<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] Domain Transfers
On 2001-12-13 00:17:16 -0600, Kristy McKee wrote:
>>Registrars employ secure means, and for almost all of them, the
>>Administrative contact is the only one who is allowed to
>>authorize a domain transfer from one registrar to another.
>Well, personally, I agree that the Administrative Contact only
>should have authorization for such a move.
Of course, there's also still the Registrant who should ultimately
be in charge of the domain, shouldn't he? ,-)
Saying that only the Administrative Contact should be able to
authorize a change of registrars means that you are focusing on
implementation details a bit too much. If I send a written document
to a local registrar notarized in some way, asking him to transfer
my domain name to him, possibly add proof of my identity, and, BTW,
please fix the bad contact information after the transfer has
happened, that should really be sufficient...
Actually, there are several questions around which all this debate
is circling around (leaving business interests of typically loosing
registrars aside):
- Who should have the authority and ability to authorize a transfer
from one registrar to another? (In terms of real-life entities,
and law.)
The registrars constituency's proposal talks about "apparent
authority to legally bind the registered name holder". Christine
Russo of Verisign Registry complained on the transfer TF that this
is not clear enough, and must be further defined. Ross Wm. Rader
refers to standard (Common Law!) legal theory about this.
- How can the registrars involved (and, possibly, the registry)
learn about this authority?
- Should the loosing registrar verify transfers, and how?
Let's try to go through these questions: Of course, the registrant
himself should have the authority to authorize a transfer. He
should also be able to explicitly pass this authority to anyone he
desires, without this individual having to be listed as a contact.
Now, of course, different legal systems know different ways of
giving authority to a third party, and will consequently produce
different kinds of proof, in different languages (think "obscure
Chinese dialect") - in particular when the gaining registrar is a
local one who speaks the registrant's language and resides in the
same legal system.
As William pointed out already, we'll hardly expect registrants to
pay translators and run to consulates for approval. Also, we don't
expect registrars or registries to have translation capabilities for
all languages possibly spoken by registrants. This means that the
gaining registrar is the best we have to verify documents of
authority - because, in quite a few non-US cases, he may be the only
one to understand these documents.
For this kind of reason alone, it's a very good idea to let the
gaining registrar verify the registrant's intent (which is what
Exhibit B, and the registrars' proposal says). It may even be a
good thing to use some idea of apparent (and explicit) authority
which is present in the gaining registrar's or registrant's legal
system.
(Some of this was discussed on the registrars list in the past, and
one problem with this approach is that verification of
authentication becomes hard for loosing registrars and registries.
Also this approach could possibly create liability and
indemnification problems. But still, this may be something worth
looking into more closely on the task force.)
For the reasons given above, it's also a bad idea to let the loosing
registrar verify transfers with a NACK default (which seems to be
what currently happens with Verisign): The actual registrant (or his
Admin-C) may not understand English. (He may also not understand
the kind of advertinese used by certain registrars in most of their
communications. Or he may just be away from his mail, or the e-mail
address listed in the whois database may be
<no.valid.email@worldnic.net>. But that's yet another issue, which
can be summarized like this: The gaining registrar will generally be
closer to the registrant, and will have more up-to-date information
than the loosing registrar.)
Now, what if the gaining registrar is acting under the jurisdiction
of some warlord somewhere, and the warlord himself wants to hijack a
domain?
First, the actual registrant should be able to NACK a transfer to
the loosing registrar if he wishes so.
Second, the actual registrant could start a transfer back to the
originally loosing registrar, who would now turn into the gaining
one. But, ok, that's cumbersome.
Third, why not make auto-NACK or auto-ACK on the loosing registrar's
end configurable for registrants, with the default for old domains
being auto-ACK (which is what ICANN policy says), and the default
for new domains being set when they are initially registered?
The security level for a registrant-caused change of policy should
match the one used for a change of, say, the Admin-C. The
introduction of this feature could be announced via e-mail. As a
side effect, all domains managed by <no.valid.email@worldnic.net>
would have auto-ACK (which is probably the best thing in this case),
while registrants with valid e-mail addresses could quite easily get
the kind of protection Verisign so eagerly wants to force upon them.
Of course, all this is just my personal take of the problem, and I
may quite easily have made some mistakes, or missed important
points. If so, corrections are welcome. ;-)
--
Thomas Roessler http://log.does-not-exist.org/
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|