DNSO Archives: [registrars]

ICANN/DNSO DNSO Mailling lists archives

[registrars]

<<< Chronological Index >>> <<< Thread Index >>>

RE: [registrars] EPP Informed Consent

To: "Rick Wesson" <wessorh@ar.com>
Subject: RE: [registrars] EPP Informed Consent
From: "Michael D. Palage" <michael@palage.com>
Date: Tue, 3 Dec 2002 19:12:12 -0500
Cc: "Ross Wm. Rader" <ross@tucows.com>, <tim@godaddy.com>, <registrars@dnso.org>
Importance: Normal
In-Reply-To: <Pine.LNX.4.33.0212031518150.17511-100000@flash.ar.com>
Sender: owner-registrars@dnso.org

One step ahead of you Rick.

The PIR and the .US Proposal and now the .CN agreements all require
registrars to assign unique Auth Codes. However, there is nothing preventing
the REGISTRANT from modifying the auth code so that there is a common PIN
number similar to your bank card for all domain names registered to an
individual. Moreover, the flexibility of having a simple alpha-numberic code
versus a more complex (secure) code allows registrars to potentially offer
value added services, i.e. Auth Code Key Rings, etc.

Therefore, I would submit the Registry-Registrar contracts of .org and .cn
(and hopefully .us) will provide enhanced security and reliability while
providing registrars new value added services to their corporate or bulk
customer database.

Although I have been very quiet in the RPP transfer debate, I have been
working overtime in the EPP world to solve the problem.

Mike




-----Original Message-----
From: owner-registrars@dnso.org [mailto:owner-registrars@dnso.org]On
Behalf Of Rick Wesson
Sent: Tuesday, December 03, 2002 6:22 PM
To: Michael D. Palage
Cc: Ross Wm. Rader; tim@godaddy.com; registrars@dnso.org
Subject: Re: [registrars] EPP Informed Consent



Mike,

> (1) the registrant and/or admin contact can only get the auth code from
his
> registrar (losing registrar), thus adequate safeguards can be implement
> here;
>
> NOTE: Under the PIR (.ORG) agreement and my .US proposal, the registrar
auth
> codes must be unique (added security)

under origional design the AuthInfo in EPP were to be used as a passowrd,
a humanly remberable string.

your proposal breaks this assumption and much of the design for AuthInfo
in epp; infact it might even break some business models of registrars so
please be careful of your recomendations and you might even want to
circulate them with some the the folks that implement this stuff on the
client side.

Its not added security if folks have to write them down some place because
they aren't able to keep all their domains with the same AuthInfo token.

-rick

Follow-Ups:
- RE: [registrars] EPP Informed Consent
  - From: Rick Wesson <wessorh@ar.com>

References:
- Re: [registrars] EPP Informed Consent
  - From: Rick Wesson <wessorh@ar.com>

<<< Chronological Index >>> <<< Thread Index >>>