Summary

  • NRS's role in this subject is advocacy, research, campaigning, convening and authorized member representation. The operational acts belong to RIRs, IANA numbering services, standards bodies and qualified independent operators; citing an NRS position is neither evidence that NRS performs them nor an endorsement by BTW.
  • Registry interoperability should make independently issued claims understandable and verifiable across institutional boundaries. It should not transfer every allocation, registration, review and service decision to one company, board or jurisdiction.
  • A minimum common semantic contract must define resource identity, holder identity, authority, status, effective time, event type, provenance and evidence references. Local institutions may add detail, but they cannot silently change the meaning of a common field.
  • Every consequential claim should carry an issuer identity, authority scope, resource scope, version, effective period, evidence digest and digital signature. A signature proves origin and integrity; it does not prove that the issuer had jurisdiction or reached a correct decision.
  • Conflict rules must distinguish harmless representational differences from operational contradictions. Formatting differences can coexist, stale claims can expire, disputed claims can carry a visible stay, and incompatible current control claims must converge through a defined review path.
  • Discovery and public registration should lead users to one accepted current answer while preserving the chain of regional decisions behind it. RDAP offers a useful common response model, but policy meaning, provenance and issuer authority need additional discipline.
  • Institutional plurality is a resilience feature when authority, keys, service operations, review and liability are not concentrated in one failure domain. It becomes fragmentation only when members cannot predict how independent institutions recognize each other's acts.
  • Success should be measured through conformance, convergence time, unexplained conflict rates, signature validation, provenance completeness, portability and review outcomes, not by the number of institutions absorbed into a global parent.

The role boundary is part of the evidence

NRS's own stated positioning supplies the first boundary for this analysis. It is a membership and advocacy organization pressing for decentralization, exit, portability, redundancy and fewer discretionary choke points. Heng Lu's note on why NRS exists says directly that NRS does not sell products or implement commercial solutions; its role is to change the direction of governance. NRS may therefore publish research, organize campaigns, convene affected operators, support members and represent an organization that has granted it authority. It may not turn that representation into registry authority over anyone else.

The implementation layer is separate. RIRs, IANA numbering services, standards bodies and qualified independent operators remain responsible for any authoritative registry record, allocation, transfer recognition, RPKI or RDAP operation, technical failover, binding review, insolvency act or legally compelled remedy relevant to this article. The NRO coordinates the five RIRs; it is not another name for NRS. IANA numbering services perform their defined coordination role; they are not an NRS department. Courts and lawful public authorities retain the powers their legal systems actually give them.

BTW's role is separate again. BTW reports the observable structure, checks primary sources and labels proposals as proposals. It does not convert NRS advocacy into fact, campaign on NRS's behalf or infer authority from alignment. That reality-not-advocacy discipline is why the institutional nouns in this article matter: a recommendation from NRS, an act by an RIR and an order from a court are three different things.

The goal is shared facts, not shared ownership

Interoperability begins by separating a fact from the institution that stores or displays it. The proposition that a particular organization is the recognized holder of a defined prefix at a stated time can be expressed in a form another institution understands. The second institution does not have to own the first, accept its entire rulebook or operate the same software. It must be able to identify the issuer, interpret the proposition, verify that the issuer acted within a recognized scope and determine whether a later event superseded it.

That approach is familiar across the Internet. Networks exchange routes without merging into one carrier. Certificate users validate assertions made by many issuers without placing every issuer inside one corporation. RDAP clients interpret responses from distinct registration services because common specifications define important structures and behavior. None of these arrangements eliminates governance. Each works only because technical recognition is bounded by authority, policy and failure handling.

For the registry operator, shared ownership would create more problems than it solves. A single employer could control staff, signing keys, service availability, access policy and the public account of disputes. One corporate insolvency, executive capture, court order or operational mistake could affect every entity. Regional members would have little practical recourse if their only alternative was to replace the global institution itself.

Shared facts permit a different settlement. Institutions remain legally and financially separate. Each answers to its members and applicable law. Common claims travel across boundaries with enough context to be checked. The common layer is intentionally narrow: it protects resource uniqueness, continuity, evidence and discoverability. Questions such as local service bundles, language, staffing, elections and ordinary fees remain with the institutions closest to the affected members.

Interoperability has three separate layers

The first layer is semantic interoperability: entities attach the same meaning to essential terms. A resource range must identify the same addresses everywhere. “Current holder” cannot mean legal registrant in one institution and billing contact in another. “Transfer completed” cannot mean approved at one site and merely requested at another. If meanings drift, identical-looking records conceal disagreement.

The second layer is evidentiary interoperability: entities can evaluate where a claim came from and whether it changed. Issuer identity, authority scope, time, version, signatures and evidence references allow a recipient to verify origin and sequence. This layer does not require unrestricted access to private evidence. It requires a reliable statement that protected evidence exists, what proposition it supports and which reviewer can inspect it under proper authority.

The third layer is institutional interoperability: entities know when to recognize another institution's decision, how to challenge it and what happens during disagreement. A technically valid signature from a recognized institution may still exceed that institution's assigned resource scope. A valid local court order may bind one party without automatically reallocating a globally coordinated resource. Recognition rules connect technical proof to legitimate authority.

These layers should not be collapsed. A common file format cannot settle jurisdiction. A digital signature cannot make a false claim true. A political agreement cannot compensate for ambiguous resource boundaries. The system becomes trustworthy when each layer answers its own question and exposes enough evidence for the other layers to operate. Interoperability is therefore a compound institutional capability, not a data-export feature.

The common semantic contract must be small and exact

A federation should standardize only the concepts required to preserve uniqueness, accountability and continuity. The core begins with a canonical resource identifier: address family, start and end address or prefix, and autonomous system number where relevant. Equivalent textual representations must resolve to the same resource. The contract should reject malformed ranges, ambiguous boundaries and overlapping claims that are not explicitly related as parent and child authority.

Holder identity needs a stable reference separate from display name. Legal names change, organizations merge, transliterations differ and contacts rotate. The shared claim should carry a persistent holder reference, current public name, identity type, deciding institution and effective dates. Protected identity evidence can stay with an authorized custodian. A name change then becomes an event in history rather than the accidental creation of a second holder.

Authority must be explicit. The same organization can be a holder, a registration-service provider, a delegated administrator or an evidence custodian. Each role permits different acts. A claim should say whether the issuer allocated a resource, recognized a holder, recorded a service appointment, published a contact, accepted a transfer or imposed a temporary restriction. Generic labels such as “owner” obscure these distinctions and invite incompatible interpretations.

Status, time and history complete the minimum. Every current claim needs an effective time, a predecessor reference and a clear status such as proposed, active, stayed, superseded or revoked. Event claims describe why state changed. Local extensions may add services or policy detail, but they must not redefine common terms. A recipient that does not understand an extension should still understand the core claim and know what information it has not interpreted.

Canonical representation is an accountability control

Two institutions can agree on meaning and still produce byte sequences that differ because of field order, whitespace, address compression or character normalization. That matters when signatures and evidence digests are expected to verify across independent implementations. The signed representation must therefore have one deterministic form. Equivalent claims should produce the same digest, while a meaningful change should produce a different one.

Canonicalization is not editorial tidiness. It prevents an issuer from presenting one human-readable version while signing another. It also stops harmless serialization choices from creating false conflicts. RFC 8785 demonstrates how deterministic JSON representation can support repeatable hashing and signing. A registry service operator profile would still need rules specific to number resources, including canonical IP ranges, Unicode treatment for names, time precision and ordering of repeated values.

The human-readable rendering must remain linked to the signed claim. A public page may translate role labels or format dates for a reader, but it should offer the claim digest and issuer information that identify the underlying proposition. Translation cannot alter whether an event is pending or complete. A shortened card cannot omit a stay while showing a holder as fully current.

Canonical representation also aids evidence exchange during review. Two parties can identify the exact claim they contest without emailing screenshots or arguing over page updates. A reviewer can ask whether a digest was signed, when it was accepted and which later digest superseded it. The public need not understand the encoding to benefit from a record that cannot be quietly rewritten.

Signed claims need an authority envelope

A signature answers two valuable questions: which key signed these bytes, and have those bytes changed? It does not answer whether the signer was entitled to act for the resource. Every signed claim therefore needs an authority envelope. The envelope identifies the issuing institution, signing role, recognized authority grant, resource scope, claim type, validity period and key status.

Suppose a regional institution signs a holder-recognition event for a prefix outside its accepted service scope. The signature can be perfectly valid while the event remains unauthorized. A recipient must check both cryptography and jurisdiction. Likewise, a registration-service provider may sign evidence that it authenticated a holder, but only the recognized coordination authority may sign the event that changes the accepted provider reference.

The envelope should bind claims to a version and predecessor. This creates an ordered history rather than a collection of freestanding statements. If two issuers sign successors to the same current claim, recipients detect a fork immediately. If a late message refers to an old predecessor, it can be treated as stale instead of overwriting newer state.

Signatures also need durable verification. The public keys and authority grants used at the time of decision must remain discoverable after rotation or institutional closure. Revocation should identify whether a key is distrusted for future use, compromised for a past period or merely retired. Otherwise a routine key change can make valid history unverifiable, while an actual compromise may leave fabricated history looking legitimate.

Provenance must distinguish observation, assertion and decision

Number-resource records combine different kinds of knowledge. A network observer may see a route announcement. A holder may assert corporate control. A registrar may confirm contact authentication. A registry may decide that a transfer meets policy. A court may issue an order. Treating all of these as interchangeable “data” weakens accountability.

Each claim should identify its epistemic role. An observation says what a source measured at a time and place. An assertion says what a party represents to be true. A verification says that specified checks were completed. A decision says that an authorized body changed recognized state. Evidence links show which observations and assertions supported a verification or decision without pretending the evidence itself exercised authority.

This distinction is especially important for routing. A route collector may observe an autonomous system originating a prefix. That is relevant operational evidence, but it does not by itself prove lawful holder identity or allocation. Conversely, a registration record may show a recognized holder while the resource is not currently routed. Interoperability should expose the difference rather than forcing every signal into one ownership field.

Provenance also constrains rumor and stale replication. A recipient should know whether a contact value came directly from a current issuer, from a permitted mirror, from a historic export or from a third-party observation. Mirrors can serve availability, but they should preserve issuer, signature and version. Republishers must not become invisible authors of claims they did not decide.

RDAP is a foundation for public answers, not the whole settlement

RDAP already supplies a standardized way to query registration information and return structured responses for IP networks, autonomous system numbers and related entities. RFC 9083 defines common response structures, links, events, status values, notices and extension signaling. This is a substantial interoperability asset because clients do not need a unique parser for every registration service.

Yet response compatibility alone does not settle cross-institutional authority. Two RDAP services can each return a well-formed but contradictory current holder. A response can omit optional information under local policy. An extension can carry useful detail that another client ignores. Bootstrap discovery can find a service, but discovery does not explain how a disputed delegation was resolved.

Registry-operator approach should retain RDAP as the public query surface while adding verifiable issuer and provenance information to consequential claims. A response should identify the accepted state version, issuing authority, signature reference and relevant conflict status. Historic events should show the sequence of recognized changes. A mirror should reveal that it is serving another issuer's signed state rather than presenting itself as the original decision maker.

Public responses also need honest limits. Privacy redaction, legal restriction, pending review and incomplete observation are different conditions. Each should have a distinct notice. “No data” should not leave the reader guessing whether information does not exist, is withheld, is temporarily unavailable or belongs to another authority. Accountability improves when absence has a stated reason.

Discovery must converge without creating a corporate gatekeeper

Users need a reliable way to find the service responsible for a resource. RFC 9224 describes RDAP bootstrap registries for locating authoritative services. A federated registry system can build on that principle: a narrow discovery map points resource ranges to recognized service endpoints and authority records.

The map should not become a discretionary marketplace controlled by one company. Entries should derive from signed delegation events, follow published eligibility rules and have an independent challenge path. Multiple neutral mirrors can serve the same accepted map. Every mirror should expose the version and signature set so users can detect lag or alteration.

Discovery can list more than one endpoint without producing more than one current truth. An authoritative service, a read-only mirror and a language-specific presentation service may all answer for the same resource. Their roles must be visible. A client can prefer a nearby mirror while verifying that its state matches the accepted issuer version.

Change to discovery deserves stronger safeguards than ordinary profile edits because misdirection can hide the correct record. A delegation update should reference the prior version, require signatures from the recognized authority set and allow emergency suspension if keys are compromised. Historic maps should remain available for review. No operator should be able to redirect an entire region through an unsigned configuration change or an undocumented commercial decision.

Conflict resolution begins with classification

Not every difference is a conflict. One service may display a holder's full legal name while another uses an approved abbreviation. One may show a local-language address, another a transliteration. Timestamps may use different display zones while referring to the same instant. These are representational differences if the underlying identity, resource and event references match.

Staleness is a second class. A mirror may still show a superseded version because it has not received or validated a later claim. Staleness should be visible and time-bounded. Clients can compare version references and decide whether a delayed mirror is acceptable for low-risk reading. The remedy is synchronization and service accountability, not a merits hearing.

Policy differences form a third class. Two institutions may publish different amounts of contact information because privacy laws or disclosure rules differ. The common record should still agree on the holder reference, resource, authority and status. Differences in public detail can coexist when notices explain them and an authorized request path exists where required.

An operational contradiction is the serious class: two active holder claims for the same resource, two current provider appointments, incompatible transfer events, overlapping allocations without delegation, or a revoked state presented as current. These cannot remain as equal alternatives. They require containment, a visible dispute status, preserved evidence and a convergence decision. Classification prevents institutions from escalating harmless differences while ignoring contradictions that threaten uniqueness.

Conflict handling must preserve one accepted current state

When an operational contradiction appears, the first duty is to stop further divergence. The most recent uncontested state remains the accepted reference unless an authorized emergency stay says otherwise. New high-consequence changes are held for the affected resource, while unrelated resources and ordinary read service continue. Both conflicting claims are preserved; neither is silently deleted.

The second duty is to identify the contested proposition. Was an issuer outside its resource scope? Did two valid instructions reference the same predecessor? Was a signing key compromised? Did a court stay arrive before or after the effective event? Is the disagreement about holder identity, service appointment or public disclosure? A narrow question produces a narrow remedy.

The third duty is reasoned convergence. A designated first-instance reviewer examines authority grants, signatures, event order and protected evidence. Its decision identifies the accepted successor, the rejected or superseded claim and any corrective event. Appeal goes to a body independent of the issuer whose act is challenged. Urgent protection can precede full review, but it expires unless confirmed.

History should show that conflict occurred. Rewriting the record to make the losing claim disappear destroys evidence and rewards whoever controls publication. The public current answer can remain simple while the event history records the fork, stay and resolution. If compensation or service remediation is owed, that follows from accountable error without turning damages into authority to create a second current state.

Courts require a recognition rule, not automatic global reach

Independent institutions will receive orders from different courts. Some orders will bind a holder, provider or registry within a jurisdiction. Others may claim broader effect. A federation cannot treat every filed document as globally dispositive, nor can it ignore lawful orders affecting its entities.

The common contract should represent a court measure as a signed legal-event reference with issuing jurisdiction, parties, resource scope, effective time, duration and operative effect. The public record can state that a stay or restriction exists without exposing protected filings. The institution receiving the order assesses immediate obligations under its law and notifies the recognized cross-border review body when the order affects shared state.

Recognition then asks structured questions. Did the court have jurisdiction over the bound party? Is the order final or interim? Does it direct a party's conduct, preserve evidence or purport to change resource status? Would recognition create duplicate current claims? Is there a conflicting order elsewhere? These questions do not eliminate legal uncertainty, but they prevent a clerk's entry in one jurisdiction from becoming an unexplained global state change.

Where immediate harm is plausible, a narrow temporary stay may freeze transfer or provider change while ordinary routing and public registration continue. The stay expires on a published date unless renewed through reasoned review. This treatment respects courts without granting any one institution or jurisdiction an invisible veto over every entity.

Privacy and public accountability can coexist

Interoperability can tempt institutions to copy every underlying file into a common repository. That would be both unnecessary and dangerous. Identity documents, private contacts, contracts, payment records and protected testimony do not need global distribution merely because the resulting holder claim must be verifiable.

The shared claim should expose the minimum public facts required for uniqueness and accountability: resource, recognized holder reference and public name, authority, status, relevant events, issuer, version and evidence classes. Sensitive material stays with a qualified custodian under defined retention, access and review rules. Its digest can bind the material to a decision without revealing the material.

Selective disclosure must not become unverifiable discretion. A public notice should distinguish privacy redaction from absence. Authorized reviewers need a lawful route to inspect the source material. Access should be logged, purpose-limited and subject to challenge. If the original custodian closes, custody must transfer in a way that preserves both confidentiality and later review.

This separation also limits breach impact. A common public service can be mirrored widely because it carries bounded data. Protected evidence remains distributed among accountable institutions instead of accumulating in one global customer file. Interoperability thus becomes compatible with data minimization: entities share the claim needed for common action, not every document that helped one institution reach it.

Key governance is institutional governance

Signing keys are not merely technical credentials. A key may authorize holder recognition, allocation, transfer, service appointment or emergency stay. Whoever can use it can create claims that strangers may rely upon. Key custody therefore deserves the same separation of powers applied to financial authority or official seals.

High-consequence keys should require multiple authorized entities, protected devices, role separation and witnessed ceremonies. Routine service keys can have narrower authority and shorter validity. The authority envelope should make these distinctions machine-verifiable so a low-risk publication key cannot sign an allocation event.

Rotation needs continuity. A new key is introduced through an event signed under an existing trusted authority or an approved recovery quorum. The old key receives a retirement time. Historic claims remain verifiable. Emergency compromise creates a bounded review period in which claims signed during the suspected window receive additional scrutiny rather than disappearing automatically.

No institution should control all roots of trust. A federation can use threshold approval across several independent authorities for changes to the common trust list. Public logs and delayed activation give members time to detect an unauthorized addition or removal. Recovery should work if one institution is unavailable, but not if one executive acts alone. These measures preserve the practical meaning of institutional plurality at the cryptographic layer.

Common rules need plural change control

A semantic contract will evolve. New resource services, privacy requirements, signature methods and evidence types will appear. If one company can redefine common meanings unilaterally, technical interoperability becomes a quiet route to political control. Change authority must therefore be distributed.

The registry operator should publish a stable core and a clear extension path. Core changes that alter the meaning of holder, resource, authority, current status or event ordering should require broad approval across regional institutions and affected member classes. Additive extensions can move faster if they cannot reinterpret existing claims. Every change needs an effective date, compatibility statement and transition period.

Independent implementation is an important safeguard. A standard that only one vendor can interpret is proprietary control wearing open language. At least two independently developed implementations should demonstrate that they can produce and validate the same claims. Test materials should include valid cases, malformed cases, stale versions, overlapping resources, key changes and disputes.

Members need standing to challenge a change that shifts liability or weakens rights. A technical committee may specify encoding, but it should not redefine who may transfer a resource without institutional approval. Conversely, political bodies should not mandate ambiguous fields that cannot be implemented consistently. Joint change control keeps meaning, evidence and authority aligned.

Local variation should be explicit rather than forbidden

Interoperability does not require identical institutions. One region may organize membership by resource holding; another may include public-interest seats. One may offer multilingual support or enhanced verification. Another may recognize a particular legal form that does not exist elsewhere. These differences can support legitimacy when they are visible and bounded.

The common layer should classify local additions by effect. Presentation extensions change language or layout. Service extensions add optional offerings. Evidence extensions add recognized proof types. Policy extensions impose local conditions within an institution's authority. None may alter the globally significant identity of a resource or create a conflicting current holder.

Recipients should know when they encounter an extension they do not understand. Ignoring an unknown presentation hint may be safe. Ignoring an unknown transfer restriction may not be. Extension declarations should specify whether comprehension is optional, required for a particular act or required only in a named jurisdiction.

This approach avoids two extremes. Forced uniformity can erase legitimate regional choices and make change painfully slow. Unbounded customization can turn every exchange into a bespoke negotiation. A small common core, typed extensions and visible consequences let institutions innovate without surprising each other about facts that require convergence.

Institutional plurality improves resilience only when exit is possible

Several institutions do not automatically create a healthy federation. They may operate as a cartel, share one vendor, depend on one key service or make movement between them impossible. Nominal plurality then conceals a common failure domain.

Interoperability should make provider and institutional exit practical. A holder's signed history, identity reference, resource claims and public events must be portable in the common form. A receiving institution should verify them without asking the departing institution to produce a custom narrative. Protected evidence can transfer to a qualified custodian under legal controls while public claims remain stable.

Service portability also disciplines quality. If an institution delays publication, mishandles contacts or charges opaque fees, members can move service without abandoning their recognized history. Exit does not mean shopping for a more favorable answer to the same disputed facts. The accepted holder and restrictions travel with the resource until changed through a valid event.

The federation should disclose correlated dependencies: common cloud regions, shared signing services, common contractors and single discovery operators. Diversity that exists only on organization charts will not survive a shared outage. Regular cross-institution exercises can verify that one entity can serve accepted claims and continue review when another becomes unavailable.

Market competition belongs around service, not truth

Competition can improve verification, support, language access, monitoring and dispute assistance. It becomes destructive when institutions compete by recognizing incompatible holders or overlooking restrictions. A resource holder should be able to choose service without choosing which version of reality will be published.

The common contract therefore defines non-negotiable facts and leaves service differentiation around them. Providers may offer faster ordinary updates, stronger authentication, better reporting or lower prices. They cannot sell a current holder claim outside recognized authority. Institutions may adopt stricter evidence for high-risk acts, but they must explain how that affects cross-border recognition and appeal.

This boundary also helps regulators and courts. Liability can attach to the institution that authenticated, decided, published or failed to update a claim. A single global company would concentrate liability but might also make errors harder to contest. A loose market without common facts would allow every entity to blame another. Signed roles and event history show who did what.

Economic incentives should reward accurate convergence. Fees can support validation, mirrors, review and continuity exercises. Penalties can address unexplained stale service, unauthorized claims or missed conflict deadlines. No entity should earn more by prolonging ambiguity or withholding portable records. Interoperability becomes credible when the commercial model supports the same truth discipline as the technical design.

A cross-border transfer illustrates the boundary

Consider a resource holder incorporated in one country, served by a registrar in another and operating networks across several regions. It enters a merger and seeks to change both legal name and registration-service provider. The corporate event is reviewed where the holder is recognized. The provider change is reviewed under the service-portability rules. Neither event is hidden inside the other.

The deciding institution signs a holder-continuity claim linking the old and new names while preserving the stable holder reference. The provider coordinator signs a service-change event against the same resource version. Both events cite protected evidence digests and effective times. RDAP presentation services in several regions can display the new name and provider while preserving the earlier events.

Suppose a creditor obtains an interim court order after the merger decision but before the provider change. The order is represented as a legal event with defined scope. If it restrains disposal of the resource but not a service switch by the same holder, the provider change can proceed. If its meaning is contested, a narrow stay pauses only that act while current registration and routing remain visible.

No global company needs to own the holder, registrar or evidence. Interoperability works because each institution's role is explicit, the claims share meaning, signatures bind decisions to issuers, and conflict rules preserve one accepted state. The example also shows why a mere common data dump would be limited public evidence: the decisive information is authority, sequence and legal effect.

Failure cases should shape the design

The first failure is semantic drift. One entity begins using “holder” for a reseller or administrative contact. Its records still validate technically, but recipients infer authority the named party does not possess. Conformance tests and public definitions must catch this before the term enters current claims.

The second failure is a validly signed overreach. A recognized issuer signs an event outside its resource or role scope. Authority-envelope validation should reject it automatically and alert both institutions. The signature remains evidence of who attempted the act.

The third failure is an unresolved fork. Two successors reference the same predecessor, perhaps because of delay or compromise. The affected resource enters a visible hold, later changes pause and independent review selects the accepted successor. Public services must not choose whichever claim arrived first without examining authority.

The fourth failure is silent staleness. A mirror serves an old version as current after a transfer. Version age, signed checkpoints and monitoring reveal the lag. The mirror can remain available with a warning, but clients making consequential decisions should query another recognized endpoint.

The fifth failure is trust concentration. Several institutions rely on one vendor, one root key or one discovery operator. An outage or capture affects all of them. Dependency disclosure, independent implementations, threshold trust changes and tested alternative service reduce that risk. Designing from these failures produces stronger interoperability than beginning with an ideal diagram of cooperative institutions.

Conformance must test meaning and adverse conditions

A entity should not be declared interoperable merely because it can exchange a happy-path record. Certification must test canonical resource representation, holder references, role scopes, signatures, predecessor links, key rotation, privacy notices, extensions and public rendering. Independent implementations should reach the same interpretation from the same signed claims.

Adverse tests matter more. What happens when a resource overlaps an existing allocation, an event arrives out of order, a key is revoked, a mirror is stale, a court stay conflicts with a transfer, or two institutions claim authority? A compliant entity should reject, hold or escalate each case predictably. It should not invent a new current state.

Testing should include multilingual names and legal forms without treating identity strings as freely translatable. It should also test IPv4 and IPv6 normalization, autonomous system ranges, historic records and delegated authority. Public RDAP responses need checks for correct status, events, notices, links and version references.

Results should be public enough to discipline institutions without exposing protected customer data. A certificate has an expiry date and covered capability. Serious failures trigger remediation and retesting. Members can then compare actual interoperability rather than relying on institutional promises. Certification remains evidence of tested behavior, not immunity from liability or review.

Metrics should reveal whether plurality is working

The first metric is claim validity: the share of consequential claims with verifiable signatures, current authority grants, complete provenance and unbroken predecessor links. A high publication count means little if recipients cannot establish who decided what.

The second is convergence performance. Institutions should report how often conflicting current claims occur, how quickly they are contained, how long review takes and whether unrelated resources continue normally. Median figures alone are limited public evidence; the oldest unresolved cases reveal whether temporary holds become permanent captivity.

The third is public consistency. Independent queries to recognized endpoints should return the same core holder, resource, authority and status for the same accepted version. Differences in language or permitted detail should be classified. Unexplained differences should be measured and corrected.

The fourth is portability and resilience. Exercises should show whether a holder can move service, whether mirrors can continue during an issuer outage and whether historic signatures remain verifiable after key rotation. Dependency concentration should be disclosed. A federation that cannot survive one member's failure is plural in name only.

The fifth is legitimacy. Members should see which institution made a contested decision, use a review route independent of that institution and obtain a reasoned outcome. Appeal reversals, repeated issuer errors and missed deadlines should inform governance reform. These measures keep interoperability tied to public accountability rather than treating it as a purely technical success.

Independent witnesses can strengthen convergence without taking control

A federation benefits from witnesses that observe accepted events and retain signed checkpoints. A witness does not allocate resources, recognize holders or decide transfers. It confirms that a particular claim existed, carried specified signatures and occupied a stated place in the accepted sequence. Several independent witnesses can make quiet revision or selective history much harder.

Witness diversity matters. If every institution relies on a witness operated by the same common company, the arrangement recreates central control under a different name. Universities, public-interest bodies, qualified commercial operators and regional institutions could each serve checkpoints under transparent eligibility and retention rules. No single witness should be necessary for an ordinary event, while high-consequence trust changes can require agreement among several.

Witnesses also help during partition. Two regions may temporarily lose communication but continue serving the last accepted state. When connectivity returns, signed checkpoints reveal whether either side attempted incompatible successors. Harmless delayed events can be ordered. A genuine fork enters conflict handling. The witness record does not choose the winner; it supplies neutral evidence about sequence and visibility.

Public transparency must remain bounded. Checkpoints can contain digests, issuer references, event classes and times without publishing private contacts or protected evidence. Inclusion proof lets a holder show that an event was recorded. Consistency proof lets observers detect if a witness presents different histories to different audiences. This capability strengthens public trust while keeping the authority to make and review decisions with accountable institutions.

Liability should follow the role that failed

Interoperability can create a tempting defense: every entity points to another institution. The registrar says it relied on the registry, the registry says it accepted a signed verification, the mirror says it merely republished, and the common service says it only carried messages. Clear role attribution prevents responsibility from dissolving across the federation.

An institution that authenticates a holder is responsible for performing the required checks and preserving evidence. An authority that accepts a transfer is responsible for resource scope, event order and applicable restrictions. A publication service is responsible for accurately serving the accepted version and disclosing staleness. A witness is responsible for checkpoint integrity. A reviewer is responsible for reasoned decisions within its mandate and deadlines.

Liability should correspond to control. A mirror that faithfully serves an issuer's signed false claim should correct it quickly but should not be treated as the original decision maker. A registrar that supplied false verification cannot escape because a coordinator performed the final commit. A coordinator that ignored an obvious scope violation cannot shift all responsibility to the signer.

The event history makes these distinctions provable. Each role signs its own act, and every accepted transition references the acts on which it relied. Members can identify whether failure arose from evidence, decision, publication or review. Compensation and remediation can then target the responsible institution while continuity measures protect the holder. Distributed authority becomes accountable precisely because responsibility is not pooled into an abstract collective.

A minimum recognition compact can prevent political overreach

Independent institutions need a short recognition compact stating which acts they will accept from one another. The compact should cover authority grants, holder-continuity decisions, provider appointments, transfers, stays, revocations and conflict outcomes. Recognition is conditional on valid scope, signatures, evidence class, event order and review availability.

The compact must also state what recognition does not mean. Accepting another institution's holder decision does not make that institution a corporate parent, transfer tax residence, waive local privacy law or require adoption of unrelated fees. Accepting a temporary stay does not concede the issuing body's final jurisdiction. Serving another issuer's signed public record does not transfer ownership of the underlying customer relationship.

These negative boundaries protect legitimacy. Without them, members may fear that every interoperability commitment expands a distant institution's power. Institutions may then resist even useful common rules. A narrow compact gives regional bodies confidence that they can recognize essential acts while retaining lawful autonomy over matters that do not threaten shared resource state.

Withdrawal from the compact also needs rules. An institution cannot abruptly stop recognizing existing claims and create uncertainty for current holders. Notice, continuity, record export and a transition period protect members. Existing accepted events remain historic facts. If an institution rejects a later common change, it can limit new participation without fabricating a rival history. This makes institutional consent meaningful without allowing exit to become fragmentation.

Registry-operator settlement should be constitutional in scope

The registry operator does not need a world ministry of number resources. It needs a constitutional settlement around a few shared necessities. Resource identity must be unambiguous. Current authority must converge. Consequential acts must be attributable. History must survive institutional change. Conflicts must be contained and reviewed. Public discovery must not depend on one opaque gatekeeper.

Everything beyond that core should face a burden of justification before it is centralized. Service design, member representation, ordinary pricing, language, local evidence practice and regional policy can remain diverse if they do not corrupt common facts. This allocation of power makes the federation adaptable while limiting the damage any one institution can cause.

The legal and technical instruments should reinforce each other. Semantic definitions constrain what a signed claim can mean. Authority grants constrain who can sign it. Public history constrains quiet revision. Review constrains issuers. Portability constrains service providers. Threshold trust changes constrain the common layer itself.

Institutional merger offers the appearance of simplicity because hierarchy can issue one answer. But hierarchy also creates one capture point, one balance sheet and one jurisdictional choke point. Interoperability earns coherence differently: through precise meaning, attributable claims and disciplined convergence among institutions that remain capable of disagreeing, reviewing and surviving one another.

Conclusion

The decisive design choice is not central database versus disconnected registries. It is whether common facts are strong enough to travel without carrying an entire institution with them. A stable resource identifier, persistent holder reference, explicit role, signed event, preserved provenance and visible conflict status can make a claim understandable beyond the place where it originated.

That portability of meaning allows the registry operator to preserve both global coordination and institutional plurality. A user can discover one accepted current answer. A holder can retain history while changing service. A court or reviewer can identify the exact disputed proposition. A regional institution can add lawful detail without rewriting the common core. If one entity fails, others can continue serving verifiable claims.

The discipline lies in refusing shortcuts. A signature without authority is not legitimacy. A common response format without conflict rules is not consistency. Multiple institutions without exit and independent infrastructure are not resilience. One global company without distributed review is not neutral coordination.

The registry interoperability should therefore be judged by whether independent parties can verify the same essential facts, understand the boundaries of each issuer's power and converge after conflict without erasing evidence. If they can, institutional merger is unnecessary. The shared achievement is not one owner of every record. It is a public order in which no institution has to be trusted beyond the claims, powers and proofs that others can examine.

NRS and BTW role sources