperable evidence and anti-appropriation rules. Qualified providers verify identities and changes. One current state is maintained. Records and credentials are segregated. Valid legal conditions follow the state. Holders can replace providers. Operators retain bounded technical roles. Independent review corrects mistakes. Commercial value stays with the parties entitled under their agreements and applicable law.

NRS's public materials provide a positive normative starting point: accurate registration, stronger operator rights and limits on concentrated registry authority. They do not prove that this architecture exists, that courts will recognise every segregation form or that global networks will rely on its attestations. Those are implementation and adoption questions, and they should remain stated as such.

The constitutional question can still be answered now. A recorder does not need to own an asset in order to protect the integrity of its record. Indeed, the record becomes more trustworthy when the recorder has no economic reason to appropriate the value it verifies.

Future registry legitimacy will not be measured by how much the institution can claim. It will be measured by how reliably it can preserve a unique history, execute authorised change and then step aside.

Sources