Re: [registrars] Proliferation of registrar locks

["Marcus Faure" <faure@xxxxxxxxxxx>]

Hi Ross and all,

> People have continuously claimed that auth-tokens were the solution to 
> the problem. I've never understood this. An auth-token is just like a 
> passport. When you present it to someone, it allows them to ascertain 
> what rights the bearer has and ostensibly, if the bearer is who they say 
> they are. Unto itself, it is not a mechanism to convey an authorization 
> from the bearer to the inspector. It is just an identity document. 
> Auth-tokens are precisely the same in this regard. The bearer may 
> present one and then request a certain action be taken, but a process 
> must still be followed in order to carry out the process. We still need 
> to confirm that the bearer is who they say they are, that they have the 
> authority to make the request etc.
> 
> Using auth-tokens as the solution to the transfer problem would have 
> been the worst outcome and was never a serious option. While we may have 
> been able to sort out some policies that made sense to govern .info and 
> .biz, it would have caused a nightmare in .com, .net and likely .org.
> 
> It was never a goal to use authinfos as the solution.

Well, in that case you should not like the FOA as well. An FOA is not more 
secure than the authinfo. Why? Today you have a username/pass (call it token)
to access some registrar website on which you can change your domain details.
If you have criminal energy, just use that token to alter the registrar and
admin email and have the FOA sent to yourself.
While the authinfo may not be the best solution, we have not found a better
one. 
Maybe you could explain your point ".com authinfo nightmare" a little more.


> > Goal: We wanted transfers to become easier
> > Result: We can not check authinfos before we went through the FOA process.
> >         If the FOA is successfully returned and the authinfo is incorrect,
> >         the whole process has to be restarted. 
> >         From the customer perspective, a transfer is now at least a 4-step
> >         process: unlock the domain, initiate the transfer, reply to FOA on
> >                  gaining side, reply to FOA on losing side
> 
> 
> I'm not sure I understand this. The registrant has no obligation to 
> respond to a losing FOA. 

Right, if you can spend another 5 days, you can skip step 4.

> It is problematic that you cannot retrieve an 
> authinfo on a locked domain if what you are saying is correct...

That is not difficult to prove. Just look into an NSI account and search for
"authinfo". You will not find it.

> > So where is the advantage?
> 
> Enhanced repudiation and remediation processes, centralized enforcement 
> framework, clear processes, standardized processes...

Enforcement is a good thing, at least on paper. However, the whole number
of "side issues" makes this worthless. If our effort was to improve the 
registrar's position in a legal proceding/dispute, then November 12 was a
good day. But this was not my intention and I think it is also not the spirit
of the new policy. We wanted to have smaller transfer departments in our
companies. We will not have that, we will get the contrary.
If the policy gives us more security, why have all registrars locked their 
domains? Even those registars who have not yet put their domains on lock
will do so soon because the market will drive them to. Is that what the
transfer policy intended?

Marcus