<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [registrars] SIMPLE QUESTIONS
Michael,
I too am working on a policy proposal - I really don't have the time this
minute to go through your questions line by line and give you substantive
asnwers.If I have some spare time later today, I will, but it might have to
wait until Monday.
> With regard to your question. Yes, I agree that legitimate registrants
don't
> engage in fraudulent transactions. However, the high credit card charge
> backs that plague this industry seems to suggest to me that there are more
> than just a small handful of bad guys. I would further submit that this
> fraud is not limited to just initial registrations, but that it occurs at
> the time of expiration/renewal/transfer
But that's precisely my point. Your chargeback problem is not my chargeback
problem. My registrants should be affected because of the issues that
someone else is struggling with. Given that chargebacks can occur at any
time in the future, any limitations on portability are, at best, band-aid
solutions. At worst, one more irrelevant policy that my support people will
have to explain to my resellers and registrants..
----- Original Message -----
From: "Michael D. Palage" <michael@palage.com>
To: "Ross Wm. Rader" <ross@tucows.com>; <tim@godaddy.com>
Cc: <registrars@dnso.org>; <cgomes@verisign.com>
Sent: Saturday, November 30, 2002 4:45 PM
Subject: RE: [registrars] SIMPLE QUESTIONS
> Ross,
>
> I am trying to engage in a constructive discuss for the benefit of the
> members on this list. Believe it or not we are both striving for the same
> end result. This will be my last post in this exchange as I am trying to
> finish up my .US Intra-Registrar Transfer Proposal before the next .US
> Policy Council call on Dec. 10th. I will be forwarded a copy of this
> proposal to the list which makes almost exclusive use of the EPP Auth Code
> to eliminate the current problems we experience.
>
> Getting back to our original exchange. Could you PLEASE just answer my
> questions, particularly Questions #3 & #4.
>
>.
>
> Best regards,
>
> Mike
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: Ross Wm. Rader [mailto:ross@tucows.com]
> Sent: Saturday, November 30, 2002 4:06 PM
> To: Michael D. Palage; tim@godaddy.com
> Cc: registrars@dnso.org; cgomes@verisign.com
> Subject: Re: [registrars] SIMPLE QUESTIONS
>
>
> Michael,
>
> My problem with your proposal is very simple.
>
> Legitimate registrants don't engage in fraudulent exercises.
>
> Where a transfer has occurred, there is a presumption that a) payment for
> the first year has already occurred and b) the identity of the registrant
> has been verified as the result of the transfer process. Your proposal
> assumes that there are a large number of scammers that make it past these
> built-in filters and get to the stage where they are able to bounce around
> the system and launder their domain names. I submit that this is a bad
basis
> upon which to make a decision and that we should look at the real root of
> the problem, not a symptom.
>
> How the scammer got their hands on the domain name in the first place is a
> much more interesting question. Someone got hacked you say? Someone else
is
> allowing record updates via unverified faxes? Wouldn't it make more sense
> for these registrars to get their act together and deploy systems that
don't
> make it this convenient for the scammers? Why should my business practices
> and customers be impacted because another registrar doesn't have the
> technical sophistication to understand that a fax machine is inherently
> insecure.
>
> That's the problem that I have with your proposal - it makes the majority
> modify their practices because of the bad practices of the minority.
>
> -rwr
>
> ----- Original Message -----
> From: "Michael D. Palage" <michael@palage.com>
> To: "Ross Wm. Rader" <ross@tucows.com>; <tim@godaddy.com>
> Cc: <registrars@dnso.org>; <cgomes@verisign.com>
> Sent: Saturday, November 30, 2002 3:27 PM
> Subject: [registrars] SIMPLE QUESTIONS
>
>
> > Ross,
> >
> > Please just answer these questions with regard to my original proposal,
to
> > help me understand why TUCOWS opposes my original question.
> >
> > Question #1: The 60 day lock down period that is currently mandated by
> > policy into the registration agreement exists to provide a registrar a
> > safety mechanism to guarantee payment. YES [ ] or No [ ]
> >
> > Question #2: When transferring a domain name, registrars incur a
registry
> > fee for the additional year that is added to the registration term in
> > connection with the transfer. YES [ ] or NO [ ]
> >
> > Question #3: What is the difference between an initial registration that
> > remains locked for 60 days and a transfer that includes at a minimum a
one
> > year term extension from a Registrar's standpoint of wanting to
guarantee
> > payment prior to allowing a domain name to be transferred out.
> >
> > Question #4: Why not seek to abolish the initial 60 lock down window and
> > allow for maximum domain name portability?
> >
> > Question #5: Is it not in both the registrars and registrant's best
> interest
> > to allow a registrar to contact a new customer and inform them of the
> > services that they have to offer and explain some of the difficulties
that
> > may have been encountered in the transfer process?
> >
> >
> > Personal Comment: Domain name portability is one of the fundamental
> building
> > blocks of the competitive domain name industry. In connection with
domain
> > name portability registrars will experience churn. However, advocating a
> > system that potentially allows a domain name registrant to transfer a
> domain
> > name 5 times within one week does not seem to be benefiting registrars.
I
> am
> > glad that TUCOWS' database does not reveal this problem. All my original
> > proposal/question stated was that registrar should be permitted to
impose
> > this additional safeguard if they choose.
> >
> > Would you be able to share with us if TUCOWS has ever had to
reverse(undo)
> > an improper transfer into TUCOWS OpenSRS system. In the case where you
may
> > have had to undo the transfer, did the fact that the domain name was
still
> > with TUCOWS simply matters. Would it have not been increasingly
difficult
> if
> > the domain name was with a different registrar?
> >
> > You ASSUMED in your post that I called for a 60 day lock down period.
> > However, if you read my post carefully you will see that I explicitly
> stated
> > "I am not stating that the cool-down period be 60 days."
> >
> > Mike
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: Ross Wm. Rader [mailto:ross@tucows.com]
> > Sent: Saturday, November 30, 2002 2:12 PM
> > To: Michael D. Palage; tim@godaddy.com
> > Cc: registrars@dnso.org; cgomes@verisign.com
> > Subject: Re: [registrars] Transfer Misc Question
> >
> >
> > Michael,
> >
> > I'm not sure which message you were reading, but your response includes
> > several inaccuracies. Perhaps this is the miscommunication that you are
> > referring to.
> >
> > 1. I continue to speak on behalf of Tucows unless otherwise noted. I
don't
> > believe that this is causing anyone but you confusion.
> > 2. No where did I dismiss the concern as "theoretical", I stated that
> > "theoretical or limited exceptions are fine" but that they tend not to
> add
> > value to the discussion or solve real business problems.
> > 3. The data that I was looking for was where duly identified registrants
> > that had transferred a domain name to a new registrar chargebacked on
> their
> > request. I did not ask Tim nor you to provide me with "instances in
which
> > the proposed mechanism would safeguard registrar and registrants
> interests."
> > 4. Asking Dan the questions you propose don't give me the answers that I
> > asked you for in #3. Besides, real registrars ask their sales, customer
> > service and finance people to quantify registrant issues for them - not
> > ICANN. A scan of our ticketing system and datamart doesn't support the
> basis
> > of fact that you put forward in support of your proposal for the reasons
I
> > identified in my initial message.
> > 5. Your proposal requires domain names to be locked 1/6 of the time. The
> > impact to registrants is clear: decreased portability. The impact to
> > Registries is obvious: decreased revenue from decreased churn. The
impact
> to
> > Registrars is dire: increased costs and decreased revenues.
> > 6. I'll leave the rest of your comments untouched for the reasons I
> > mentioned privately. If they were actually important please re-ask them
> and
> > I'll be happy to clarify. I assure you, my motives remain transparent
and
> my
> > intentions are clear.
> >
> > -rwr
> >
> > ----- Original Message -----
> > From: "Michael D. Palage" <michael@palage.com>
> > To: "Ross Wm. Rader" <ross@tucows.com>; <tim@godaddy.com>
> > Cc: <registrars@dnso.org>; <cgomes@verisign.com>
> > Sent: Saturday, November 30, 2002 1:28 PM
> > Subject: RE: [registrars] Transfer Misc Question
> >
> >
> > > Ross,
> > >
> > > If GoDaddy has a business concern, and one which I have heard from
other
> > > registrars then I do not believe as the Task Force representative of
> this
> > > constituency use should unilaterally dismiss these concerns as
> > > "theoretical."
> > >
> > > I know of at least one instance in which a registrar's system was
hacked
> > and
> > > transfers initiated, and laundered in the manner which I described.
For
> > > obvious reasons this registrar would prefer not to have these facts
> > recited
> > > publicly. GoDaddy seems to indicate that it also has seen similar
> > > questionable activity.
> > >
> > > What I do not understand is why would you prohibit registrars from
> > > voluntarily imposing a security safeguard to minimize fraud and
protect
> > > domain name registrants. This is really no different than the
redemption
> > > grace period designed to protect the interests of individuals and
> > > businesses. You have asked Tim and I to give you instances in which
the
> > > proposed mechanism would safeguard registrar and registrants
interests.
> I
> > > think we have and would suggest you contact Dan Halloran as he could
> give
> > > you some additional feedback as he has been involved in a number of
> these
> > > instances.
> > >
> > > In turn, I would ask you to provide me a situation in which a
> > > registrar/registrant would be penalized by asking that registrant to
> stay
> > > with a registrar for a brief period of time AFTER transferring his/her
> > > domain name. Again under the current policy, that registrant MUST stay
> > with
> > > a registrar for 60 days after registration. I am not stating that the
> > > cool-down period be 60 days but allowing a registrant to transfer in
and
> > > transfer out with a matter of hours should raise questions about the
> > > intention of the registrant, or the circumstances surrounding that
> > > transaction.
> > >
> > > Since you oppose what Tim and I deem as fairly reasonable proposal as
> > > "further limiting the rights of registrants and registrars in such an
> > > aggressive fashion", then does TUCOWS oppose the original 60 day lock
> down
> > > period as similarly onerous? Why did TUCOWS not seek to eliminate that
> > > requirement from the transfer's policy as similarly interfering with
the
> > > registrars and registrant's rights in such an aggressive fashion.
> > >
> > > I think this is just crossed communication, and a misinterpretation on
> > your
> > > end that this safeguard could be used to prohibit an INITIAL transfer.
> It
> > is
> > > not, it is a safeguard mechanism that registrars would be voluntarily
> > > allowed to impose in the case of MULTIPLE registrar transfers within a
> > brief
> > > period of time.
> > >
> > > Mike
> > >
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Ross Wm. Rader [mailto:ross@tucows.com]
> > > Sent: Saturday, November 30, 2002 12:51 PM
> > > To: tim@godaddy.com; michael@palage.com
> > > Cc: registrars@dnso.org; cgomes@verisign.com
> > > Subject: Re: [registrars] Transfer Misc Question
> > >
> > >
> > > The example provided presumes that the domain name transfer wasn't
> > verified
> > > in the first place. I'm not sure that it makes a ton of sense to throw
> the
> > > baby out with the bathwater in such an aggressive fashion. If
> chargebacks
> > > really are the issue, then lets talk about that, but I suspect the
> problem
> > > being voiced is more concerned with poor authentication requirements
> under
> > > the current policy. Duly identified registrants that actually exist
are
> > not
> > > likely to stop payment (its not inconceivable, but I submit that we
are
> > > dealing with exceptions, not rules at that point.) I'd like to see
some
> > data
> > > that supports the conclusion that this is a widespread issue.
> > >
> > > I don't agree with further limiting the rights of registrants and
> > registrars
> > > in such an aggressive fashion in order to deal with what I would
> > > characterize extremely limited instances of fraud.
> > >
> > > Theoretical or limited exceptions are fine but they don't provide
value
> to
> > > the discussion or help those of us that have a real business to run.
> > >
> > > -rwr
> > >
> > > ----- Original Message -----
> > > From: "Tim Ruiz" <tim@godaddy.com>
> > > To: <michael@palage.com>
> > > Cc: <registrars@dnso.org>; <cgomes@verisign.com>
> > > Sent: Saturday, November 30, 2002 12:09 PM
> > > Subject: Re: [registrars] Transfer Misc Question
> > >
> > >
> > > > Go Daddy supports this idea. We've seen the exact fraud scenario you
> > refer
> > > > to first.
> > > >
> > > > Tim
> > > >
> > > > -------- Original Message --------
> > > > Subject: [registrars] Transfer Misc Question
> > > > From: "Michael D. Palage" <michael@palage.com>
> > > > Date: Sat, November 30, 2002 9:40 am
> > > > To: <registrars@dnso.org>
> > > >
> > > > Under the current policy a domain name is locked for 60 days
after
> > > > registration to allow the registrar to secure payment. However,
> there
> > > > is no similar provision in the case of transfers. In more than
one
> > > > instance involving domain name hijacking/theft, I have seen a
> domain
> > > > name get transferred through multiple registrars then deleted and
> > > > re-registered in an attempt to launder a domain name within a
> couple
> > > > of days. Why under the proposed policy is it not permissible for
a
> > > > registrar to lock a domain name on transfer since there is a
> payment
> > > > which the registrar must verify for the one additional year that
> the
> > > > gaining registrar is billed by the registry. In addition, by
> locking
> > > > down a domain name after transfer it would limit the ability of
bad
> > > > guys to launder domain names through multiple registrars.
> > > >
> > > > I believe that several registrars have implemented a similar
policy
> > to
> > > > cut down on fraud, and I was wondering why this mechanism not be
> > > > incorporated into the transfer policy, at least on a voluntary
> basis.
> > > > I am not requesting that registries modify their software to
> > > > incorporate this safeguard. However, I believe registrars should
> not
> > > > be prohibited from incorporating this safeguard voluntarily.
> > > >
> > > > Although this scenario at first blush might possibly qualify
under
> > the
> > > > fraud and payment exception of Point 16, in the case of domain
name
> > > > theft/hi-jacking the domain name is generally in and out of a
> > > > registrar's system within a day or two. This brief period of time
> is
> > > > not adequate enough for a registrar to identify a possible
problem
> > and
> > > > halt the transfer. What I am basically proposing is that
registrars
> > be
> > > > permitted to incorporate a "cool down" period after a transfer to
> > > > guarantee payment and ensure that there is no fraud.
> > > >
> > > > One would have to admit that if it reasonable for a domain name
> > > > registrant to stick with one registrar for 60 days after
> registering
> > a
> > > > domain name, it is not unreasonable to ask that registrant to
stick
> > > > with a domain name registrar for brief period of time to identify
> any
> > > > potential illegal activity. Moreover, would people not find it
> highly
> > > > irregular for a domain name registrant wanting to transfer-out
> after
> > > > just transferring in. Obviously this voluntary policy would not
> > > > prohibit registrars from remedying transfers that were made in
> error
> > > > or illegally. In fact this transfer's cool down period is design
to
> > > > make such remedial actions much more easier as the number of
> > > > registrars involved in limited to two.
> > > >
> > > > Any thoughts?
> > > >
> > > > Mike
> > > >
> > > >
> > > >
> > >
> >
>
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|