RE: [registrars] Fourth draft of transfer form for LOSING registrars

["Siegfried Langenbach" <svl@xxxxxxx>]

Dear Bruce,

On 16 Oct 2003 at 11:10, Bruce Tonkin wrote:

Subject:        	RE: [registrars] Fourth draft of transfer form for LOSING registrars
Date sent:      	Thu, 16 Oct 2003 11:10:45 +1000
From:           	"Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
To:             	<svl@xxxxxxx>
Copies to:      	<registrars@xxxxxxxx>

> 
> Hello Siegfried,
> 
> > 
> > I want to repeat something I already said in Rio:
> > 
> > according to german law (and I guess some other EU-law also) I 
> > have a problem to ACK a outgoing transfer without explicit answer 
> > of the registrant (the law is assuming consumer protection).
> > 
> > If ICANN accepts the regulation in which no answer from the 
> > customer is treated as a YES, I will have to ask the german court for 
> > a decision (in germany the loosing party pays all the court and 
> > lawyer fees).
> 
> I have never really understood this as I don't know German law.
> 
> My understanding is that the policy requires a positive acknowledgement
> from the registrant before a transfer is initiated.  This is the role of
> the gaining registrar, and if a gaining registrar takes such action
> without authority it would presumably be subject to German law.

As explained in my previous mail : I will be liable, not the gaining 
registrar.

Yes, in turn I can start and go to a court in US afterwards, something I 
would prefer to avoid.
For your information: one of the big differences between US and 
german law is that in germany the losing party pays all the fees.
In addition to pay the fee for court and laywers for the wrong transfer I 
will have then to pay US-lawyers....to get what ?


siegfried


> 
> A losing registrar has the right to rely on the gaining registrar having
> received a positive acknowledgement.

I do not think that this assumption will stand before any court.

> 
> In addition a losing registrar can audit the process by sending its own
> message to the registrant.  If a gaining registrar is found at fault
> consistently this should be grounds for ICANN to remove their
> accreditation.
> 
> The model relies on enforcement of the behaviour of the gaining
> registrar.
> 
> 
> > 
> > I have to do this as a self-protection act.
> 
> It would be great if you posted such a decision from a German court so
> that we may all learn.
> 
> 
> > I still wonder why a better working process (auth_code) is not 
> > used...
> 
> Actually auth_code is part of the new transfers policy.
> 
> The auth-code as used in the EPP protocol is a method for
> "authenticating" the identity of the registrant.  This is separate from
> obtaining authorisation for a particular action.  The transfer process
> incorporates using the auth-code as a security mechanism to authenticate
> the registrant.  The standard transfer forms are then used to ensure
> that the registrant has "authorised" a transfer.
> 
> As you have described German law, I would assume that just being able to
> authenticate the registrant was not sufficient prove of obtaining
> authority.
> 
> Now there are other security mechanisms you can use to strengthen the
> process further.
> 
> For example if you used PKI encryption, you could store the public key
> in the central registry.  A registrant could use their private key to
> "sign" a transfer authorisation message, and you could store this
> authorisation as evidence that the registrant authorised the
> transaction.
> 
> 
> Regards,
> Bruce Tonkin