RE: [nc-transfer] EPP Authorization Information and Domain Transfers
While I welcome Scott's contribution, I believe that how the protocol was
originally designed has been overtaken with the political realities of the
Registry/Registrar relationship. For example, I am not sure there are many
registrars that would support the idea of the Registry directly
communicating with the Registrant. In addition, the contractual realities
would not protect the registries from fraudulent transfers especially
because there is no legal relationship.
That being said, we should listen to Scott, but then I would like a chance
to explain to the group why the "pure" EPP may not work in reality.
From: Cade,Marilyn S - LGA [mailto:firstname.lastname@example.org]
Sent: Wednesday, October 30, 2002 3:53 AM
To: Hollenbeck, Scott; email@example.com
Subject: RE: [nc-transfer] EPP Authorization Information and Domain
Scott, I welcome this submission.
I think this is worth further discussion. I don't know if you envision
co-existence of the two? However, I wonder whether also, some registrants
might comment on whether registrant management has limitations due to the
reality that many registrants are extremely ... could I suggest, forgetful?
I don't know enough at this point about what you are envisioning and believe
some further dialogue with the TF will be helpful to us. I've asked Ross
Rader if he can coordinate with you toward such a dialogue.
From: Hollenbeck, Scott [mailto:firstname.lastname@example.org]
Sent: Tuesday, October 29, 2002 4:16 AM
Subject: [nc-transfer] EPP Authorization Information and Domain
During today's transfer task force presentation in Shanghai I noted the
description of EPP authorization information (called "authorization codes"
during the presentation) with interest. As the author of EPP I'd like to
suggest an alternative to the method of sharing authorization information
with registrants as described during the presentation  and as currently
practiced by some registrars:
When I originally envisioned the authorization information concept, I
believed it would be most useful if a registrant provided the registrar with
their desired authorization information as part of the process of managing
the registration of a domain name. That is, when a name is registered the
authorization information (typically a password) would be provided by the
registrant as part of the registration process and passed through the
registrar to the registry. If forgotten, the authorization information
could be retrieved for the registrant from the registry through the
registrar. The registrant would thus possess the authorization information
at all times, and nothing would need to be collected from the registrar to
facilitate a transfer.
EPP does not require a registrar to solicit authorization information from a
registrant, nor does it require the registrar to create authorization
information for registrants to be returned when requested. The specific
method of generating authorization information is a matter of registry and
registrar business practice, with the protocol being flexible enough to
support different business practices.
Anyway, to cut to the chase I'd like to simply suggest that the task force
consider that there is at least one other way to use authorization
information to facilitate domain name transfers. Registrar management of
authorization information is one option. Registrant management of
authorization information is another.
VeriSign Global Registry Services
"Registrars must provide Registrants with authorization codes (where
applicable) within 72 hours."