[comments-transfer] Interim Transfer Task Force Report and the EPP Authorization Model

["Hollenbeck, Scott" <shollenbeck@verisign.com>]

Thank you for this opportunity to comment on the interim report of the DNSO
transfer task force.  I have read the report and listened to the discussions
that took place during the ICANN meeting in Shanghai with a special interest
in the portions of the report that relate to the Extensible Provisioning
Protocol (EPP).  As the author of EPP I would like to specifically address
references to the use of EPP authorization information (called
"authorization codes" in the report and the meeting presentations) and use
of that information to facilitate domain name transfer operations.

One of the slides presented at Shanghai included an implicit reference to an
operational model in which registrars generate and maintain authorization
information on behalf of registrants [1].  When I first envisioned the use
of a password-like mechanism to authorize domain name transfers, I imagined
an operational model in which a registrant could provide authorization
information to a registrar when a domain is registered.  Registrars would
solicit this information from registrants as part of the normal information
collection process that takes place when a domain name is registered, and
the registrar would pass the authorization information through to the
registry.  A registrant would thus possess the authorization information at
all times, and there would be no need to request the information from a
registrar to initiate a transfer.  If forgotten, the authorization
information would be maintained at the registry and could be retrieved or
updated by the registrar on behalf of the registrant at any time.

EPP does not require registrars to generate and maintain authorization
information on behalf of registrants; the protocol is flexible enough to
support multiple operational models.  The model alluded to in the interim
report is one model.  The model I have described above is another.  Both are
"legal", and others are undoubtedly possible -- even within the same
operating environment.  This is one feature that allows registrars to
develop distinguishing business practices and consumer services.

In summary, I would like the task force to clearly understand that EPP does
not mandate the operating model that is currently used by some registries
and registrars.  Other models are possible and may be of interest to the
task force and the community at large.

Thank you again for this opportunity to comment on the report.

Scott Hollenbeck
VeriSign Global Registry Services

[1]
"Registrars must provide Registrants with authorization codes (where
applicable) within 72 hours."