Summary

  • An IPv4 transaction has at least four distinct moments: commercial agreement, payment settlement, registration change and operational use. The first two can occur without the third, leaving a completed bargain dependent on an incumbent registry that was not a commercial party.
  • Settlement finality in this context means a verified registration change becomes authoritative at a defined time and cannot be withheld or casually reversed by the former registration service. It does not mean that fraud, ownership litigation, sanctions duties or a competent court order cease to exist.
  • NRS-style portability should let the holder choose a qualified receiving registration service. The incumbent gets a short, auditable opportunity to identify a narrow defect; silence, institutional failure or a policy objection to the buyer's lawful business model cannot become an indefinite veto.
  • Disputes should be separated into notation and restraint. Most claims can follow the registration as a visible, time-stamped caution while the transfer completes. Only a legally effective restraint or a tightly defined integrity emergency should pause completion, with reasons, expiry and rapid independent review.
  • Uniqueness is protected through one transfer identifier, a single authoritative state transition, signed evidence, replay prevention and public confirmation that the former record is superseded. Routing continuity is protected through staged contact, reverse-DNS and security-service changes rather than an abrupt administrative cutover.
  • Portability strengthens institutional legitimacy because exit makes service quality, neutrality and competence consequential. NRS should define the portable right, evidence and continuity safeguards while avoiding a new global commercial gatekeeper or a tribunal for ordinary private bargains.

A sale can close while the registration remains open

The most dangerous sentence in an IPv4 transaction is often the most reassuring one: the deal has closed.

It may mean the purchase agreement is signed. It may mean the seller has delivered its contractual documents. It may mean the buyer has funded escrow and the release conditions have been met. Lawyers may regard the obligations as performed, the accounting entry may have moved and the commercial risk may have passed.

Yet the public registration can still name the seller. The relevant account may remain under the seller's regional registry. Reverse-DNS authority, routing-security controls and contact maintenance may still depend on credentials held under the old relationship. A receiving network may be preparing to use the space, but the administrative record has not caught up with the bargain.

That interval is not merely delay. It is an unresolved settlement state. The buyer has paid for a change that a non-party institution can still prevent from becoming legible to the rest of the Internet. The seller may no longer have the economic interest or operational staff to maintain the old record. Escrow can hold money, but it cannot compel a registry to update a registration. A court can eventually decide rights, but litigation is a poor substitute for a routine transfer mechanism.

Current inter-regional transfers make the dependence especially clear. The source and recipient registries each evaluate the request under their applicable requirements. Coordination can protect accuracy, but it also means that two administrative paths must remain available and compatible. If the source institution refuses to act, loses capacity or treats a commercial-policy objection as decisive, the receiving side cannot alone produce the recognised change.

The problem is not solved by saying that routing can begin anyway. A route announcement proves neither lawful authority nor complete registration. Nor is it solved by saying the contract remains enforceable. A buyer may have a claim for damages and still lack the registration services on which its deployment depends.

A mature transfer market needs a point at which performance becomes a final change in the registration record. That point cannot remain entirely at the discretion of the institution the seller happened to use before the transaction began.

Finality is a state transition, not a declaration of moral certainty

Financial-market infrastructure uses settlement finality to answer a narrow but essential question: when is a transfer irrevocable and unconditional within the relevant system? The analogy must be handled carefully. IPv4 registration is not cash, a security or a central-bank liability, and number-resource institutions do not inherit the legal status of payment systems merely because both maintain records.

The useful lesson is functional. A market cannot scale if entities cannot identify the moment after which a completed transfer will be treated as complete. If every settled instruction can be reopened by an intermediary's later preference, the buyer cannot rely on delivery, the seller cannot rely on discharge and third parties cannot know which record governs.

For IPv4, finality should mean that a validated registration instruction has crossed a published completion point. At that moment, one receiving registration becomes authoritative, the former entry is marked as superseded, all other services can resolve the same transfer identifier, and neither registration service can create a concurrent claim merely by restoring an older copy.

Finality does not certify that the commercial bargain was wise. It does not decide the tax treatment of the sale, the seller's internal authority under company law or the buyer's intended network design. It does not immunise fraud. It does not defeat a court with jurisdiction. It says something much smaller and more useful: the registration system has completed the instruction on the evidence and legal conditions then applicable.

That distinction prevents the word from becoming a shield for abuse. Finality must coexist with correction, but correction must not mean administrative whim. A typographical error can be corrected without undoing the transfer. A later court judgment can direct a new transfer or restoration. Proven credential theft can trigger an emergency recovery path. Each event should be recorded as a new, attributable change rather than a silent rewrite of history.

The market needs both confidence and truth. Confidence comes from a completion point that ordinary institutional disagreement cannot disturb. Truth comes from preserving the evidence, disputes and later lawful orders that may alter what happens next.

The incumbent cannot remain a permanent condition of performance

The seller's registry has legitimate information. It knows the current account, historical contacts, prior transfers, contractual status and any constraints already recorded against the resource. It should be consulted. Consultation is not the same as a veto without end.

An incumbent may fail in several ways. The obvious failure is technical: its systems are unavailable, records cannot be changed or staff cannot process requests. Institutional failure is broader. A registry can be insolvent, paralysed by governance conflict, unable to form valid decisions or subject to a transition that leaves ordinary requests unanswered. It can also be operationally present but functionally refusing: repeated evidence requests never reach a decision, response periods restart without cause, or a policy dispute unrelated to uniqueness is used to prevent completion.

If the buyer's registration can move only when that incumbent agrees, the incumbent remains a condition of contractual performance even though it did not negotiate the contract and bears little of the loss caused by delay. This creates a hold-up opportunity precisely when the parties have sunk legal, financing and integration costs.

The answer is not to treat every delay as misconduct. Complex cases can involve disputed seller authority, fragmented blocks, inconsistent company names, prior legal restraints or errors that require correction. The answer is to make the institution state the condition it believes remains unsatisfied, cite the rule or legal instrument, and do so within a fixed period.

Portability changes the default after that period. A qualified receiving service may validate the transfer from the parties' evidence and the existing registration history. The incumbent can identify a recognised defect, acknowledge that the record is clear, or remain silent. It cannot convert silence into permanent custody.

This is the central legitimacy claim. A service that can never be left is not disciplined by the people who rely on it. Elections, consultations and service pledges may improve conduct, but none replaces exit. Portability makes failure observable and survivable. It allows the registration to outlive the institution without pretending the institution never held relevant evidence.

Portability is not another name for an ordinary market transfer

Two movements are often confused. The first is a transfer between the seller and buyer. The second is portability between registration services. They may occur together, but they answer different questions.

The commercial transfer changes the party recognised as holder. Portability changes the service that maintains the authoritative registration. A network could port its registration without selling the resource, just as a customer can change a service provider while retaining the underlying identifier or entitlement. A buyer could also receive the resource and choose a new registration service as part of the same completion.

Keeping these movements separate improves evidence. The seller-to-buyer instruction requires proof of authority from the seller and acceptance by the buyer. The service-portability instruction requires proof that the recognised holder selected the receiving service. A combined instruction must satisfy both. The record should show both changes rather than compress them into an unexplained replacement of one organisation and one institution.

This separation also clarifies failure. If the incumbent entities because the seller never authorised the sale, that reaches the commercial transfer. If it entities because the holder wants a competing service, that reaches portability. The former may expose an integrity defect. The latter is the exercise of the right at issue and cannot be treated as evidence against itself.

Fees must be separated too. The incumbent may collect an accrued, contractually valid charge through ordinary legal means. It should not hold portability hostage to an unrelated future fee, a disputed service charge or the buyer's refusal to purchase another product. ICANN's transfer policy provides a useful comparison by distinguishing certain payment disputes from the registrar-transfer process and by limiting the reasons a registrar may deny transfer.

Number resources require their own rules, but the structural lesson is sound: a recordkeeping chokepoint should not become general-purpose security for every claim the incumbent has against a customer.

Portability therefore creates finality in two dimensions. It completes the transfer to the buyer, and it ends the old service's exclusive ability to decide whether that completion can be recorded.

The receiving service needs evidence, not permission

A portable system cannot accept assertion alone. If a buyer could select a friendly recorder and replace a registration without evidence, competition would produce duplicate claims rather than accountable service. The receiving institution must independently verify a minimum case.

The case begins with resource identity. The exact prefixes must match the current authoritative record and any more-specific registrations must be accounted for. The transfer cannot split or overlap a block in a way that creates two current holders for the same addresses.

Next comes party authority. The seller's instruction should be signed through credentials bound to the current registration, with additional corporate evidence where the transaction is unusually large, the credentials recently changed or the signatory's authority is reasonably contested. The buyer supplies its legal identity, acceptance and destination contact. A cryptographic signature is useful, but it is not magic: key custody and corporate authority remain different facts.

The receiving service then checks the recorded history. It verifies whether a transfer lock, court order, sanctions prohibition or previously noted dispute applies. It checks that the instruction has not already been consumed, that the same resource is not entering two transactions and that the requested effective time is coherent.

Finally, it confirms operational readiness. That does not mean judging the buyer's business plan. It means the receiving registration can publish accurate holder and contact data, maintain the resource, support relevant reverse-DNS and routing-security transitions, and answer subsequent correction requests.

The incumbent contributes evidence during a defined response window. It can return a signed confirmation, a precise defect notice or a documented legal restraint. A statement such as “policy concerns remain” is limited public evidence unless the policy defines an objective condition that the receiving service can test. A claim that the buyer does not fit the incumbent's preferred commercial model is not an integrity finding.

When the minimum case is verified and no effective restraint exists, the receiving service does not need the incumbent's permission. It needs a finality rule recognised by all participating services. That is how portability avoids both monopoly and chaos.

Silence must have a consequence

Many transfer protections fail because they specify documents but not the consequence of institutional silence. A request enters a queue. Questions are sent. Time passes. Nobody can say whether the matter is pending, denied or simply unattended. The absence of a decision acquires the practical force of a denial without the accountability of one.

A portable right requires a clock. The length can vary by risk class, but the clock must begin at a defined point: when the incumbent receives a complete notice carrying the transfer identifier, resource list, party attestations and receiving-service details. The incumbent acknowledges receipt automatically and can identify a missing minimum element once, not indefinitely reset the period through serial requests.

For an ordinary case, the incumbent should either confirm, entity on an allowed ground or let the period expire. Expiry is not proof that every fact is true. It is proof that the institution did not use its opportunity to identify a defect. The receiving service then completes its independent validation and posts the finality event.

An institution experiencing verified technical disruption can obtain a short continuity extension through an external status mechanism. That extension should apply to all affected requests, carry a public start and end, and trigger assistance or failover rather than private stagnation. A governance crisis cannot justify an unlimited extension merely because the institution cannot decide who has authority internally.

The clock also disciplines parties. A seller cannot issue conflicting instructions and then exploit institutional delay. The first valid instruction reserves the prefixes for the stated completion period. A buyer cannot keep an unfinished case open forever; its acceptance and evidence expire on a published schedule. A receiving service that misses its own confirmation deadline releases the reservation.

Silence rules are sometimes criticised as automatic approval. That description is inaccurate if the receiving service still verifies the case. The approval does not arise from silence; the loss of the incumbent's exclusive objection opportunity does. The distinction is essential. Portability replaces one institution's inaction with another institution's accountable decision.

A dispute should travel with the record unless law requires a stop

The transfer market currently treats “dispute” as if it were one condition. It is many.

A former employee may send an unsupported complaint. A creditor may assert that the seller breached a financing agreement. Shareholders may contest internal authority. A registry may have unresolved questions about historical documents. A court may issue an order prohibiting transfer. A sanctions authority may make performance unlawful. Credentials may have been stolen. These claims differ in evidence, legal effect and urgency.

The portable design should distinguish notation from restraint.

A notation records that a claim exists. It identifies the claimant class, the affected prefixes, the date, the asserted basis, the forum if one exists, the evidence custodian and the current status. Public disclosure can be limited to protect sensitive parties, but a buyer and receiving service must be able to see the condition. The notation follows the resource after completion. It does not imply that the claim is valid.

A restraint prevents the transfer for a limited period. It requires more: a court order from a competent jurisdiction, a directly applicable legal prohibition, a verified mismatch in seller authority, evidence of credential compromise or another narrowly defined condition where completion itself would create an immediate integrity failure. The restraint identifies who imposed it, when it expires or must be reviewed, and where a party can challenge it.

Most private disputes should remain notations. The claimant retains access to courts and contractual remedies. A judgment can direct a later transfer, compensation or another lawful result. The registration service does not erase the dispute; it refuses to become the court merely because it controls a useful record.

This separation prevents two opposite harms. Without notation, portability could make genuine claims disappear during movement. Without a restraint threshold, anyone capable of creating a dispute could create an indefinite veto. The correct system preserves the claim while asking law, not administrative caution alone, whether completion must stop.

Lawful restraint must be precise, reviewable and temporary

There are cases in which transfer should not complete. Portability loses credibility if it is designed as an escape from lawful process.

A court may order that identified prefixes remain under the current registration while ownership litigation proceeds. A sanctions rule may prohibit dealing with a named party. An insolvency court or officeholder may control disposition of the seller's assets. A credible report of stolen credentials may require enough time to contact authorised officers and prevent an irreversible hijack.

The difficult question is not whether restraint can exist. It is how to stop restraint from becoming a label that recreates incumbent discretion.

First, the scope must be exact. A dispute over one /24 should not immobilise an unrelated /16 unless the legal instrument actually reaches it. A corporate claim against one affiliate should not freeze every resource held by the group without evidence of authority over those resources.

Second, the basis must be attributable. “Legal review” is not a legal basis. The record needs the issuing authority, instrument date, jurisdiction, operative language or confidential reference available to the parties, and the institution responsible for confirming that the restraint remains effective.

Third, every temporary restraint needs an expiry or review date. An emergency credential hold might last days. A court order lasts according to its terms. A sanctions prohibition can be rechecked against the applicable list and licence. The registration should not remain frozen after the underlying instrument has ended merely because nobody closed an old ticket.

Fourth, review must be outside the commercial transfer desk that imposed the first hold. The reviewer need not decide ownership. It decides whether the restraint meets the published threshold, remains in force and has the stated scope.

Finally, a restrained case should preserve operational continuity. Existing contacts and security services remain stable unless the order says otherwise. The holder can correct urgent operational data without treating the correction as disposition. Customers should not lose reachability merely because title or payment is contested.

Lawful restraint is therefore compatible with finality. It defines when the completion point has not yet been reached. What finality excludes is an unbounded ability to reopen or prevent a completed change without a new lawful event.

One resource, one current registration, one consumed instruction

Portability cannot weaken uniqueness. That is the non-negotiable technical purpose around which the rest of the design must fit.

The transfer instruction should receive a globally unique identifier derived from a nonce, the exact resource set, seller, buyer, receiving service and validity period. Participating services publish a signed commitment when the instruction enters validation. That commitment reserves the prefixes against another simultaneous completion without prematurely changing the holder.

At finality, the receiving service publishes a signed completion containing the instruction identifier, effective time, new holder reference, superseded registration reference and a digest of the evidence decision. The incumbent and other resolvers mark the former record as superseded. The instruction becomes consumed and cannot be replayed.

If two receiving services attempt to complete conflicting instructions, the common state must reject the later or non-preferred instruction according to an objective ordering rule established before the conflict. Human discretion after two apparent completions is too late. The system must prevent concurrent current records rather than ask the market to choose between them.

Corrections are additive. If the buyer's name contains an error, the receiving service issues a correction linked to the finality event. If a court later returns the resource, that is a new legally directed transfer referencing the judgment and prior event. History remains visible. No institution quietly deletes the completion and pretends it never happened.

The public does not need the purchase agreement, price or personal identity evidence. It needs enough to verify that the old registration is no longer current, the new registration is authoritative and the same instruction was not used twice. Parties and authorised reviewers retain the richer evidence under clear access rules.

This is how a competitive registration environment remains coherent. Services can compete over responsiveness, assurance, price and interfaces. They do not compete by maintaining incompatible truths about who currently holds the same address space.

Routing continuity must be designed around the completion point

Changing the registration is necessary, but a network experiences continuity through more than a holder name. Contacts, reverse DNS, routing information services and security assertions may all depend on the incumbent relationship. A transfer that updates the main entry while breaking those adjacent functions is formally final and operationally reckless.

The continuity plan begins before completion. The buyer supplies new administrative, technical, network-operations and abuse contacts. The receiving service validates access and prepares, but does not prematurely publish, the relevant delegations. The seller identifies which existing services must remain during a transition period.

At the finality event, the holder record changes first and the authority to manage adjacent services moves according to a signed transition schedule. Reverse-DNS changes can be staged so existing delegations remain valid until the buyer confirms replacements. Routing-security changes can overlap where technically safe, allowing the new operator to prepare authorisations before the old authority is withdrawn. Internet routing registry entries can be copied as proposed records and activated only when the holder change is final.

The exact controls differ among services. The governing principle is that an administrative transfer should not create an avoidable routing incident. The old institution must not be able to disable the resource in retaliation, and the new institution must not delete working data merely because it prefers a clean start.

Emergency contact paths matter during the first days. Both services and both parties retain named responders who can distinguish a registry mismatch from a route leak, hijack, stale route object or ordinary propagation delay. Every emergency action is logged against the transfer identifier.

Continuity does not require routing to prove title. BGP remains a reachability mechanism, and observed announcements can conflict with registration for legitimate or illegitimate reasons. It does require the registration transition to respect the operating network rather than assume packets will adapt to paperwork.

Finality is valuable because other systems can rely on one completion point. Its design must make that reliance safe.

Failure portability should not wait for institutional collapse

The easiest case for portability is a registry that has visibly ceased operating. By then, the damage may already be extensive. Records can be stale, credentials inaccessible, staff dispersed and legal authority contested. Continuity should not depend on everyone agreeing that collapse is complete.

Portability must therefore operate during ordinary times. A holder should be able to change registration service for price, quality, jurisdictional fit, technical capability or trust, subject to the same evidence and uniqueness protections. Routine use keeps the mechanism tested. It also makes departure less politically explosive because it is a normal service decision rather than a vote of no confidence requiring institutional permission.

Failure conditions can accelerate the process. Published triggers might include prolonged inability to update records, loss of essential security services, invalid governance authority, insolvency administration, termination of recognised status or repeated failure to answer portable requests. Triggering acceleration does not transfer every registration automatically. It shortens response periods, activates shared continuity support and allows holders to move without waiting for an unavailable incumbent.

Where a registry fails as a whole, bulk transition may be appropriate. The domain-name system provides an instructive example: ICANN has procedures for moving registrations from a de-accredited registrar so registrants are not stranded by the intermediary's discontinued ability to manage them. Number resources are different in legal and technical detail, but the continuity principle transfers. The registration belongs with the relying network, not in the wreckage of a failed service relationship.

Bulk movement needs holder choice. A temporary receiving institution can preserve records and services, but it should not become the permanent provider by default without an exit path. Holders must be able to select another qualified service after continuity is secured.

The purpose of failure portability is not to punish the incumbent. It is to ensure that registry institutional continuity and network continuity are not treated as the same thing. The ledger function must survive even when the corporation performing it does not.

Narrow reversal protects both buyers and true holders

Any final system needs an answer to unauthorised transfer. If finality means nothing can ever change, a stolen credential could turn efficiency into dispossession. If any allegation can reverse a completed event, finality disappears.

The first defence is preventive: strong seller authentication, multi-person approval for high-value holdings, cooling periods after credential replacement, independent confirmation to established contacts and a visible pending notice before completion. These controls should be proportionate. A routine move should not require a trial, but a sudden transfer of a very large holding from newly changed credentials deserves additional assurance.

After completion, emergency reversal should be available only for specified integrity failures. Examples include forged authorisation, compromise of the registered holder's credentials, completion contrary to an effective restraint already recorded, or a duplicate state caused by a technical fault. A dispute about price, warranty, financing or later performance is not an integrity failure in the registration event.

The emergency applicant supplies a minimum evidential case and accepts responsibility for a false application. The receiving service freezes further portability for a short period but preserves current routing support. An independent panel examines whether the transfer event itself was unauthorised, not who deserves the asset on every possible theory.

Possible outcomes include confirmation, correction, reversal or referral to a court while the current state remains. A reversal is a new signed event linked to the original; it does not erase history. If a court later directs a different result, that order produces another attributable change.

This structure protects the true holder without giving the incumbent a second veto. The incumbent can submit evidence like any other custodian. It does not decide the case merely because the transfer left its service.

Finality is strongest when exceptions are explicit. Market entities can price a known fraud-recovery rule. They cannot price an institution's undefined right to revisit a transfer whenever pressure changes.

Institutional legitimacy begins where monopoly ends

Regional registries often ground legitimacy in community process, technical history, membership structures and the practical need for coordinated records. Each can contribute value. None answers why a holder must remain bound to one service even when that service fails at its narrow function.

Exit changes the relationship. A registry that knows holders can leave has to earn continued reliance through accurate records, responsive service, neutral treatment and credible continuity. A holder dissatisfied with one institution need not capture its board, dominate a policy meeting or wait for a court to reconstruct the entire governance system. It can move the registration while the common uniqueness rule remains intact.

This is not deregulation in the sense of no rules. Portability requires strong common rules about identity, authority, conflicts, finality and service qualification. It removes a different kind of rule: the incumbent's ability to make its own institutional survival a condition of the holder's operational continuity.

Competition also improves the meaning of consent. A member vote inside an institution may authorise internal budgets or policies under its constitution. It cannot credibly stand in for the consent of every network that cannot leave. Once exit exists, continued participation carries more information. The institution's claims become narrower and more defensible.

There is a risk that portability merely moves monopoly upward to the body that recognises receiving services. NRS must guard against that. Qualification criteria should be objective, open and testable: technical availability, security controls, evidence retention, continuity capability, financial assurance and acceptance of the common uniqueness rule. Denial should be reasoned and reviewable. Multiple independent services must be able to qualify.

Legitimacy does not require NRS to approve the buyer's business purpose, set transfer prices or decide ownership disputes. It requires NRS to protect the right to move, the integrity of the move and the ability of another competent service to reproduce the result.

NRS should be the guarantor of exit, not the new gatekeeper

Number Resource Society's constructive role begins with a bill of portable rights. A recognised holder can export its registration evidence, select a qualified receiving service, receive a timely response from the incumbent, carry disputes without concealment, preserve operational services and obtain a final completion that other entities recognise.

The second task is a common evidence standard. NRS can define the minimum transfer instruction, authority attestations, legal-restraint fields, service signatures, completion record and correction history. A holder should not need to rebuild its identity and chain of custody from scattered correspondence each time it moves.

The third task is continuity assurance. NRS can test whether services can export records, accept incoming registrations, preserve adjacent functions and recover from a simulated outage. It can publish results and coordinate emergency support without owning every registration.

The fourth task is dispute separation. NRS can maintain the distinction between a caution, a legal restraint and an emergency integrity hold. It can accredit independent reviewers for narrow transfer-integrity questions while leaving broad commercial and ownership disputes to courts or chosen arbitration.

The fifth task is public accountability. Aggregate measures should show completion times, defect reasons, expired objections, portability volume, failed-service activations, reversals and continuity incidents. These measures reveal whether the right works in practice.

NRS should refuse several powers. It should not decide whether the buyer needs the addresses. It should not require disclosure of price or commercial strategy as a condition of recognition. It should not prevent a move because the incumbent dislikes the receiving service. It should not use portability fees to tax asset value. It should not turn membership in NRS into a prerequisite for technical recognition.

Most importantly, NRS must itself be portable. Standards, verification software, event formats and qualification tests should be publicly implementable. If NRS becomes unavailable, independent services must still be able to validate prior events and continue the uniqueness rule.

The positive case for NRS is strongest when its authority is architectural rather than proprietary. It makes exit possible and trustworthy. It does not own the exit.

The settlement analogy has limits, and those limits are useful

The Principles for Financial Market Infrastructures call for clear and certain final settlement, at minimum by the end of the value date. European settlement-finality law protects designated payment and securities systems against certain insolvency disruptions. These sources show why mature markets define when an instruction becomes irrevocable.

They do not prove that IPv4 registration should copy securities law. Payment systems have designated operators, statutory protections, central-bank relationships and carefully defined entity obligations. Number-resource registration developed through technical coordination and private institutional arrangements. The legal rights associated with addresses vary by contract and jurisdiction.

The analogy should therefore supply questions, not borrowed authority.

What is the transfer order? When does it enter the system? When can a party revoke it? What conditions must be satisfied before completion? What happens if a entity becomes insolvent? Which record is authoritative after completion? Who can reverse an error, on what evidence and within what time? How are third parties told that the state changed?

Current IPv4 transfers often answer these questions through institutional practice rather than a portable public rule. That may work on normal days. It becomes fragile when the incumbent is the source of delay or failure.

Domain-name registrar transfers offer a closer service-portability comparison. ICANN's policy creates standard duties, limits denial grounds, requires release of transfer credentials within defined periods, separates some payment disputes from transfer and provides bulk transfer when a registrar loses accreditation. Domain names and IP addresses remain different resources, but the comparison disproves the claim that identifier uniqueness requires permanent dependence on one intermediary.

The proper conclusion is modest. Other infrastructures treat finality and intermediary failure as design questions. Number-resource governance should do the same. It should build a rule suited to routing identifiers rather than pretend a registration is settled whenever the incumbent says it is.

A practical portability case should fit on one page

Complex institutions often answer a missing right with a large procedure. Portability should begin with a small, inspectable case.

The first block identifies the resources, current holder, proposed holder if different, incumbent service, receiving service and requested effective time. The second records seller authority, buyer acceptance and holder selection of the receiving service. The third lists current cautions, legal restraints, recent credential changes and any overlapping pending instruction. The fourth sets the operational transition contacts. The fifth records dates: notice, incumbent response deadline, receiving decision and finality.

The incumbent can return one of a limited set of responses: confirmed; record correction required; authority defect; resource conflict; effective legal restraint; credential-integrity emergency; or service failure notice. Every response includes evidence and the part of the resource set affected. “Other” cannot stop completion without rapid external review.

The receiving service decides each identified issue and publishes a short reason. If only part of the block is restrained, the parties may complete the uncontested part if doing so preserves aggregation and does not create ambiguous more-specific records. If the case is clean, it completes at the scheduled time.

The final public notice is equally small. It states that the specified registration moved, identifies the superseded and current services, gives the effective time, confirms whether a caution follows the record and provides the signed event identifier. Sensitive evidence remains protected.

Fees should reflect actual verification and continuity costs. A routine move should be inexpensive. A complex authority dispute can carry a review charge allocated under published rules. No fee should scale automatically with the market price of the addresses.

This compact design makes testing possible. Auditors can select cases, reproduce the decision from preserved evidence, confirm deadlines and inspect whether operational services remained available. Parties can understand the right without hiring counsel merely to discover the status of a request.

The hardest cases should shape the safeguards, not defeat the right

Critics will begin with the hardest cases: a sanctioned buyer, a forged board resolution, an insolvent seller, an address hijacker with stolen credentials, or two courts issuing inconsistent orders. Those cases are real. They justify careful safeguards. They do not justify permanent monopoly over every ordinary registration.

Conflicting courts require a conflicts rule and legal advice. Portability cannot solve public international law. It can make the conflict visible, preserve the current operational state and identify which institution acted on which order. That is better than allowing one registry to make an opaque choice and call the result technical administration.

Insolvency requires proof of who controls disposition. The officeholder or court may replace ordinary seller authority. The receiving service records that basis. It does not ask the registry to relitigate the insolvency sale after the competent process has produced a final direction.

Sanctions require screening against applicable law, not a global moral veto. A service subject to one jurisdiction may be unable to act; another service must still respect law applicable to it and the transaction. NRS can require transparent legal attribution without pretending all jurisdictions produce one answer.

Credential theft requires fast intervention, but speed must be paired with liability for false holds and immediate review. Large holders should be able to pre-register stronger transfer controls, including multi-signature approval and trusted recovery contacts, without forcing identical friction on every small case.

None of these safeguards requires the incumbent to remain sovereign. Each requires evidence, a defined role and an attributable decision. Hard cases are arguments for a better finality rule because undefined discretion performs worst under stress.

The test is whether the design can preserve uniqueness and continuity while law resolves what law must resolve. If it can, the existence of disputes no longer supports institutional lock-in.

Measure finality by reliance, not by the registry's completion email

A portability regime should be judged by what parties and networks can safely rely on.

The first measure is completion certainty. Of complete portable requests, how many reach finality within the published period? How many stop for an effective legal restraint, an authority defect, an integrity emergency or an operational readiness problem? How often does incumbent silence occur?

The second is durability. How many completed events are corrected, challenged or reversed? Reversal alone does not prove weakness; a system that catches theft may be working. The reason, timing and decision path matter.

The third is continuity. Did any transfer cause loss of reverse DNS, routing-security authority, contact reachability or other registration-linked service? How long did restoration take? Were customers affected?

The fourth is uniqueness. Were conflicting instructions prevented? Did any resolver present two current holders? Could an old instruction be replayed? Were superseded records clearly marked?

The fifth is institutional incidence. Which services generate repeated expired response windows, unsupported objections, stale restraints or failed exports? Portability should make these patterns visible without requiring a political campaign around each case.

The sixth is market reliance. Do escrow agents, lenders, insurers and auditors recognise the finality event? Are contracts able to define payment release against it? Can a buyer deploy without retaining an indefinite reserve for registry reversal?

These measures turn finality from rhetoric into performance. A registry's email saying “completed” is evidence of one action. Settlement finality exists only when the wider system consistently treats that action as authoritative, preserves the network and limits later change to published legal or integrity grounds.

Portability completes the transfer architecture

The IPv4 market has developed contracts, brokers, escrow arrangements, due diligence and public transfer histories. Each solves part of the transaction. None can guarantee that the registration will become final if the incumbent registry refuses, fails or delays after the parties have done everything required of them.

That missing protection distorts the whole market. Buyers price institutional risk into bids. Sellers remain exposed after payment because their names may stay on records. Escrow terms become longer and more conditional. Operators cannot plan cutovers with confidence. Courts are asked to repair administrative paralysis that should never have become a property dispute.

Portability supplies the absent completion right. The holder can choose a qualified receiving service. The incumbent provides evidence but not indefinite permission. A valid instruction receives one identifier and one final state. Lawful disputes remain visible. Effective restraints pause only what they reach. Operational services move in a controlled sequence. Fraud recovery exists without turning every allegation into reversal.

NRS is well placed to make that right coherent because its stated mission centres operator control of registration rights and resistance to structural lock-in. Its best contribution is not to replace five regional monopolies with one global monopoly. It is to guarantee that no registration service, including NRS itself, becomes indispensable to the continued existence of a valid record.

The institutional principle is simple. A recordkeeper may protect uniqueness. A court may restrain disposition. A receiving service may verify authority. None should confuse its role with ownership of the transaction.

A sale is not finally settled because the money moved. It is not finally settled because the buyer announced a route. It is settled when the authoritative registration has changed, the former record cannot reappear as a rival truth, the network can continue operating and any surviving dispute is carried in the open under law.

Without portability, that moment remains a favour from the incumbent.

With portability, it becomes a right.

Sources