Gtld transfer process

Brandon Butterworth brandon at rd.bbc.co.uk
Tue Jan 18 09:35:00 UTC 2005


> The loophole that led to this error has been closed.   

Perhaps for you but this process leaves a lot of registrars in position
to do damage, accidentally or by the criminal action of staff.

> In some cases registrars delegate the obtaining of the approval from a reseller

Though well intentioned to make it easier to move away from
bad registrars all this does is put everyone else at far greater
risk - not only from registrars but also their resellors who are
likely to be unvetted. It seems quite easy for criminals to
gain conrol

> Many registrars now put names on lock by default

So we're back to needing the cooperation of the old registrar, may as well
have stuck with the old, less risky, way

> (7)  If the registry receives no response from the losing registrar
> after a 5 day period, the transfer will be completed.   

Adding the risk of not noticing and it just going through unchallenged

> (9) If the losing registrar believes that a transfer was unauthorised,
> the losing registrar may contact the gaining registrar for a copy of the
> authorisation in step 2 to arrange for the transfer to be reversed.

Too late, the damage is done

> In the case of panix.com, the step (2) failed at the gaining registrar.
> I can't comment on steps taken by the losing registrar.

It doesn't matter, the system is broken by design - they had to trust you
to be correct

> The principle of the process, is that a registrant can move to another
> domain name provider (registrar or reseller) at any time, and can
> initiate a transfer from the new provider.  This relies on the new
> provider authenticating the request.

I'm only paying my registrar to be trustworthy, I don't want to have
to trust the rest

> The integrity of the process is greatly improved through the use of the
> auth_info password in the EPP protocol.  This has been operating
> effectively in .org, .info., .biz and .name.

I disagree (the new whois sucks too)

> My personal view is that the current transfers policy WITH the use of
> auth_info and WITH the use of registrar-LOCK is a reasonable balance
> between security and allowing registrants to easily move their name. 

My experience has been that getting auth_info (which criminal staff
would have access to) from bad registrars is almost impossible, with
registrar-LOCK too they have enough control to negate the gain in
being able to pull a domain to a new registrar - you still need the
cooperation of the old one so it's just as bad as the old way but lots
more risk for everyone

EPP is thus of no advantage and registrar pull is dangerous

> I am interested to hear what members of the NANOG list believe would be
> a better transfers process.

Everyone has their ideas but the people running a $1.2B business should be able
to do better

brandon



More information about the NANOG mailing list