Summary

  • Identity-verification friction is the cost of deciding who may bind a RIPE NCC resource holder for a specific registry act, not a general paperwork burden.
  • The core failure mode is the separation between operational control and legal authority: a logged-in portal user, technical contact, sponsoring LIR, parent company or former director may not have present power to commit the holder.
  • RIPE NCC's transfer, merger, required-documents, RIPE NCC Access and RIPE-831 materials are used here as factual exhibits showing where authority questions arise across transfers, business-structure changes, insolvency, sponsorship and account access.
  • IPv4 scarcity gives the authority decision market consequences: registry recognition can release escrow, preserve restructuring value, affect customer continuity, shape sanctions review and decide whether a scarce resource can move safely.
  • Too little friction enables false transfers, stale-contact abuse, account capture, insider misuse and sham succession; too much friction can turn registry recognition into a private veto over lawful recovery or commerce.
  • A practical standard should be act-specific, holder-specific, role-specific, evidence-specific and remedy-specific, with proof calibrated to the risk of the requested change.
  • Small operators and End Users need a confidential path that respects non-standard legal forms, sponsoring-LIR dependencies, insolvency appointments and lost access without diluting fraud control.
  • The settlement is bounded registry governance: verify who can bind the holder, protect sensitive proof, give reasons, allow partial or temporary continuity where appropriate and avoid becoming a general corporate court.

The login that proves too little

Begin with the ordinary case. A small access provider, hosting company or enterprise network in the RIPE NCC service region has changed ownership. The technical staff still know how to route the prefixes. The portal credentials have not been lost. The invoices may be current. The old director may have resigned, the new director may be recorded in a national commercial register, and a parent company may be integrating subsidiaries across more than one jurisdiction. A transfer or name-change request is submitted because the registry must reflect a corporate fact that already exists outside the registry.

On the screen, the situation can look tidy. The request is in the right form. The prefix list matches the holder's account. The signing page has names. The registration extract is recent enough. In routing terms, nothing has broken. In customer terms, a delay can still be costly. Contracts may depend on address continuity; data-centre migrations may be scheduled; a lender or purchaser may be waiting for clean title to the registration; a sanctions-screening bank may refuse to process settlement until the registry status is stable.

Yet the decisive uncertainty is personal and institutional rather than documentary. Does the submitter control the portal because the company still authorises them, or because a former employee retained access? Does the named signatory have general capacity to bind the company, or only a procurement role? If the company is in administration, does the former director still have power to dispose of assets, or has that power shifted to an insolvency office-holder? If a parent company is acting, does it have authority to bind the subsidiary that actually holds the resources? If a sponsoring LIR is involved, is it relaying the End User's instruction or substituting its own commercial preference?

The registry's work is therefore not only to read papers. It is to connect an act to a person, the person to a role, the role to a legal or contractual source of authority, and that authority to the specific registry change requested. Each link has a cost. The submitter must spend time producing proof. The registry must spend time checking it. The transaction waits. The cost is not a nuisance added to the real transaction. It is part of the transaction because registry recognition changes who can later sell, lock, sponsor, route, certify or recover resources.

This is why the portal login is an incomplete proof. Operational access is evidence of control, but not necessarily evidence of legal capacity. A legitimate technical contact may be able to update a maintainer record yet lack power to sign a transfer. A director may have legal capacity yet lack access to the portal after a hostile departure by staff. A receiver may hold statutory authority but lack knowledge of RIPE NCC procedures. A small network may have one person who is owner, engineer, billing contact and portal user, until illness, death, divorce, bankruptcy or sale splits those roles apart. Identity verification becomes visible when these neat categories separate.

Friction is an information cost, not a moral preference

In institutional economics, friction is not simply waste. It is the price of learning enough to make a decision under imperfect information. A registry could eliminate much visible friction by accepting every request from a logged-in account. That would reduce delay but increase error. It could eliminate most false-transfer risk by requiring court orders, notarised chains and repeated human review for every material request. That would reduce some fraud but increase paralysis. The real design problem is to place the cost where it creates the most assurance for the least interference.

Identity-verification friction is a particular information cost. It is not the cost of gathering every possible document. It is the cost of answering a narrower question: who may bind the holder for this act? That question changes with the act. A request to correct a postal address should not require the same proof as a request to transfer a /16. An RPKI-related access recovery should not be treated exactly like an inter-company sale. A request from an administrator in insolvency is not a normal corporate housekeeping matter. A sponsoring-LIR change may have lower market value than a full transfer but can still determine whether an End User can keep a network alive.

This distinction is easy to lose because documents and identity travel together. A company extract may prove both that the company exists and who its directors are. A passport copy may identify a natural person and support a link to a named signatory. A transfer agreement may describe the deal and reveal who signed it. But the registry's analytic task should remain separate. One layer asks whether the asserted fact happened. Another asks whether the person asking the registry to recognise that fact can cause the holder to act.

The more scarce and tradable IPv4 becomes, the more expensive mistakes become. IPv4 addresses are not owned in the simple chattel sense, but registration status can support market transfers, service continuity, financing assumptions and due diligence. A false transfer can impose large recovery costs and may be difficult to unwind once routing, contracts and downstream assignments have shifted. A wrongly blocked transfer can destroy a sale, strand customers, or reduce a distressed company's value. Identity verification is therefore both a fraud-control instrument and a liquidity-control instrument.

The cost falls unevenly. Large telecommunications groups and cloud companies can produce board papers, legal opinions and compliance teams. A small ISP in a frontier market, a family-owned hosting company, or a university network with legacy arrangements may struggle to produce clean authority evidence quickly, even when its claim is honest. This does not mean the standard should be diluted until fraud becomes easy. It means the standard should be explicit, narrow and reviewable, so that the party knows what question is being answered and which missing link prevents recognition.

A well-run registry is a ledger, not a gatehouse. It records resource-holder facts with enough confidence to keep the Internet's coordination layer reliable. It is not a sovereign deciding corporate succession for the world. But a ledger still needs a bookkeeper. If anyone can write to the ledger, the ledger is not neutral; it is captured by whoever has the fastest password, the most aggressive lawyer, or the least scruple. The bookkeeper's power is justified only when used to decide a registry act, and only in proportion to the risks that act creates.

Why RIPE NCC is a special case

All regional Internet registries face authority problems. RIPE NCC faces a distinctive version because of geography, legal diversity and market structure. Its service region spans more than 75 countries across Europe, the Middle East and parts of Central Asia. The legal forms in that region include public companies, private limited companies, foundations, associations, state-linked operators, universities, ministries, family firms, free-zone entities, partnerships, sole traders and natural-person resource holders. Corporate evidence may come from Dutch, German, British, French, Turkish, Ukrainian, Kazakh, Emirati, Georgian, Serbian, Israeli or many other authorities. The registry must interpret enough of that evidence to act, without becoming a general corporate court.

RIPE NCC also has a practical Amsterdam-Dubai reality. It is incorporated and governed through Dutch institutional settings, while it serves a region in which commercial, banking and regulatory channels often run through the Gulf as well as Europe. A European acquirer may buy a Middle Eastern network. A Dubai holding company may control an operating company elsewhere. A Central Asian ISP may rely on a sponsoring LIR in another jurisdiction. A sanctions screen may interact with bank compliance, export controls, beneficial-ownership uncertainty and government registries that differ in reliability and language.

Cross-border authority is not a cosmetic complication. It changes the probability that a document is misunderstood, that a director's role has a different legal meaning, that a parent company's instruction is overstated, or that a former signatory remains visible in stale registry contact data. A registry that accepts every document at face value can be exploited by those who know the local corporate form better than the registry. A registry that rejects unfamiliar forms too readily can punish legitimate networks outside the institutional comfort zone of Western European commercial registers.

RIPE NCC's materials reflect this tension. The transfer page distinguishes LIRs and End Users, sponsoring LIRs and offering parties, membership-required resources and sponsored resources. The merger page addresses business-structure changes and sanctions screening. The procedural document RIPE-831 covers transfers, legal-name changes, bankruptcy, liquidation, suspension of payments and insolvency proceedings, and it discusses transfer agreements signed by authorised persons. These are not abstract legal niceties. They are the vocabulary of a registry operating across a varied corporate landscape.

The variety also affects small operators. In some markets, documentation from national authorities is digital, standardised and in English or easily translated. In others, records may be delayed, partly offline, politically constrained, or in formats that do not map neatly onto RIPE NCC's forms. A small operator may not have in-house counsel. The same friction that is minor for a multinational can become existential for a network serving a town, a research community, a data-centre cluster, or a niche enterprise sector. The registry cannot ignore fraud risk to help such parties, but it can make the authority test predictable and commensurate with the act.

The RIPE environment therefore needs a standard that is more nuanced than "more verification is safer." More verification can be safer when it targets the authority gap. It can be harmful when it multiplies papers without narrowing the question. The issue is not whether RIPE NCC should verify identity. It must, in material cases. The issue is whether verification is tied to present authority, market risk, operational continuity and reversible evidence, rather than institutional anxiety.

The transfer file is not the decision

Transfers expose the separation between documents and authority most clearly. RIPE NCC says a resource transfer changes holdership from an offering party to a receiving party. Its transfer pages require documents for each party, signed agreements and proof that signatories are authorised. This is sensible. A transfer has market value, and once it is recognised, the registry's statement may affect routing, contracts, escrow release, financing and future transfers.

But a transfer file is not self-executing. Suppose a transfer agreement is signed by a person whose name appears in an old company extract. The extract is genuine, but the person has since resigned. Or suppose the signatory is a director in a parent company, while the resources are registered to a subsidiary. Or suppose the transfer is part of a bankruptcy sale, and the former management wants to cooperate, but the administrator is the only person with authority to dispose of the assets. In each case the documentation can be real while the authority claim is defective.

The reverse can also occur. A legitimate successor may have authority before all paperwork is perfect. In an urgent insolvency sale, a court-appointed office-holder may need registry recognition to preserve customer service and sale value. A company registry may update slowly. A translation may be pending. A portal account may remain under the control of the old team. If the registry treats incomplete conventional paperwork as proof that authority does not exist, it may help destroy value that the legal process is trying to preserve.

The better approach is to treat the file as evidence, not as the decision. The decision is whether the registry has enough confidence that the person requesting recognition can bind the holder for the specific act. That confidence can come from a combination of channel, role, document, confirmation, timing, transaction type, risk and review. A request from a registered contact through a portal with two-factor authentication and a current company extract may be enough for a low-risk name correction. A large IPv4 transfer involving a recently changed corporate structure may require additional confirmation from directors, administrators, legal successors or national documents.

The distinction also reduces perverse incentives. If parties learn that the registry merely checks whether a file contains certain documents, sophisticated bad actors will build better files. They will obtain stale extracts, control legacy emails, pressure technical staff, or present a partial deal as a completed succession. If parties learn that the registry asks a narrower but deeper authority question, the game changes. The burden shifts from paper volume to the chain of authority. Who signs? In what capacity? For which holder? Under which legal or contractual source? For which registry act? That is the question a fraudster finds harder to fake and a legitimate holder should be able to answer.

The registry must still avoid turning this into legal adjudication. It should not decide a corporate dispute that belongs in court. It should decide whether it can safely recognise a registry change. Where rival plausible claims exist, the registry may need to preserve the status quo, request a clearer mandate, or wait for competent external resolution. That is not abdication. It is recognition that the registry's competence is limited to the coordination ledger and that its refusal to rewrite the ledger can be the least intrusive act when authority is genuinely contested.

Legal authority and operational control are different assets

RIPE NCC Access, the LIR Portal, maintainers, organisation records and authorised contacts create a practical control surface. They let people request resources, view tickets, update records, manage resource entries, request transfers, work with RPKI, and administer accounts. This surface is indispensable. A registry cannot handle every routine update through notarised letters. The Internet runs because operational people can make timely changes.

Yet operational control and legal authority are different assets. A person can have the password and lack authority. A person can have authority and lack the password. A person can have authority for technical updates but not for transfers. A sponsoring LIR can have a portal path but not an open mandate to substitute its commercial will for the End User's instruction. A consultant can be trusted to maintain routing data but not to sell the holder's address space.

This separation is common in corporate life. Bank signatories, system administrators, directors, procurement managers, outside counsel and network engineers all act for a company, but not for the same decisions. The trouble in registry governance is that old Internet institutions often grew from trust networks in which one or two technical contacts embodied the holder. That model still works for many routine changes. It fails when IPv4 scarcity gives registry changes market value and when corporate structures become layered, cross-border and contested.

Account recovery is the clearest stress test. If a legitimate holder loses access because staff left, a consultant disappeared, a founder died, or a former provider refuses cooperation, the registry must help restore control. If it restores control too casually, it enables takeover. If it refuses until the old account holder cooperates, it lets stale operational control defeat current legal authority. The registry must identify the holder's current authority chain and then rebuild access around it.

The same issue appears in RPKI and routing security. A portal user may be able to manage ROAs for resources. That is an operational act with immediate network consequences. It is not identical to a transfer, but it can affect reachability and customer service. A hostile or stale user may not sell the resources, yet can still damage operations. Conversely, a legitimate new operator may need timely RPKI access to prevent outages after a merger. Identity verification therefore cannot be reserved only for market transfers. It is relevant wherever account control can change the practical value of the resource.

This does not mean every helpdesk ticket becomes a legal proceeding. It means authority tiers should be explicit. Routine operational updates can rely on authenticated accounts and existing maintainer relationships. Material acts - transfer, merger recognition, legal-name change, sponsorship change, voluntary transfer lock, account recovery after conflict, or high-impact RPKI recovery - need an authority test. The test should be stronger when the action is irreversible, market-sensitive, contested, sanctions-relevant or likely to affect many downstream users.

The institutional mistake is to collapse the two assets. Trust-the-login collapses legal authority into operational control. Demand-formal-proof-for-everything collapses operational continuity into legal paperwork. A registry serving real networks needs both distinctions. It must let engineers operate, while reserving deeper recognition for acts that change who can bind the holder or control high-value resource status.

Scarce IPv4 changes the calculus

IPv4 scarcity turns identity verification from administrative hygiene into market infrastructure. The RIPE NCC region has a mature transfer market because new IPv4 supply is exhausted and demand persists. A registry transfer is not a sale of property in the ordinary sense, but recognition of a transfer can be the practical event that releases money, completes due diligence or lets a network consolidate assets. Where a registry act affects a scarce and priced resource, the identity question acquires financial weight.

This changes incentives. A stale contact on a dormant allocation is no longer merely untidy. It may be a target. A portal account attached to a resource-rich LIR is not only an administrative convenience. It may be a key to a valuable transaction. A former director with old credentials may be tempted to act before a new board can secure the account. A buyer under time pressure may prefer a fast but weak authority file. A seller in financial distress may face pressure from creditors, insiders, customers and competing acquirers.

Escrow arrangements magnify the point. In many private transactions, payment depends on registry recognition. The buyer does not want to release funds until the registry changes the record; the seller does not want to lose control without payment. If identity verification is slow or opaque, escrow capital sits idle and counterparties worry. If it is too lax, the escrow can release against a defective transfer. The registry's friction becomes part of the cost of capital.

Mergers and restructurings add another layer. A corporate transaction may close under company law before registry updates are complete. The buyer may have operating responsibility but not yet have portal control. The seller may have residual obligations but no continuing economic interest. The registry may be asked to reconcile documents from national authorities, purchase agreements, board decisions and current portal roles. Delay may be harmless for a passive holding company. It may be costly for a network whose customer contracts, peering arrangements, RPKI, abuse handling and billing depend on stable recognition.

The scarce-asset context also raises the stakes of false negatives. A registry that is too fearful can freeze value. Distressed companies may need to sell address space to preserve service, pay creditors or complete a restructuring. Small providers may need to consolidate resources after a merger to survive. A lawful acquirer may need to integrate routing and certification. If the authority test is unclear, those parties spend money guessing what proof will satisfy the registry. Some deals fail not because the authority is absent but because the path to recognition is uncertain.

There is no frictionless solution. Any standard can be gamed at the edges. The point is to select friction that matches economic risk. A request to transfer a large IPv4 block between unrelated entities should carry a high authority burden. A request to correct a spelling error after a verified name change should carry less. A request from an insolvency administrator should be treated as unusual but not suspect merely because it does not resemble a normal director signature. A sponsoring-LIR request should be checked for End User authority where the action changes the End User's position. Scarcity makes proportionality more important, not less.

Mergers, insolvency and the succession problem

Mergers and insolvency are where authority verification becomes hardest. Ordinary corporate life assumes continuity: a company exists, its officers are known, and its records are current. Restructuring breaks that assumption. The holder may merge into another entity. A business unit may be sold without the old company disappearing. A company may change its legal name but not its identity. A network may be acquired from a company whose legal shell remains. A court may appoint an administrator. A liquidation may terminate old management's power. Each case presents a different path from old holder to new authority.

RIPE-831 is useful as a technical exhibit because it recognises transfers caused by mergers, acquisitions, bankruptcy, liquidation, suspension of payments and insolvency proceedings when supported by official documentation from national authorities. It also recognises legal successors and authorised persons as possible requesters. That language points to the core problem: succession is not always a neat signature by yesterday's director and tomorrow's director. Sometimes yesterday's director no longer has power. Sometimes tomorrow's director controls a different legal person. Sometimes the only person who can act is appointed by a court or creditor process.

Insolvency creates particularly acute incentives. Address registrations may be among the few valuable assets associated with a failing network. Creditors want value preserved. Customers want service continuity. Former management may want a sale, resist a sale, or attempt to favour one buyer. Employees may control systems. A purchaser may need fast registry recognition to keep services alive. The insolvency office-holder may understand corporate law but not RIPE NCC procedure. A registry that cannot distinguish old operational control from new legal authority may either aid an insider transfer or block a lawful restructuring.

There is also a timing problem. Corporate events can happen faster than registry records change. A merger may be effective under local law before the registry file is updated. A court appointment may immediately displace directors. A national registry may publish records with delay. A buyer may need to plan customer migration before all documents are translated. The registry needs enough assurance to act, but it should not treat every timing gap as evidence of fraud. The relevant question is whether the claimed authority is legally and factually connected to the holder and the requested act.

Cross-border succession multiplies uncertainty. A Dutch procedural lens may not map perfectly onto a Turkish restructuring, an Emirati free-zone entity, a Ukrainian wartime corporate record, a Kazakh state-linked company, or a British administration. The registry does not need to become expert in every system. It does need a way to ask for decision-relevant proof without laundering its uncertainty into an unlimited demand for more papers. It can require translations, recent extracts, proof of appointment, board authority, court documents or confirmations where risk justifies them. It should explain which link is missing.

The most dangerous cases are those with partial authority. A parent company may control the group but not directly own the resource holder. A service provider may manage the network but not hold the resources. A former director may have signed the original RIPE NCC service documents but lost capacity. A sponsoring LIR may be the only party with portal access but may not be the economic beneficiary. In such cases, the registry's friction should focus on the missing link: from requester to holder, from holder to resource, from legal event to registry act.

Sponsoring LIRs and the delegated edge

The sponsoring-LIR model is a useful coordination device and a recurring source of authority friction. End Users that are not RIPE NCC members can hold independent resources through a contractual relationship with a sponsoring LIR. That arrangement lets smaller or specialised networks obtain registry services without full membership. It also creates a delegated edge where the registry may see the sponsoring LIR more clearly than it sees the End User's current internal authority.

For ordinary support, this can work well. The sponsoring LIR understands the portal, RIPE NCC processes and technical norms. It may help an End User request a change, maintain records, or manage resource relationships. But the sponsor's visibility is not the same as ownership of the End User's decision. A sponsorship change, transfer involving independent resources, or recovery request can place the sponsoring LIR in a position where its commercial interest differs from the End User's interest. The authority question then becomes delicate: is the sponsoring LIR transmitting the End User's instruction, or is it speaking for itself?

This matters for small-operator survival. An End User may be a local provider, enterprise network, non-profit, research body or public institution. It may rely on a sponsoring LIR because it lacks registry expertise. If the sponsor fails, is acquired, becomes hostile, loses staff or refuses cooperation during a dispute, the End User needs a path to restore or change sponsorship. If the registry insists on sponsor cooperation in all cases, the delegated relationship becomes a lock-in. If it accepts any End User claim without checking current authority, it invites hijack and commercial opportunism.

The registry needs a two-sided standard. It should respect the sponsoring LIR's operational role, because the LIR is often the only party able to submit through established channels. It should also preserve the End User's underlying authority, because the resources are associated with that End User's contractual relationship and network use. Where a material change affects the End User's rights, the registry should be able to ask whether the End User's current authorised representative supports the request. Where the sponsor is unresponsive or conflicted, the registry should have a confidential route for the End User to prove authority directly.

The same logic applies to service providers and consultants. Many networks outsource operations. A consultant may maintain records, hold credentials and manage routing. That practical dependence should not become unlimited registry authority. Conversely, a company should not be punished for outsourcing if it can show current authority and a legitimate need to regain control. Identity verification must distinguish trusted technical help from capacity to bind the holder.

The delegated edge is also where overbroad verification can do harm. A small End User may not have the polished corporate papers of a large LIR. Its signatory may be a municipal official, university administrator, founder, trustee or small-company director. A standard designed only for large corporate transfers may make recovery too slow. The question should remain specific. Who can bind this End User for this sponsorship or registry change? What proof is available from the relevant institution? What risk does the change create? Can the registry grant limited recognition, require later confirmation, or preserve continuity while resolving authority?

Sanctions, banks and the cost of being wrong

Sanctions add a public-law dimension to authority verification. RIPE NCC's merger and transfer pages state that requests are checked against the EU sanctions list and that a transfer will not be approved if a party is under sanctions. This is a technical exhibit of a broader reality: registry recognition, bank settlement and compliance review increasingly interact. The registry is not a bank, but its decision can influence whether a bank, escrow provider, purchaser or counterparty treats a resource transaction as clean.

The authority question matters because sanctions risk is not limited to the name on the front of the file. A corporate group may contain sanctioned owners, non-sanctioned subsidiaries, blocked directors, nominee structures or rapidly changing control. A request may be submitted by a person who is not themselves sanctioned but acts for a party that is. A former director may attempt to move value before a freeze takes effect. A buyer may seek confirmation that a distressed resource transfer is not tainted. Identity verification cannot solve beneficial-ownership law. It can reduce the chance that the registry recognises a request from someone who lacks authority or conceals the real party in control.

There is a danger on both sides. If the registry treats sanctions anxiety as a reason to demand unlimited information, it risks becoming a parallel compliance authority with unclear standards. If it treats sanctions screening as a checkbox detached from authority, it risks approving formal requests that mask sham succession or insider evasion. The better standard is again proportional. Where sanctions exposure is plausible, the registry should ask who is binding the holder, who controls the receiving party for purposes relevant to the registry act, and whether the stated succession or transfer is supported by official and transaction evidence.

Banks and escrow providers create another layer of friction. They may require evidence that the registry will recognise a transfer before funds move; the registry may require signed agreements before recognition; parties may be unwilling to sign certain final documents before financing is secured. The result can be a coordination problem. Clear authority standards reduce that problem by telling parties what must be true before the registry acts. Unclear standards turn the registry into a source of transaction uncertainty.

The registry should also be careful with confidentiality. Authority evidence can include passports, corporate control documents, insolvency papers, sanctions-sensitive information, private sale terms and personal data. Public registry accuracy does not require public exposure of all verification material. In fact, over-publication can increase fraud by teaching bad actors what to mimic. A narrow, confidential verification channel can protect the registry while limiting disclosure to what is necessary for public coordination.

Sanctions also reinforce why a bookkeeper should not become sovereign. The registry may have duties under applicable law and should not recognise transfers that those duties forbid. But it should resist the temptation to convert every geopolitical concern into discretionary recognition power. The question for the registry is not whether it approves of a company, country or transaction in a broad sense. The question is whether applicable legal constraints and registry policy permit recognition, and whether the person asking has authority to bind the holder.

Fraud prevention without registry sovereignty

Fraud prevention is the strongest argument for identity verification. False transfers, account capture, stale-contact abuse, insider misuse and sham succession are real risks. IPv4 value gives them motive. Cross-border corporate complexity gives them cover. Operational dependence on accounts gives them opportunity. A registry that fails to verify authority can help convert a compromised credential or stale role into recognised control.

But fraud prevention can become a mandate without limits. A registry can begin by asking whether a signatory is authorised and end by deciding whether a merger is commercially sensible, whether a family dispute is credible, whether a buyer is desirable, or whether a distressed operator deserves rescue. That would be mandate laundering: using a narrow registry safety function to exercise broader recognition power. The cure for fraud is not unlimited discretion. It is a decision-relevant test.

The test should begin with the act. What is the requester asking the registry to do? Transfer holdership? Change a legal name? Change sponsorship? Recover account access? Lock resources? Update a contact? Create or manage RPKI functions? The act determines the potential harm. The potential harm determines the strength of proof. A high-value irreversible transfer needs more assurance than a routine contact correction. A contested account recovery needs more assurance than a password reset for a known admin. A voluntary transfer lock needs proof that the requester can bind the holder because the lock can constrain future liquidity.

The test should then identify the holder and the current authority chain. For a company, that may include directors, authorised signatories, administrators, liquidators, legal successors, or persons empowered by board or court documents. For a natural person, it may include identity proof and evidence that the person is the current holder or legal successor. For an End User, it may include the End User agreement, sponsoring LIR relationship and evidence that the End User's representative supports the action. For a group company, it may require proof that the acting entity can bind the registered holder rather than merely asserting group control.

The test should also respect operational signals without overvaluing them. Portal access, SSO, two-factor authentication, existing maintainer relationships, ticket history, billing contacts and prior communication patterns are evidence. They are not conclusive. They can increase confidence when they align with legal authority. They can raise alarms when they diverge from it. A request from a newly added account to transfer valuable space soon after a corporate dispute deserves more scrutiny than a routine request from a long-standing contact that matches current company records.

Finally, the test should produce reasons. A refusal need not publish private evidence. But the requester should understand the missing link: no proof that the signatory can bind the holder; no evidence that the parent company can act for the subsidiary; no confirmation from the insolvency administrator; no authority from the End User behind a sponsoring-LIR request; conflicting claims that require external resolution; sanctions or legal constraints preventing recognition. Reasons discipline the registry and help legitimate parties cure defects without guessing.

Confidentiality, review and reversibility

Identity verification requires sensitive evidence. The registry may see identity documents, company extracts, board resolutions, court appointments, sale agreements, insolvency records, beneficial-ownership information, translations and private contact details. The public Internet needs reliable resource registration; it does not need every verification artifact. Confidentiality is therefore not an indulgence. It is part of the design.

Confidentiality reduces three risks. First, it protects personal data and commercial information. Second, it reduces the chance that bad actors can study past files to imitate successful authority chains. Third, it encourages legitimate parties to provide complete evidence rather than withholding material out of fear that it will be exposed. A registry that cannot protect sensitive authority evidence will either receive less evidence or create new attack surfaces.

Review is equally important. The party facing friction should not experience the registry as a black box. A reasoned request for more proof is different from an indefinite pause. An explicit refusal is different from silence. A documented escalation path is different from staff discretion without institutional memory. Review does not require turning every case into litigation. It means that material decisions can be reconsidered by someone not invested in the first answer, with the authority question framed clearly.

Reversibility is more difficult. Some registry acts are easier to undo than others. A contact correction can be reversed. A transfer may be reversible in registry terms but costly in market and operational terms once money, routing and contracts have moved. RIPE-831 notes that the RIPE NCC reserves the right to reverse a transfer if another party contests it and proves the resources should have been transferred to them. That is a necessary safety valve, not a substitute for careful verification. Reversal after a false transfer is expensive, uncertain and disruptive.

The concept of reversible recognition can still help. Where uncertainty exists but operational continuity is urgent, the registry might grant limited access, preserve status quo routing functions, or allow certain updates while blocking transfer or disposal. It might recognise an insolvency office-holder for recovery and continuity while requiring stronger proof for sale. It might allow a verified End User to change a failed sponsor while scrutinising any simultaneous transfer to a buyer. The point is to separate acts rather than treating recognition as all-or-nothing.

This separation reduces harm. A legitimate holder locked out of RPKI tools may need urgent recovery to prevent outages. That does not mean the same person should immediately be able to transfer the resources. A buyer may have enough evidence to prepare a transaction but not enough for final recognition. A former contact may be useful for technical continuity but not for legal consent. Granular authority lets the registry respond to reality without over-recognising uncertain claims.

Reasons, confidentiality and partial recognition also make proportionality credible. Without them, "proportionality" is a slogan. With them, the registry can say: this act creates this risk; this proof is missing; this evidence will cure it; this temporary access is allowed; this transfer is not; this decision can be reviewed. That is how friction becomes governance rather than delay.

The small-operator problem

Identity-verification friction is regressive unless deliberately designed otherwise. The fixed cost of proving authority is easier for large institutions to absorb. A multinational carrier can produce notarised board papers, counsel letters, translations and dedicated compliance staff. A small ISP, hosting firm or enterprise network may have one administrator, one accountant and a director who is also the engineer. The harm of delay may be larger relative to revenue.

Small operators are not automatically lower risk. Some frauds target small or dormant holders precisely because records are stale and oversight is weak. But small operators often face authority disruptions for mundane reasons: founder death, divorce, illness, staff turnover, unpaid consultants, local registry delays, migration from a legacy sponsor, or acquisition by a nearby provider. A standard built around large corporate assumptions can turn honest disruption into paralysis.

The RIPE NCC service region's diversity makes this acute. In some countries, company registers are fast and transparent. In others, official records may be slow, expensive, offline, interrupted by conflict, or difficult to translate. Some entities are public-sector bodies or non-profits with signatory structures that do not resemble private companies. Some are free-zone companies with documentation familiar in the Gulf but less familiar in Amsterdam. Some are natural-person holders whose succession may be governed by family or probate documents rather than corporate extracts.

A registry should not solve this by waiving authority. That would make small holders easier to steal from. It should solve it by publishing a comprehensible path. The path should say which types of evidence can prove current authority for common entity types; what to do when portal access is lost; how a sponsoring LIR can and cannot act; how to handle death, insolvency and legal-name change; how to request confidential review; and what temporary measures may preserve operations while the authority chain is clarified.

For small operators, time is a material cost. A two-week delay can be survivable for a large carrier and fatal for a distressed local provider. It can disrupt a sale, trigger customer churn, or cause a bank to withdraw. Clear service expectations matter. If a case is complex, the registry should identify the complexity early. If a document is missing, it should say which link it affects. If an external legal resolution is required, it should say why registry evidence cannot resolve the conflict.

The registry should also avoid English-language and document-form bias. Translation may be necessary, but unfamiliar form should not be mistaken for weak authority. A public university's authority chain, a municipal network's signatory rules, a free-zone company's license, or an insolvency appointment may look different from a Western European company extract. The standard should ask whether the evidence credibly identifies the holder, the requester and the authority for the act, not whether it resembles the registry's most common file.

Good friction protects small holders from theft and from abandonment. Bad friction does the opposite. It protects the registry's comfort while leaving the holder unable to recover accounts, change sponsors, complete restructurings or keep customers online. The difference lies in whether the registry verifies authority with precision or accumulates paper as insurance against blame.

A narrow verification standard

A practical authority standard for RIPE NCC should have five parts. First, it should be act-specific. The registry should define the requested act and map it to a risk tier. Transfer, merger recognition, legal-name change, sponsorship change, voluntary transfer lock and contested account recovery should not all receive the same treatment as routine data maintenance. The act determines both the proof level and the possible interim measures.

Second, it should be holder-specific. The registry should identify the current registered holder and the legal or contractual structure that connects the requester to that holder. This is where parent-subsidiary confusion, sponsor-End User confusion and consultant-holder confusion should be resolved. Authority to act for an affiliate is not automatically authority to bind the registered holder. Operational service to a holder is not automatically authority to dispose of the holder's registration rights. A sponsoring LIR's portal role is not automatically the End User's instruction.

Third, it should be role-specific. The registry should ask what role the person holds: director, officer, administrator, liquidator, legal successor, authorised signatory, registered contact, sponsoring LIR representative, technical contact, billing contact, or portal admin. It should then ask what that role can do. A role sufficient for receiving invoices may not be sufficient for a transfer. A technical role may be sufficient for a routing-related update but not for a sale. An insolvency role may override former directors for certain acts.

Fourth, it should be evidence-specific. The registry should identify which evidence supports which link. Company extracts support existence and officers. Court documents support administration or liquidation. Board resolutions support delegated authority. Transfer agreements support transaction consent. Portal history supports operational continuity. Sponsoring agreements support delegated service. Identity documents connect a person to a name. No single document should be treated as magic; no missing document should be fatal if another reliable source proves the same link, unless law or policy requires that form.

Fifth, it should be remedy-specific. If the proof is insufficient, the registry should say how to cure it or why it cannot be cured inside the registry process. If rival claimants present plausible authority, the remedy may be external resolution. If a portal account is stale but legal authority is clear, the remedy may be account recovery plus controlled access. If a transfer is too risky but operations are at risk, the remedy may be limited continuity measures. If sanctions law blocks recognition, the remedy may be outside the registry's discretion.

This standard would not eliminate judgment. It would make judgment accountable. It would also reduce the temptation to over-collect. Asking for every possible document can feel safer, but it often obscures the missing issue. Asking for the right document or confirmation is better. The question should be: what evidence would change the registry's confidence that this requester can bind this holder for this act?

The narrow standard also respects the registry's institutional role. RIPE NCC should not decide who deserves IPv4 value, who should win a corporate dispute, or whether a business restructuring is wise. It should decide whether the registry can recognise a requested change without undermining the accuracy, security and lawful operation of the resource registry. That is a powerful role, but a bounded one.

What resource holders should internalise

Resource holders often notice authority verification only when a crisis has already arrived. That is too late. The cheaper strategy is to reduce ambiguity in advance. A holder should maintain current portal roles, remove departed staff, enable strong authentication, document who can approve transfers or major registry changes, keep company records aligned with registry records, and ensure that sponsoring-LIR relationships are not dependent on one unreachable person.

This is not mere administrative neatness. It is insurance. A company that treats registry access as a shared engineering password may find that, during a sale or dispute, nobody can prove who is authorised. A parent company that never aligns subsidiary records may discover that group-level authority is not enough. A small operator that relies entirely on a consultant may find itself unable to recover resources if the consultant disappears. An End User that never reviews its sponsoring arrangement may find a change slow just when operational continuity matters most.

Boards and finance teams should also understand that IPv4-related registry status can affect transaction value. A purchase agreement for a network should identify Internet number resources, registry holder names, sponsoring relationships, portal access, RPKI control, transfer restrictions and signatory authority. Escrow conditions should account for registry timing. Insolvency planning should treat resource registrations as operational assets requiring continuity, not as a back-office detail.

For small holders, the practical advice is even simpler: make authority legible before it is contested. Keep a current company extract or equivalent. Record who can speak to the registry. Make sure more than one appropriate person understands portal access. Avoid leaving credentials with a contractor alone. If sponsorship is used, ensure the agreement and contact paths are clear. Where a founder or individual holder is involved, succession planning matters. Registry ambiguity after death or incapacity is costly and preventable.

For sponsoring LIRs, the lesson is to document instruction. When acting for an End User, especially on material changes, the LIR should be able to show that it is following the End User's current authorised direction. This protects the End User, the LIR and the registry. It also reduces the chance that a commercial dispute over unpaid fees, service termination or migration becomes disguised as an authority dispute.

For buyers and sellers, the lesson is to treat identity verification as part of deal execution. Do not assume that a signed commercial agreement is enough if the signatory's registry authority is unclear. Do not assume that portal access is enough if legal capacity is missing. Build a closing checklist that connects legal authority, registry holder name, transfer restrictions, sanctions screening, invoices, sponsorship and operational control. The cost of doing this early is smaller than the cost of discovering the gap at closing.

These private preparations cannot replace registry standards. They reduce the probability that the registry must exercise hard discretion under pressure. The best authority verification is often the one made boring by prior hygiene.

The bookkeeper's settlement

The best settlement is modest. RIPE NCC should verify identity and authority when a registry act requires it. It should do so because false recognition can damage holders, customers, markets and the registry itself. But verification should remain tied to the registry act. The ledger needs a bookkeeper, not a sovereign.

That settlement has practical consequences. For routine updates, authenticated operational channels should usually suffice. For material acts, the registry should identify the current holder, the requester, the role, the authority source and the requested act. For high-value transfers, restructurings, insolvency cases, sponsorship changes, voluntary transfer locks and contested account recovery, it should require stronger proof. For unclear but urgent operational cases, it should consider limited continuity measures. For rival plausible claims, it should preserve the registry from capture and require external clarity. For sanctions constraints, it should state the legal or procedural issue as clearly as confidentiality allows.

This approach also changes how friction is judged. The question is not whether a user finds verification annoying. Of course they do. The question is whether the friction buys a decision-relevant reduction in risk. If a document demand does not improve confidence about who may bind the holder, it is a tax on liquidity and continuity. If an identity check prevents a stale contact from transferring scarce resources, it is a public-registry safeguard. Same friction, different value.

The economics are therefore not anti-verification. They are anti-indiscriminate verification. Identity checks are justified where the registry's act would recognise authority, change control, enable transfer, affect sanctions exposure, restore accounts, or alter operational continuity. They are less justified where they merely make the registry feel safer without changing the decision. Proportionality is not softness. It is precision.

For RIPE NCC, this is a governance challenge likely to grow. IPv4 scarcity is not disappearing. Corporate structures are not becoming simpler. Sanctions and compliance screens are not receding. Small operators will continue to change hands, fail, recover, merge and rely on sponsors. Account control will remain both an operational necessity and an attack surface. The registry will keep receiving cases where the network works, the file is nearly complete, and the person pressing submit is the unresolved risk.

The durable answer is a narrow authority discipline: explain what act is being recognised; verify who can bind the holder for that act; protect confidential evidence; preserve operational continuity where possible; give reasons; and avoid converting registry recognition into general corporate sovereignty. That is the economics of identity-verification friction. It is the cost of keeping the ledger useful without letting the bookkeeper own the market.