RE: [registrars] EPP Informed Consent

["Michael D. Palage" <michael@palage.com>]

Unlike the .AU policy that does not provide for an emergency NAC, the .ORG,
.CN (and hopefully .US) policies keep in place the 5 day transfer window.
Therefore, should an auth code be stolen, and fraudulently submitted and
reconfirmed, the registrant would still have a 5 day emergency window to let
him/her know that a transfer is about to take place. This is something I
think the .AU policy is missing.

Actually, Ross if you read the proposed .US policy I have put in language
which states that the access and modification of the Auth Code should be no
more difficult than changing DNS. I actually got this idea from the
Transfer's Task Force Report. Speaking with Paul at Enom I believe they
already have this feature integrated into their system rather easily.

So I think the first two questions have been addressed.

With regard to being gTLD ready, it is going live with .CN and hopefully
.US. It is already operational in .AU. The ground work has been laid in the
PIR .ORG contract. Hopefully if .CN and .US prove successful, PIR may be
convinced to incorporate this change. If not I think it would be in the
constituency's best interest to approach Afilias (.INFO), NeuStar (.BIZ) and
GNR (.NAME) to ask for a similar contract change.

I believe both the Task Force Report and Principles allow for registries to
make policy improvements.

I await your more detailed analysis.

Mike



-----Original Message-----
From: Ross Wm. Rader [mailto:ross@tucows.com]
Sent: Tuesday, December 03, 2002 7:01 PM
To: Michael D. Palage; tim@godaddy.com; registrars@dnso.org
Subject: Re: [registrars] EPP Informed Consent


> I think if you look at my .US proposal and then the constructive comments
of
> Bruce based upon .au policy, I think EPP has everything we need.

I've read them through - not sure I agree. A more practical approach would
be appreciated, at least on this end. For instance, the proposal is silent
on what we should do in cases where things have gone wrong. It places too
much emphasis on the magic of technology and not enough on the value of
predictable processes. There are a few other real-life considerations that
would need to be addressed before the recommendations are "gTLD-ready" ie
3.9.2 - Failure to provide an authinfo code within 3 days is considered to
be a material breach of the agreement. Registrar loses accreditation because
of a bad mailserver?

That's all that I came up with after just a quick review, I'm sure that we
would have additional comments if I flew this around the office. Overall,
its a great step in the right direction, but we can't let the shiny sexiness
of this new technology get in the way of an appropriate level of technical
and procedural objectiveness.

-rwr