ICANN/DNSO
DNSO Mailling lists archives

[registrars]


<<< Chronological Index >>>    <<< Thread Index >>>

RE: [registrars] FW: [nc-transfer] Drafting Team Status Update


Mike,
 
Very well put. We agree completely. There is no way that it is appropriate to attempt to tie the losing registrar's hands in this matter in favor of the gaining registrar under the false impression that it is somehow better for the registrant. We also are concerned about the lack of enforcement of this proposed policy and existing contractual obligations. Adopting a policy that is not enforceable gets us nowhere and opens the transfer process up to even more problems than it already experiences.
 
Tim Ruiz
Go Daddy Software, Inc.

-------- Original Message --------
Subject: RE: [registrars] FW: [nc-transfer] Drafting Team Status Update
From: Michael Bilow <mbilow@registrationtek.com>
Date: Mon, September 2, 2002 1:59 am
To: "Ross Wm. Rader" <ross@tucows.com>

On 2002-08-30 at 13:42 -0400, Ross Wm. Rader wrote:

> The draft policy generally contemplates the following;
>
> 1. That the default rule on a transfer request from the registry to
> the losing registrar should be an "ack" in all cases unless the
> losing registrar has explicit knowledge that the registrant does not
> wish to undertake the transfer.

What about the case where a determined hijacker repeatedly puts in
transfer requests for a domain name? The registrant would be expected
to affirm repeatedly that they disapprove each transfer. One could
argue that in such a case the current registrar has explicit
knowledge, but that's not the kind of thing that could easily be
automated. Locking the domain at the registry would also help in such
cases, but this still places the burden on the legitimate registrant,
and that is unfair: if the legitimate registrant messes up even once,
or they have a problem with their e-mail, or someone takes a vacation,
or the contact for the domain is naive and unsophisticated, the domain
might inappropriately transfer.

Even saying that the burden rests with the requesting registrar is no
solution, since presumably a hijacker would give whatever false
assurances were requested and could move from one registrar to
another, creating fake accounts and doing all sort of other
underhanded things. In the face of this, it really seems
inappropriate to burden the legitimate registrant.

> 2. That the gaining registrar must only initiate the transfer
> process with the explicit consent of the registrant or an entity
> that the registrar reasonably believes has the authority to act on
> the
> registrants behalf.

This is the core of the problem: the gaining registrar has no real way
to determine this. On the one hand, the registrar can tell the
customer that initiating a request to transfer a domain is a claim of
apparent
authority, and can ask the customer to affirm such authority. Our
procedure is to make the customer check a box on a web form which
makes this claim under penalty of perjury. Obviously, someone could
lie, but it gives us a little more leverage in undoing an improper
transfer should we decide that our own customer wrongly requested it.

On the other hand, the majority of transfer requests are legitimate,
and putting a lot of obstacles in the way is unfair as well.

What I am particularly leery about is the possibility that two
competing claimants for apparent authority will use registrars as
proxies to fight their dispute. If this kind of thing happens, the
gaining registrar is likely to end up one of the defendants.

> 3. (This one is perhaps the most important) That the processes
> employed by registrars to undertake these types of transactions are
> registrant friendly and do not require the implementation of
> bureaucratic artifice such as double acknowledgements, artificial
> barriers to portability etc. In other words, the processes might be
> complex for registrars to carry out, but simple for registrants to
> deal with - "designed for the consumer" in other words - simple,
> efficient and safe.

Where we draw the line is between those cases which can be processed
automatically and those which cannot. For the tiny minority of cases
which cannot, our approach is to involve a real human who can apply
reasonable common sense and decision making skills. Trying to
oversimplify this into a set of rigid rules is really impossible: the
losing registrar has, I think, a clear duty to confirm the intent of
the registrant before allowing the transfer. We do not request a
notarized affidavit and a DNA sample, but we apply whatever methods
are appropriate to resolve the uncertainty we believe is present in a
particular case.

I concede that this duty of the losing registrar is in addition to the
duty of the gaining registrar to confirm apparent authority before
initiating the request, but such duty of the losing registrar seems to
exist nonetheless. Trying to constrain the losing registrar into
refusing a transfer only on the basis of "explicit knowledge" of the
registrant's contrary intent would introduce very serious complexities
and subtleties.

-- Mike



<<< Chronological Index >>>    <<< Thread Index >>>