[ga] Alternate unlocking or authcode retrieval system might make domain hijacking easier

[George Kirikos <gkirikos@xxxxxxxxx>]

Hello,

As a result of the RegisterFly.com debacle, ICANN is considering make
changes to the RAA. See:

http://blog.icann.org/?p=65

If one is able to unlock a domain name or get the authcodes at a venue
independent of the registrar, that 2nd venue would become a target for
domain name hijackers. The security of domain transfers would thus
become the MINIMUM of the registrar's system and the registry/ICANN's
systems. The security practices of good registrars would be bypassed by
hijackers instead using that 2nd venue.

ICANN or the registry operators could become liable for the damages
that ensue should a domain name be hijacked (e.g. a valuable domain
name like Google.com, Yahoo.com or eBay.com hijacked even for a short
time can cause millions of dollars worth of damage) due to insecure
systems or identity theft.

While one empathizes with registrants of RegisterFly, one should not
weaken the security of clients of other registrars by creating a new
means to hijack domains. At a minimum, if such a parallel system
existed, it should only be enabled when there is compelling evidence
that many registrants are unable to unlock their domains or obtain
authcodes. Of course, if that evidence did exist, the registrar would
be in violation of the Transfers Policy, and ICANN could take separate
action.

In conclusion, ICANN should be careful not to weaken the overall
security of domains, just because one registrar screwed up things for
their customers. Ideally, those screwups would have been more
transparent to the public, giving them more data to make an informed
choice of who to trust as a registrar.

Sincerely,

George Kirikos
http://www.kirikos.com/