RE: [registrars] EPP Informed Consent

["Tim Ruiz" <tim@godaddy.com>]

Rick,

From our experience with Authcodes so far, I don't understand what the
registrant would need the code for other than to transfer to a different
registrar. It should be recoverable from their current registrar at any
time. I don't see any reason why a registrant needs to write it down for
safe keeping, or even remember it for very long.

Tim

-----Original Message-----
From: Rick Wesson [mailto:wessorh@ar.com]
Sent: Tuesday, December 03, 2002 5:22 PM
To: Michael D. Palage
Cc: Ross Wm. Rader; tim@godaddy.com; registrars@dnso.org
Subject: Re: [registrars] EPP Informed Consent



Mike,

> (1) the registrant and/or admin contact can only get the auth code from
his
> registrar (losing registrar), thus adequate safeguards can be implement
> here;
>
> NOTE: Under the PIR (.ORG) agreement and my .US proposal, the registrar
auth
> codes must be unique (added security)

under origional design the AuthInfo in EPP were to be used as a passowrd,
a humanly remberable string.

your proposal breaks this assumption and much of the design for AuthInfo
in epp; infact it might even break some business models of registrars so
please be careful of your recomendations and you might even want to
circulate them with some the the folks that implement this stuff on the
client side.

Its not added security if folks have to write them down some place because
they aren't able to keep all their domains with the same AuthInfo token.

-rick