<<<
Chronological Index
>>> <<<
Thread Index
>>>
RE: [registrars] .US Transfer Proposal
Hello Mike,
>
> I agree that providing an Auth Code alone is not enough and
> that is why it
> must be produced by either the Registrant or the Admin Contact.
>
> I believe my proposal was a two step process.
>
> Step 1: Registrant or Admin Contact provides an auth code to gaining
> registrar;
> Step 2: Gaining registrar submits auth code to implement transfer
>
>
> Correct me if I am wrong, but I believe you are proposing a three step
> process:
>
> Step 1: Registrant or Admin Contact provides an auth code to gaining
> registrar;
> Step 2: Gaining registrar submits standardized transfer
> communication to
> Registrant and Admin Contact, requesting re-verification of
> the initial
> request.
> Step 3: Gaining registrar submits auth code to implement transfer.
That is how it is defined in the Australian policy.
>
> In any challenge, the Gaining registrar would be required to
> provide the
> documentations in Step #2.
Yes.
>
>
> My question is it possible for Step #1 and Step #2 to happen
> concurrently.
Yes.
> Specifically, could a registrant go to a gaining registrars
> web site and
> click I want to transfer my domain name. On the first screen,
> registrant
> would provide domain name, email and auth code. After
> clicking the next
> button could the second screen provide the standardized
> communication. In
> this scenario, the only documentation the gaining registrar
> would have would
> be a database entry.
That is an option.
The process used in Australia requires an email to be sent to the Registrant
contact as defined in the WHOIS. This helps ensure that the actual
Registrant is aware of the process.
However the email could still direct the registrant to a particular webpage
as part of automating the process.
In the mechanism you suggest, it is possible for a party other than the
registrant to have the code (for example a reseller) and hence agree to the
standard text. The Australian process is more secure, but I would accept
the process you suggest as well (ie better than not having standardised
text).
In the Australian environment - the EPP Registrant contact in the WHOIS must
be that of the registrant and NOT the reseller - as part of that policy
framework. Also the full WHOIS record is protected using the auth-info code
- ie a gaining registrar would need the auth-info code to get all the WHOIS
information. The public WHOIS information is heavily restricted.
Here is the relevant text from the Australian transfer policy:
"Prior to sending a transfer command to the registry, the gaining registrar
must:
a) receive a written request for transfer (see definition in paragraph
2.1) that includes a valid domain name password [=EPP auth-info code] for
the domain name;
b) use the password to retrieve the full domain name record from the
registry database [=execute an EPP info command with the auth-info code on
the domain name that retrieves the full record];
c) send a standard transfer confirmation email to the person who has
requested the
transfer and to the registrant contact listed in the database (if
different);
d) receive an affirmative response from the registrant contact"
Step (a) above is usually in response to a marketing campaign etc where the
registrant could agree to any text provided by the gaining registrar, or
even to a telesales campaign - it is subject to the usual slamming. Step
(c) is a standardised text that ensures that the registrant is fully aware
that they are agreeing to a transfer from registrar A to registrar B - it is
basically the anti-slamming step.
>
> Or are you envisioning a multi-step process. Registrant
> provides information
> via web site, fax or snail mail. Then the gaining registrar
> sends email or
> similar electronic confirmation with the details. After receiving
> email/electronic confirmation back, gaining registrar submits transfer
> request.
>
> Although I see the merits of your additional step, I only see
> this value if
> the submission and verification is a two-step process.
A two step process is actually quite common in Internet based processes.
For example to register for the ICANN conference you go to a website
(http://register.icann.org/) and submit details, then a confirmation email
is sent, which you need to respond to. Also many mailing lists are
implemented in the same way. Thus users are familiar with the paradigm.
It is not onerous and is fully automatable. Note also that the whole
process can be completed in under 1 minute - e.g go to website, get email,
respond to email.
You could actually do the whole thing using a telephone instead. e.g person
A rings gaining registrar and requests transfer, the gaining registrar rings
the person listed in the WHOIS to confirm the transfer using a standard
telephone script. The auth-info code could be supplied at either step.
This two step process was often used (and still is) to authenticate
telephone instructions before the Internet existed. It is also used as part
of the authentication process for digital certificates by some digital
certificate authorities.
Regards,
Bruce Tonkin
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|