[registrars] Transfers discussion

["Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>]

Hello Tim,

> 
> The key is not an auth code. It is only provided after the 
> losing registrar has confirmed with the registrant. The 
> gaining registrar does not need to confirm because a valid 
> key (matches the registry) is evidence of the confirmation. 
> So in this case it IS authorization.

That sounds like authority to transfer away from the losing registrar,
rather than authority to transfer to another registrar.  To transfer to
a gaining registrar implies acceptance of the gaining registrars terms
and conditions.




> 
> That's a pretty big IF Bruce. Losing registrars are never 
> going to completely trust gaining registrars, they're 
> competitors. And in some cases local law may not even allow them to. 

Sure - but the converse also applies - ie gaining registrars won't trust
losing registrars.
This is the heart of the transfer problem - there is a lack of trust
between the three entities
(registrant, gaining registrar, losing registrar).

> 
> When there's an unauthorized transfer the damage is done long 
> before it gets back to where it belongs. I'm still convinced 
> that the losing registrar is in the best position to 
> accurately confirm, reducing disputes and reversals.
> 

In many cases the registrant is leaving the losing registrar because
they are unhappy with the service provided.  You model assumes a trusted
relationship between the registrant and the losing registrar - this is
often not the case.

The new transfers policy assumes a trusted relationship between the
registrant and the gaining registrar - this is normally the case when a
customer chooses a different supplier.



> With the current process you have difficult enforcement and 
> dispute resolution issues on both ends of the process. With 
> the key system it is focused on the losing registrar.

Surely the enforcement and dispute resolution issues are similar?


> 
> I was considering that, and it will still be faster in the 
> majority of the cases. Right now querying registrars' whois, 
> parsing out the admin contact, dealing with parse errors, 
> rotating formats, out of date data, etc. is not an efficient 
> process. Just getting to the point of being able to actually 
> submit the transfer request takes days and often even weeks.

Agreed.  Although this is a problem with WHOIS rather than the transfer
process.

Incidently there is nothing stopping the following scenario in the
existing EPP protocol.
(1) Registrar periodically could generate a different auth-code (e.g
daily, weekly, monthly, yearly etc)
(2) Registrant could retrieve auth-code at the time they need to use it
- with a time-to-live value

Basically I would be OK with your model IF the auth-code can be
automatically retrieved, without interference from the losing registrar.


> The problem with a losing registrar being slow to respond to 
> a key request is an enforcement issue that is at least as 
> addressable as the gaining registrar getting proper confirmation.

Agreed.  I think the problems are roughly equivalent.



> 
> Interesting spin, but what we're really talking about is the 
> safe and secure transfer of a service that is often 
> associated with an entity's livelihood.

Agreed.  The key in either model is enforcement.


Regards,
Bruce