[registrars] Underlying principles that should drive decisions on the transfer issue

[Bruce Tonkin <Bruce.Tonkin@melbourneit.com.au>]

Hello All,

As part of developing policies relating to the transfer issue, I believe we
need to start with the core principles from a consumer perspective.  

The following is a discussion that may be used as a background at the start
of a policy document.

Regards,
Bruce Tonkin


Policy objectives related to the Transfer issue
===============================================

The fundamental objectives of domain name policies that relate to consumers
are:
* user choice
* quality of service
* lowest cost

User choice relates to the ability of a user to choose an organisation to
provide domain name services.  A user may choose an organization that is not
an accredited registrar.  In this case the organization must use the
services of an accredited registrar to communicate with the registry.  The
organisation should also be able to choose between registrars.

Under section 3.7.7 of the ICANN accreditation agreement with registrars,
the registrar must enter into a direct agreement with the domain name
registrant.  The purpose of this agreement is to require registrants to
provide accurate information for storage at the registrar and registry for
public disclosure, and maintain the accuracy of this information, and to
require registrars to state how any personal data about individuals
identified in this information must be handled.   

At present the inaccuracy of information maintained in the registrar
databases is making it difficult for third parties to contact the
"authorized contact" of the registrant.  There is a need to improve the
processes for maintaining the accuracy of this information (for example -
requiring that the information be validated every 6 months, and requiring
registrars to validate the email addresses at time of registration).  While
the current agreements require registrants to maintain their information or
their name maybe cancelled, there is no commercial incentive for either the
registry or registrars to enforce this provision.  It may be necessary for
an independent party to randomly audit information maintained in the
database of registrars with the power to require the registry to suspend the
use of the domain name until the information is corrected.

A user should be able to change the organisation that provides domain name
services.  An organisation that provides domain name sales to registrants,
should also be able to change the registrar it uses to provide domain name
management services.  This is critical to ensure that competition can occur
based on quality of service and cost, and that users can take full advantage
of this competition.  The process for doing this is documented in Exhibit B
of the Registry/Registry agreement.  In this agreement, it is up to the
gaining registrar to obtain approval for the transfer from the domain name
registrant.  The intent of this provision is to make it easy for a user to
change registrars, as the gaining registrar has an incentive to streamline
the procedure.  A losing registrar may deny a transfer under certain
conditions.   The methods and supporting documentation for a gaining
registrar obtaining authorisation from a domain name registrant require
further clarification.  The conditions under which a losing registrar can
deny a transfer also require further clarification.  The losing registrar
should be able to question the form of authorisation, and if there is a
dispute this should be handled under a dispute resolution procedure.  In the
interests of efficiency and minimal confusion for the domain name
registrant, the losing registrar should not duplicate the processes used by
the gaining registrar to obtain authorisation.

The quality of service for a domain name registrant covers issues such as
the reliability of the domain name servers associated with the domain name,
the ability to easily change the nameserver information as well as update
the contact details associated with the domain name, and protection from
unauthorised changes to the information at the registry or registrar.
Domain name registrants are particularly sensitive to changes in information
related to the nameservers (to avoid potential of the domain name being used
to identify the wrong resource on the Internet), and changes in information
relating to the "owner" of the domain name (to avoid domain name
"hijacking").  There appears to be a significant security vulnerability in
the current procedures, where a person could fraudulently authorize a
registrar to transfer a domain name, and then request the new registrar to
make critical changes to information at both the registry and regitars (ie
hijack the domain name).  There is no evidence of this occuring as yet.
Unfortunately procedures that are optimised to prevent unauthorised changes,
can also make it difficult to make authorised changes.  The complexity of
the procedures can also have a direct impact on the cost of the service.
Generally procedures that can be fully automated electronically are far
cheaper than those that require human intervention (e.g to manually check a
written signature on an authorisation document).  However sophisticated
electronic procedures can also act as a barrier to entry to the market for
both registrants and registrars.

The objective to achieve lowest cost has so far been achieved with the
current domain name procedures by choosing procedures that are fully
automatable.  Any changes to procedures that may provide a higher level of
protection against unauthorised changes at the expense of ease of domain
name management should be at the choice of the user.  For example a user may
choose to pay a higher domain name fee that will incorporate manual
procedures.  From a competition point of view, it is important that existing
registrars with large market share cannot impose procedures on their
registrants that restrict the ability of the domain name registrant to
change registrars.  

Criteria for judging proposed updates to the transfer procedures
===============================================================

It is important to agree on a set of criteria to evaluate the various
proposals that have been submitted by registrars.  

* Ease by which a domain name registrant can change registrars
* Minimum cost of the process for authorising transfers
* Protection against unauthorised change to domain name data in the Registry
(either   sponsoring registrar or nameserver information)
* Protection against unauthorised change to domain name data in the
Registrar (especially domain name "ownership" information)
* Ease by which the accuracy of information in the registry and registrars
can be maintained
* Ease by which information in the registry and registrars can be maintained
* Cost of the process for authorising updates to information in the registry
and registrars