RE: [registrars] unsanctioned whois concepts (long)

["Tim Ruiz" <tim@xxxxxxxxxxx>]

Joyce/Chris, I deliberately called it a key instead of an auth code so
as not confuse what I'm suggesting with the current EPP auth code
paradigm because there is a difference in how I envision the key
working.

A registrant goes to their current registrar and requests a transfer
key. The registrar verifies that they are indeed dealing with the
registrant or admin of the domain. If so, they provide a unique key to
the registrant AND notify the registry. The registry flags the domain as
pending transfer and stores the key and replies it was successful or not
successful (on hold, RGP, etc.).

The registrant then goes to the registrar of their choice and submits
the transfer and key. The gaining registrar submits the request and key
to the registry, if it matches the registry responds with success and
the domain is immediately moved to the new registrar and the gaining
registrar is notified.

Rick, there is of course still potential for fraud as there is now and
there would no doubt need to be dispute resolution procedures as there
are now, but likely much less complicated. Same with enforcement, just a
different focus. What prevents bad actors from not confirming
appropriately, or good actors making a mistake. There will enforcement
and dispute issues regardless, but I believe this process would minimize
them drastically.

A few other notes:

It's possible that the registries may prefer to provide the key. The
losing registrar just submits the request and if successful the registry
returns the key.

The reason I prefer a dynamically generated key over an auth code is for
security. Static long terms codes can more easily become known. A
dynamic one use key is more secure and could be expired in say 14 days
or something.

As far as getting the whois data, it would be possible to continue
getting it the way are now and we'd still be ahead of the game with this
process. But I don't think it's necessary because with this system why
would care if the whois data changes to some extent during the transfer.
The domain name stays same, the losing registrar is required to maintain
their records for years, if a dispute ends up reversing the name then it
just goes back to the losing registrar with the old whois data. And now
that transfers will soon only occur once every 60 days it gives a lot
more time to resolve issues.

Tim


-----Original Message-----
From: owner-registrars@xxxxxxxxxxxxxx
[mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Rick Wesson
Sent: Thursday, October 30, 2003 2:22 PM
To: Tim Ruiz
Cc: markjr@xxxxxxxxxxx; registrars@xxxxxxxx
Subject: Re: [registrars] unsanctioned whois concepts (long)


Tim,

some questions for you about your proposal:
   how does the gaing registrar validate the key?

   who takes responsibility for fraud? how is this expressed in the
contracts?

   in thin registry how does the gaining registrar obtain the registrant
information?

   what prevents bad actors from not giving out a "key"


thanks,

-rick


On Thu, 30 Oct 2003 13:17:01 -0600
"Tim Ruiz" <tim@xxxxxxxxxxx> wrote:

> Rick,
> 
> Not sure I agree entirely with Mark's ideas either. But in regards to
> transfers, it is only a problem as long we continue to assume that the
> only way for transfers to work is to have them start with the gaining
> registrar. There is a better solution to transfers that would not rely
> on whois at all and would drastically reduce the potential for
disputes
> and fraud. Have them start with the losing registrar who provides a
key
> to the registrant and the registry upon request (the losing registrar
> has most accurate info to determine if it is a legitimate request) and
> the registrant can take that key to the registrar of their choice and
> complete a transfer in seconds.
> 
> Tim
> 
> 
> -----Original Message-----
> From: owner-registrars@xxxxxxxxxxxxxx
> [mailto:owner-registrars@xxxxxxxxxxxxxx] On Behalf Of Rick Wesson
> Sent: Thursday, October 30, 2003 11:23 AM
> To: Mark Jeftovic
> Cc: registrars@xxxxxxxx
> Subject: Re: [registrars] unsanctioned whois concepts (long)
> 
> On Thu, 30 Oct 2003 11:59:41 -0500 (EST)
> Mark Jeftovic <markjr@xxxxxxxxxxx> wrote:
> 
> 
> > My ideas essentially break down to:
> > 
> > - De-centralize the location of the records.
> 
> significantly increases complexity of transfers. not every domain rusn
a
> web site and your proposal would require every domain to have an A
> record and answer on port 80 to specific http requests.
> 
> I would ( and i expect many others in the IETF ) would not recomend
> such.
> 
> > - Revising the Data Elements attached to those record
> 
> things like "proposed use" lead to enforcement; we don't want to
> encourage any type of content enforcement.
> 
> do you have an ideas on inter-registrar data transfer as transfers
> require?
> 
> -rick
> 
>