Summary
- A new numbering service should not become interoperable merely because an incumbent likes it, dislikes it less than a rival, or has political reasons to tolerate it. It should become interoperable only after it passes public, repeatable tests for uniqueness, security, migration safety, auditability, continuity and dispute notation.
- Existing recognition history contains useful principles: a registry must have technical capacity, impartial treatment, documented policy, operational infrastructure and reliable coordination. The weakness is that the older regional model tied recognition to a single large territory and to incumbent migration, leaving little room for portable service competition after IPv4 scarcity and modern RPKI, RDAP and reverse-DNS dependence changed the risk.
- Number Resource Society can turn its positive thesis into an assurance programme: prove that every entry is traceable to recognized IANA or RIR history, every conflicting claim is quarantined rather than silently accepted, every holder move has a reversible rehearsal, every key and service endpoint has recovery rules, and every audit can rebuild the state from public commitments plus protected evidence.
- The prize is not permission to govern networks. The prize is narrower and more valuable: relying parties can treat NRS records as high-assurance evidence and, over time, IANA-facing recognition can become conditional on performance rather than patronage.
Recognition should start at the test bench
The first room in which a future numbering service should seek recognition is not a boardroom. It is a test bench. An operator should be able to take a sample prefix, a sample autonomous system number, a sample holder change and a sample dispute, run them through the service, and see whether the result preserves uniqueness, explains authority, protects keys, keeps public discovery coherent and leaves an audit trail that another competent party can verify.
That test-bench principle matters because Internet number recognition is easy to romanticize. The public language around Regional Internet Registries often mixes history, community, territory, corporate form, policy tradition and technical service into one idea. A new service can be rejected as illegitimate because it did not descend from that lineage. It can also be accepted too quickly because it promises liberation from the failures of that lineage. Neither reaction answers the operational question: does the record remain safe, unique, portable and reviewable when people rely on it?
Number Resource Society is useful precisely because it sharpens that question. Its public charter presents number-resource institutions as bookkeepers whose legitimacy depends on accurate registration, voluntary reliance and limited authority rather than on claims to rule networks. That is an attractive starting point, but a charter is not assurance. A service that opposes gatekeeping can become a gatekeeper if its own admission, key custody, correction and dispute rules are opaque. A service that celebrates portability can fragment the numbering system if it signs attractive claims that do not reconcile with the existing global history.
Recognition by proof sets a higher standard than recognition by friendship. It asks NRS to show, before demanding reliance, that it can distinguish a holder-controlled credential from an authoritative allocation, a transfer receipt from a routing permission, a dispute note from a sanction, and a service move from a duplicate assignment. It also asks IANA, ICANN, the NRO and the operating community to define measurable conditions under which a non-incumbent service can interoperate without having to win political patronage from the institutions it may discipline.
The model is not anti-registry. It is anti-mystique. The current Internet Numbers Registry System is documented in RFC 7020, which describes distribution of globally unique IP address space and AS numbers and emphasizes registration accuracy. IANA's current number-resource page states that it coordinates global IP addressing systems and AS numbers, allocates pools to RIRs according to global policy, and does not ordinarily allocate directly to ISPs or end users. Those are facts to preserve, not myths to worship. A proof-based NRS would preserve the facts while making service reliance contestable.
What the old recognition model got right
The old recognition model should not be dismissed. ICP-2, the criteria for establishing a new Regional Internet Registry, required technical capacity, documented policy procedures, broad support in the proposed region, neutrality and impartial treatment. It required production-grade Internet connectivity, reverse-DNS support, suitable infrastructure and capable staff. It also required policies consistent with global goals of conservation, aggregation and registration.
Those requirements encode several durable truths. A numbering service must not be a private notebook. It must keep stable services online. It must be reachable by people who need the data. It must not treat equal requesters unequally. It must document the rules under which number-resource state changes. It must coordinate with other registries so that one resource has one current authoritative status. It must support reverse-DNS delegation and public registration services because downstream systems use them.
The weakness is not that ICP-2 cared about support and region. In the early regional expansion period, broad support from LIRs and migration of service agreements were practical ways to avoid split service inside a geographic area. The weakness is that the model was built around one registry per large region. It assumes that fragmentation is prevented by territorial monopoly rather than by a global root of uniqueness and strict interoperability tests. That assumption is now the very question under review.
IPv4 scarcity changed the economic stakes. Resource records are no longer merely administrative paths to future allocations. They are evidence used by buyers, lenders, cloud platforms, anti-abuse desks, upstream networks, courts, auditors, insurers and customers. RPKI changed the security stakes by connecting allocation authority and routing authorization. RDAP changed the discovery stakes by making structured registration data machine-readable and locatable through bootstrap registries. Reverse DNS remains a quiet dependency for mail, abuse handling and service onboarding. A new service must be judged against that full dependency stack.
The future recognition test should therefore keep the operational obligations of ICP-2 while separating them from territorial privilege. A service can prove neutrality without controlling a continent. It can prove technical capacity without becoming the only office in a region. It can prove community reliance through adoption, audit results, complaint outcomes and migration success rather than through incumbent consent. It can preserve global policy invariants without inheriting every discretionary habit of the old model.
The first proof is uniqueness
The numbering system's first invariant is uniqueness. There may be many opinions about who deserves a block, what a contract means, whether a sale should close, how much detail should be public, or which service provider is more efficient. There cannot be two valid current assignments of the same address range or the same AS number to incompatible holders. Once duplicate current state is normalized, the rest of the Internet pays the price in routing confusion, abuse handling, procurement failure and litigation.
NRS recognition must begin by proving that it cannot quietly accept duplicate current state. That means every asserted resource must be checked against the IANA registries, the relevant RIR or legacy history, existing public transfer logs where available, RDAP data, RPKI material and any protected evidence that the holder supplies. A service does not have to publish every document in order to prove it checked conflict classes. It does need to publish enough commitments, reasons and countersigned timestamps to show that a conflicting claim was either resolved, quarantined or marked as disputed.
Uniqueness proof also has to work at prefix boundaries. A /16 can contain transferred, leased, delegated, suballocated or disputed fragments. A status checker that treats a block as an indivisible label will miss overlap. A recognition test should include exact intervals, covered intervals, more-specific records, returned space, reserved ranges, legacy ranges, AS-number ranges and IPv6 aggregates.
It should simulate adversarial cases: two parties claim adjacent portions; one party claims a covering block after another has a more-specific operational record; a historic holder returns a block while stale RPKI material remains visible; a corporate successor claims capacity under a new legal name.
The proof should not become a secret trial. Some evidence will be private because it contains contracts, identity documents, security credentials or court material. But the public state can still identify the class of proof used, the date of review, the current status, the dispute flag if any, the hash commitment to protected evidence, the reviewing role and the appeal route. A cryptographic commitment does not prove truth, but it prevents a later record from being rewritten without leaving evidence of change.
Recognition by proof therefore flips the burden. NRS would not say, "accept us because we are the future." It would say, "try to make us sign a duplicate current status; try to make us miss a more-specific conflict; try to make us alter history without detection; try to make us hide a dispute as a clean allocation." If independent testers cannot break those invariants, reliance begins to have a technical foundation.
Security proof must cover keys, people and recovery
Security cannot be reduced to a secure web site. A number-resource service touches multiple security layers: holder authentication, staff privileges, signing keys, RPKI objects, repository publication, RDAP service endpoints, reverse-DNS change requests, transfer approvals, dispute locks, backup integrity and emergency recovery. A service can have strong encryption and weak authority review. It can have hardware key storage and still allow a single insider to approve a dangerous state change.
NRS should define a security proof that covers both cryptographic and institutional controls. Cryptographic controls should include clear key ceremonies, separation of online and offline signing functions where needed, documented key rotation, revocation and recovery, tamper-evident logs, independent witness checkpoints, secure time-stamping, repository integrity checks and tested restoration from backup. Institutional controls should include separation of duties, dual control for high-risk changes, least-privilege access, staff conflict disclosures, protected audit records, incident disclosure categories and external penetration testing.
The RPKI architecture in RFC 6480 is a useful discipline because it ties resource certificates to allocated IP addresses or AS numbers and allows route filters to be built from signed route-origin authorizations. It also exposes why recognition cannot be casual. A mistaken or captured resource certificate can affect the way networks evaluate route origin validity. A proof-based NRS should not claim RPKI authority it does not possess; it should show how its evidence interacts with existing certificates, hosted or delegated custody, transfer timing, revocation risk and holder-controlled keys.
Security proof must include failure exercises. What happens if a holder loses a signing key? What happens if two executives from the same company submit incompatible instructions? What happens if a court order freezes a claimed transfer? What happens if a registrar employee is compromised? What happens if a service endpoint is unavailable during a transfer window? What happens if a witness log is down but the registry is receiving urgent change requests? A service that has no published answer to these questions is asking for trust without a map.
The strongest NRS case is not that it will never fail. It is that its failures will be bounded, visible and repairable. An incident should have a classification, an affected resource set, a time window, a containment measure, a customer notice, an independent review and a recovery record. A silent security failure is a governance failure. A detected, disclosed and corrected failure can increase confidence if the correction proves that the service does not depend on institutional denial.
Migration proof is where portability becomes real
Portability is easy to endorse in a speech and hard to perform at 02:00 when a holder's RDAP service, reverse DNS, RPKI certificates, abuse contact, lender file, customer allowlist and upstream filtering record all depend on coherent registry state. The value of NRS is not the slogan that a network should be able to leave a failing registry relationship. The value is a tested way to leave without splitting the record or shocking the services that read it.
Migration proof should therefore be one of the central recognition tests. NRS should be able to run a dry move from an incumbent service record into an NRS-served record, and back again if necessary, while preserving a single authoritative status. The test should include a holder identity packet, resource interval, old service endpoint, new service endpoint, pending change state, dispute notation, grace period, rollback trigger, public notice category, protected evidence commitment and independent witness signature.
The test must distinguish three events that are often confused. A holder transfer changes the party with recognized rights or control. A service portability event changes the qualified service provider maintaining or publishing the record. A routing change alters how traffic is originated or accepted. A healthy system can change one without pretending to change all. A holder should be able to move registration service without automatically changing origin AS. A transfer should not become final simply because a route appears. A route should not become invalid merely because a service move is pending.
RDAP supplies a useful public lesson. RFC 9224 explains how clients find authoritative RDAP services through IANA bootstrap data and longest-match logic for IP address space. That does not create NRS authority, but it shows the value of a public discovery layer that points to the service for a resource. A proof-based NRS migration should show how the relevant discovery pointer, supplemental endpoint or recognition status changes in a way clients can verify.
Migration proof also needs customer continuity. A large network may have customers whose allowlists, procurement systems, mail reputation checks, DDoS scrubbing vendors and cloud bring-your-own-IP processes depend on stable registration data. NRS should not treat those dependencies as external noise. A migration package should include a continuity statement that identifies what public fields changed, what public fields stayed, what notices were issued, what stale services might remain visible and how a relying party can verify the final state.
The test should be repeated across hard cases: legacy IPv4, transferred IPv4, leased operating use, IPv6 assignments, AS numbers, corporate restructurings, insolvency instructions, RPKI delegated custody and reverse-DNS handover. A service that can only migrate a clean artificial example has not proved portability. A service that can migrate messy but lawful records with dispute controls and rollback has earned a more serious form of recognition.
Audit proof means strangers can rebuild the story
Auditability is not the same as transparency. Transparency says some records are public. Auditability says a competent stranger, with authorized access to protected evidence where appropriate, can rebuild the consequential story and detect unauthorized change. For numbering services, the story includes who asserted authority, what evidence was checked, what public status changed, what dependent services were affected, who approved the change, what objections were made, and how the final state was reconciled with the global record.
An NRS audit proof should start with a reconstruction exercise. Give an independent auditor a resource and a time period. The auditor should be able to reconstruct the old status, every pending event, every approved change, every rejected or quarantined claim, every service endpoint, every key transition, every dispute note and every public commitment. The auditor should be able to identify gaps, stale records and inconsistent histories without relying on oral assurances from management.
Append-only techniques help, but only if their limits are respected. RFC 9162, which defines a transparency-log model, describes signed tree heads, inclusion proofs and consistency proofs. Those tools can make equivocation detectable when monitors compare views. They do not prove that the underlying decision was correct. NRS should use such structures as evidence controls, not as a substitute for policy, identity review or remedy.
Audit proof should have public and protected layers. The public layer can show current status, event class, time, reviewing role, non-sensitive reason category, dispute flag, service endpoint and cryptographic commitments. The protected layer can contain contracts, identity documents, invoices, board resolutions, court orders, security secrets or confidential transfer terms. The auditor can test the link between layers without publishing sensitive material.
External audit also needs independence. A service should not select only friendly reviewers, hide the scope, publish only compliments or bury adverse findings in vague language. The draft NRO RIR Governance Document Version 2 points toward periodic and ad hoc audits, summary reporting and emergency continuity. Whether that draft becomes final or changes, the direction is important: registry continuity should be testable by parties beyond management.
NRS can go further. It can publish audit methods, sample records, redaction rules, finding categories, response deadlines, correction evidence and repeat-finding statistics. It can allow holders to export their own event history. It can let relying parties verify that an auditor saw the protected material behind a public commitment. That would make audit a service feature rather than an annual ceremony.
Community support should mean adoption evidence
ICP-2 asks a candidate RIR to demonstrate broad support from LIRs in a proposed region. In a territorial model, that makes sense. A registry that is supposed to serve a continent cannot be imposed on a community that will not use it. In a portable-service model, however, community support should not mean permission from incumbents or an undefined consensus gathered by the same organizations whose monopoly is under examination.
For NRS, support should be measured through adoption evidence. How many holders submit voluntary credentials? How many operators query the service? How many auditors are willing to verify it? How many software clients can consume its public data? How many lenders, brokers, cloud providers or upstreams accept its receipts as supplemental evidence? How many disputes are handled without duplicate state? How many migration rehearsals complete without operational shock? These are not popularity metrics. They are reliance metrics.
Adoption evidence also prevents a familiar trap. Reformers often seek recognition from institutions that have incentives to deny or delay it. Incumbents can present their own non-cooperation as proof that the new entrant lacks support. A proof-based model should not let the gatekeeper decide whether exit exists. If NRS can meet defined tests and actual relying parties use its evidence, lack of incumbent enthusiasm should not be fatal.
The reverse risk is capture by a narrow faction. A service can be popular among dissatisfied holders and still unsafe for the wider Internet. Adoption evidence must therefore be balanced with conflict tests, abuse handling, small-holder access, geographic spread, financial transparency, independent review, public security results and appeal outcomes. Recognition by proof is neither incumbent veto nor insurgent applause.
NRS's own first-party materials make this especially important. The NRS FAQ describes a global nonprofit membership organization that campaigns, empowers and supports businesses around IP interests. The charter stresses bookkeeper limits, accurate registration and voluntary recognition. Those statements support a positive direction, but they also show why external proof is needed. A membership organization must prove that it can serve as an evidence layer without simply converting member loyalty into authority.
The right standard is therefore graduated reliance. At the first level, NRS records may be treated as supplemental holder evidence. At the second, they may be accepted by private parties as part of transfer, finance, insurance or procurement diligence. At the third, they may become recognized inputs to IANA-facing or RIR-facing service transitions. At each level, proof expands reliance; patronage does not.
IANA can certify without becoming a political owner
IANA's current number-resource role is narrow and important. Its number-resource page identifies responsibility for global coordination of IP addressing systems and AS numbers, allocation of pools to RIRs under global policy, and documentation of IETF protocol assignments. It does not ordinarily allocate directly to ISPs or end users. That narrowness is a strength. The question is how a future recognition path can use IANA's uniqueness position without turning it into a political owner of every downstream dispute.
The answer is certification by invariant, not approval by favour. IANA-facing recognition should ask whether a service preserves global uniqueness, publishes coherent service endpoints, supports secure dependent services, provides evidence export, cooperates with emergency continuity, passes audit, exposes reasoned refusal categories and allows review. It should not ask whether the service shares the same politics as an incumbent or whether it promises to protect an existing regional monopoly from competition.
The 2016 SLA for IANA Numbering Services is an existing example of formal service accountability at a recognized boundary. It is between ICANN and the five RIRs, not between IANA and every holder. It does not create NRS rights. But it proves that number-resource service can be defined by agreements, service levels, review and escalation rather than by aura. Future recognition can extend that discipline: specify the service, measure the service, review the service, and define the consequence when the service fails.
IANA certification should also be modular. A service might first be certified for audit-log compatibility, then for supplemental holder receipts, then for migration rehearsals, then for live service-portability events under narrow conditions. A failed module should not destroy unrelated evidence. A successful module should not grant general authority. Modular recognition keeps the service honest because every claim has a defined scope.
That approach protects incumbents too. A proof-based NRS cannot demand full recognition by invoking reform language. It must pass the same tests. If it fails uniqueness, security, migration or audit, it does not get the next level of reliance. If an incumbent RIR fails comparable tests, it should face comparable scrutiny. Recognition becomes a public service discipline, not a political shield.
The operator's test is practical, not ideological
Network operators are not served by ideological purity. They need records that other networks, vendors, customers and authorities can trust. Before relying on NRS, an operator should ask a practical checklist. Can I prove that this resource is the same resource recognized in the IANA and RIR history? Can I prove that no conflicting current claim is hidden? Can I export my evidence if I leave? Can I recover after a key loss? Can I maintain route-origin authorization during a service change? Can my customers verify the public state without seeing confidential contracts?
The operator should also test latency. A record that is accurate but slow can fail a transaction. A court order, corporate closing, lender covenant, abuse emergency or customer migration may have a time window. NRS should publish target response times for high-risk changes, ordinary updates, dispute flags, emergency holds, audit responses and rollback. It should publish actual performance as well as targets.
Cost matters. A portable service that is technically elegant but priced only for large address holders would reproduce the same inequality it criticizes. Recognition proof should include access for smaller networks, clear fee classes, fee waivers or scaled assurance tiers, and public explanation of what each paid service covers. If audit, review and migration cost money, the cost should be visible rather than hidden inside discretionary friction.
Operators should test refusal. A fair registry service must sometimes say no: no to duplicate claims, no to forged authority, no to unverified corporate successors, no to unsafe key changes, no to abusive disclosure, no to emergency requests outside the defined standard. The quality of a service is shown not only by approvals but by reasoned refusals. NRS should publish refusal categories, appeal routes, correction options and statistics.
The final operator test is survivability. What happens if NRS itself fails, loses funding, is sued, changes management, suffers a serious breach or becomes captured by a faction? A proof-based institution should make its records portable away from itself. It should have escrow, successor rules, independent witness checkpoints, holder export and a sunset path. A service that cannot be left is not a portability institution; it is a new lock-in.
Failure must be disqualifying when it threatens uniqueness
Proof-based recognition should be generous about experimentation and severe about core invariants. A new service can improve its user interface, reporting cadence, complaint categories or fee design without losing every form of reliance. It cannot be casual about duplicate current status, unauthorized key changes, hidden security incidents, public evidence falsification, refusal to cooperate with external audit or inability to export holder records.
The harsh line is necessary because number resources carry external effects. A bad state change does not harm only the service provider and its customer. It can affect route acceptance, mail delivery, abuse response, procurement checks, cloud onboarding, financing, customer continuity and cross-border litigation. The more the Internet relies on a record, the less tolerance there can be for invisible conflict.
Disqualification should also be bounded. If NRS fails an RPKI migration test, it should not necessarily lose every supplemental holder-evidence role. If it fails an audit-log inclusion proof, it should pause high-risk live transitions until corrected. If it accepts a duplicate current status, the affected resource class should be frozen, all relying parties notified, and independent review triggered. Discipline works best when consequences map to the failed invariant.
This is where patronage fails. A patronage system often tolerates an incumbent's failure because the incumbent is systemically important, while treating a new entrant's smaller failure as proof of unfitness. It also allows friendly exceptions. Proof-based recognition should publish the same classes for every qualified service: warning, cure, suspended module, emergency operator, handback, permanent loss of qualification and post-failure audit.
NRS should welcome this severity. A positive NRS thesis depends on being harder to capture than the model it criticizes. If it asks for easier standards because it is reformist, it weakens its own case. If it invites hard testing and survives, it gives operators a reason to rely that does not depend on rhetoric.
Recognition by proof changes incentives
The largest benefit of proof-based recognition is not only that a new service can enter. It is that every existing service has to become more legible. Incumbents can no longer answer a portability proposal by saying that they are recognized and the challenger is not. They have to show their own security controls, auditability, migration safety, refusal reasons, service continuity and emergency readiness.
That discipline improves the current system even before NRS gains formal reliance. If NRS publishes a better holder export format, an incumbent has to explain why its own export is weaker. If NRS publishes stronger dispute notation, an incumbent has to explain opaque freezes. If NRS demonstrates faster correction without sacrificing security, an incumbent has to justify delay. Competition in evidence quality is healthier than competition in political access.
It also changes IANA's role. Instead of deciding who belongs to a club, IANA-facing recognition can become an assurance ladder. Services that meet the ladder obtain narrowly defined interoperability. Services that fail lose that class of reliance. The ladder can be public, testable and reviewable. That is a more stable model than one in which recognition status is so hard to earn and so hard to lose that it becomes both a franchise and a shield.
The model does not solve every legal question. Property treatment, contract interpretation, secured lending, insolvency priority, sanctions and court authority remain jurisdictional and factual questions. A proof-based registry service can record a court order, a dispute status or a transfer evidence packet; it cannot make every court agree. That humility is part of the design. Recognition should preserve a clean record of commitments and evidence, not convert NRS into a world court.
The model also does not require the public to accept every NRS claim at once. Reliance can be incremental: supplemental proof, private diligence, software testing, auditor acceptance, limited service-portability pilots, public discovery integration, formal recognition modules. A system that can only imagine total rejection or total authority has already conceded too much to patronage logic.
A qualification ladder can begin before formal authority
The practical path for NRS is a ladder, not a cliff. The first rung can be voluntary holder evidence: a holder submits identity, resource history, contact authority and current service facts, and NRS returns a signed receipt that is clearly supplemental to recognized IANA and RIR records. That receipt should not pretend to allocate anything. Its value is that a holder can carry a coherent evidence packet to a lender, buyer, cloud platform, upstream, insurer or auditor.
The second rung can be independent reconstruction. NRS can invite auditors and technical monitors to choose sample receipts and rebuild the chain from public records, protected holder evidence and public commitments. The result is not a promise that every holder claim is correct. It is a proof that the service can preserve evidence, disclose uncertainty, reject conflicts and explain why a claim has the status it has. That is already more useful than a private file that no outsider can test.
The third rung can be live dependency rehearsal. For a resource whose current recognized status remains unchanged, NRS can simulate a service move: RDAP endpoint readiness, abuse-contact continuity, reverse-DNS coordination plan, RPKI key transition plan, customer notice, rollback, stale-data warning and public status language. A rehearsal lets operators discover failure modes before any root recognition is at stake. It also lets incumbents, if they choose, see that portability is not a disguised raid on uniqueness.
The fourth rung can be narrow reliance by private parties. A broker may accept an NRS receipt as one piece of transfer diligence. A lender may require a holder to maintain an NRS evidence export alongside the current registrar record. A cloud provider may use NRS dispute notation as a supplemental risk signal. These uses do not bind IANA. They demonstrate whether the evidence is useful in real decisions and whether the service can answer questions under pressure.
The fifth rung can be formal pilot recognition for defined event classes. A pilot might allow a qualified registrar move for a limited set of low-conflict resources, with pre-filed rollback, independent monitoring and explicit statements that routing remains outside the ledger. Another pilot might allow emergency supplemental publication if an incumbent service is unavailable, without changing holder status. Each pilot should have entry criteria, publication rules, incident rules, termination rules and a public report.
This ladder is politically safer than a demand for instant equivalence. It lets a new service earn reliance in proportion to observed performance. It also gives the existing system a chance to match the improvements. If an incumbent publishes better exports, faster corrections, clearer dispute states and stronger audits in response, NRS has already improved the market for evidence. If incumbents do not respond and NRS keeps passing tests, the case for stronger recognition becomes empirical.
The evidence standard must include adversarial cases
A soft demonstration is not enough. Any service can look safe when every applicant is cooperative, every resource is clean and every auditor is friendly. A recognition test should include adversarial cases designed to expose weak assumptions. The point is not to embarrass a candidate service. The point is to learn whether the service fails safely.
One adversarial case is stale authority. A person who once controlled a holder account presents old documents and demands a registrar move. A safe service checks corporate succession, current authority, revocation and competing instructions before issuing any public state change. If the evidence is incomplete, the service records a protected inquiry or a rejected request, not a clean event.
Another case is interval conflict. A covering block has a historic holder, a more-specific fragment has a current operating customer, and a third party claims to have purchased the whole covering block. A safe service does not flatten the conflict into one winner. It maps intervals, identifies which claims overlap, checks whether the more-specific use has separate authority, and quarantines disputed parts until the evidence class is resolved.
A third case is service blackmail. An outgoing registrar refuses to cooperate with a holder's move and warns relying parties that any new record is illegitimate. A safe portability design does not let the outgoing registrar veto exit by silence. It requires notice, gives the outgoing registrar a defined objection window, records any actual dispute, and allows the move if the holder's authority and dependency plan pass the objective tests.
A fourth case is reformer capture. A new registrar's supporter submits a weak claim and expects favourable treatment because the service exists to challenge incumbents. A safe NRS says no and publishes the reason category. It proves independence by disappointing allies as well as opponents. That is essential because a reform institution that cannot refuse its friends will not remain a bookkeeper for long.
A fifth case is security compromise. An attacker obtains a holder credential and attempts to change service endpoints during a weekend. A safe service uses high-risk change controls, out-of-band confirmation, waiting periods or emergency review, and it leaves evidence of the attempt. The holder should be able to recover without the public record pretending the attack never happened.
These cases turn recognition into engineering discipline. NRS can publish test outcomes without exposing protected evidence. It can state that a stale-authority request was rejected, an interval conflict was quarantined, an outgoing registrar objection lacked evidence, an ally's weak claim failed, and a credential attack was contained. Such disclosures would do more for trust than polished institutional language.
Patronage fails both sides of the dispute
Patronage is often defended as stability. The argument is that the existing institutions are known, that networks already depend on them, and that letting a challenger interoperate will create confusion. There is truth in the stability concern. Sudden unsupervised replacement would be reckless. But patronage is not the same as stability. Patronage protects the decision-maker's position. Stability protects the ledger's invariants.
The difference matters for incumbents. If an incumbent service is genuinely reliable, proof-based recognition will show it. Its public status will be coherent, its corrections timely, its security incidents handled, its audits clean, its migration rules fair and its emergency plans tested. Such an incumbent should not fear objective comparison. It should fear only a standard that gives equal credit to weaker evidence.
The difference matters for challengers. A challenger that faces patronage has an incentive to build politics around grievance. A challenger that faces proof has an incentive to build stronger records. NRS is more likely to mature if the path to reliance is visible and hard. If the only path is persuading incumbents to surrender privilege, every debate becomes existential. If the path is passing tests, the service can improve one module at a time.
The difference also matters for users of the data. A cloud platform, abuse desk, broker, lender or public agency does not need to join a philosophical debate to evaluate a proof. It can ask whether the record has a conflict flag, whether a migration was rehearsed, whether the registrar is qualified, whether the event is current, whether the dependent services changed and whether an auditor can reconstruct the basis. These are practical questions with practical answers.
Patronage therefore weakens both accountability and confidence. It denies challengers a fair path while allowing incumbents to lean on inherited status. A proof regime is stricter but fairer. It tells NRS: you may enter only to the extent that you can prove safety. It tells incumbents: you may remain trusted only to the extent that you can prove service. That is the bargain a numbering system under scarcity needs.
The positive NRS covenant
NRS can make a powerful offer to the Internet if it states the covenant plainly. We will not ask for recognition because we oppose incumbents. We will not ask for recognition because our members are frustrated. We will not ask for recognition because a political sponsor prefers us. We will ask for recognition only for the functions we can prove.
For uniqueness, the covenant is single current state, overlap detection, conflict quarantine and public dispute notation. For security, it is separated duties, protected keys, witnessed commitments, incident disclosure and tested recovery. For migration, it is dry-run evidence, customer continuity, rollback and no confusion between service portability, holder transfer and routing change. For audit, it is independent reconstruction, export rights, protected evidence access and published correction. For governance, it is reasoned refusal, appeal, external review and survival of records after NRS itself changes or fails.
That covenant gives supporters a better argument. They no longer need to present NRS as a moral replacement for every RIR, or as a perfect answer to every historical grievance. They can present it as a service that earns defined trust through observed performance. The more rigorous the proof, the stronger the positive thesis becomes.
It also gives skeptics a better objection. A skeptic should not need to say that no new numbering service can ever be recognized because the existing system is the existing system. The skeptic can say: here is the uniqueness test you failed; here is the migration case you mishandled; here is the audit gap; here is the security recovery you have not demonstrated. Those objections are useful because NRS can fix them or lose the claim.
Recognition by proof is therefore more than an entry strategy. It is the constitutional principle for a portable numbering future. Incumbents should not be protected by patronage. Reformers should not be excused by idealism. The Internet should rely on a numbering service to the extent that the service proves the invariants on which everyone else depends.
Sources
- ICANN ICP-2 criteria for new Regional Internet Registries
- IANA Number Resources
- RFC 7020: The Internet Numbers Registry System
- RFC 9224: Finding the Authoritative RDAP Service
- RFC 6480: An Infrastructure to Support Secure Internet Routing
- RFC 9162: Certificate Transparency Version 2.0
- NRO RIR Governance Document Version 2
- NRO SLA for IANA Numbering Services
- Number Resource Society Charter
- Lu Heng note on number-resource portability and ICP-2 revision

