RE: [registrars] Transfer Misc Question

["Michael D. Palage" <michael@palage.com>]

Ross,

If GoDaddy has a business concern, and one which I have heard from other
registrars then I do not believe as the Task Force representative of this
constituency use should unilaterally dismiss these concerns as
"theoretical."

I know of at least one instance in which a registrar's system was hacked and
transfers initiated, and laundered in the manner which I described. For
obvious reasons this registrar would prefer not to have these facts recited
publicly.  GoDaddy seems to indicate that it also has seen similar
questionable activity.

What I do not understand is why would you prohibit registrars from
voluntarily imposing a security safeguard to minimize fraud and protect
domain name registrants. This is really no different than the redemption
grace period designed to protect the interests of individuals and
businesses. You have asked Tim and I to give you instances in which the
proposed mechanism would safeguard registrar and registrants interests. I
think we have and would suggest you contact Dan Halloran as he could give
you some additional feedback as he has been involved in a number of these
instances.

In turn, I would ask you to provide me a situation in which a
registrar/registrant would be penalized by asking that registrant to stay
with a registrar for a brief period of time AFTER transferring his/her
domain name. Again under the current policy, that registrant MUST stay with
a registrar for 60 days after registration. I am not stating that the
cool-down period be 60 days but allowing a registrant to transfer in and
transfer out with a matter of hours should raise questions about the
intention of the registrant, or the circumstances surrounding that
transaction.

Since you oppose what Tim and I deem as fairly reasonable proposal as
"further limiting the rights of registrants and registrars in such an
aggressive fashion", then does TUCOWS oppose the original 60 day lock down
period as similarly onerous? Why did TUCOWS not seek to eliminate that
requirement from the transfer's policy as similarly interfering with the
registrars and registrant's rights in such an aggressive fashion.

I think this is just crossed communication, and a misinterpretation on your
end that this safeguard could be used to prohibit an INITIAL transfer. It is
not, it is a safeguard mechanism that registrars would be voluntarily
allowed to impose in the case of MULTIPLE registrar transfers within a brief
period of time.

Mike





-----Original Message-----
From: Ross Wm. Rader [mailto:ross@tucows.com]
Sent: Saturday, November 30, 2002 12:51 PM
To: tim@godaddy.com; michael@palage.com
Cc: registrars@dnso.org; cgomes@verisign.com
Subject: Re: [registrars] Transfer Misc Question


The example provided presumes that the domain name transfer wasn't verified
in the first place. I'm not sure that it makes a ton of sense to throw the
baby out with the bathwater in such an aggressive fashion. If chargebacks
really are the issue, then lets talk about that, but I suspect the problem
being voiced is more concerned with poor authentication requirements under
the current policy. Duly identified registrants that actually exist are not
likely to stop payment (its not inconceivable, but I submit that we are
dealing with exceptions, not rules at that point.) I'd like to see some data
that supports the conclusion that this is a widespread issue.

I don't agree with further limiting the rights of registrants and registrars
in such an aggressive fashion in order to deal with what I would
characterize extremely limited instances of fraud.

Theoretical or limited exceptions are fine but they don't provide value to
the discussion or help those of us that have a real business to run.

-rwr

----- Original Message -----
From: "Tim Ruiz" <tim@godaddy.com>
To: <michael@palage.com>
Cc: <registrars@dnso.org>; <cgomes@verisign.com>
Sent: Saturday, November 30, 2002 12:09 PM
Subject: Re: [registrars] Transfer Misc Question


> Go Daddy supports this idea. We've seen the exact fraud scenario you refer
> to first.
>
> Tim
>
>  -------- Original Message --------
>    Subject: [registrars] Transfer Misc Question
>    From: "Michael D. Palage" <michael@palage.com>
>    Date: Sat, November 30, 2002 9:40 am
>    To: <registrars@dnso.org>
>
>    Under the current policy a domain name is locked for 60 days after
>    registration to allow the registrar to secure payment. However, there
>    is no similar provision in the case of transfers. In more than one
>    instance involving domain name hijacking/theft, I have seen a domain
>    name get transferred through multiple registrars then deleted and
>    re-registered in an attempt to launder a domain name within a couple
>    of days. Why under the proposed policy is it not permissible for a
>    registrar to lock a domain name on transfer since there is a payment
>    which the registrar must verify for the one additional year that the
>    gaining registrar is billed by the registry. In addition, by locking
>    down a domain name after transfer it would limit the ability of bad
>    guys to launder domain names through multiple registrars.
>
>    I believe that several registrars have implemented a similar policy to
>    cut down on fraud, and I was wondering why this mechanism not be
>    incorporated into the transfer policy, at least on a voluntary basis.
>    I am not requesting that registries modify their software to
>    incorporate this safeguard. However, I believe registrars should not
>    be prohibited from incorporating this safeguard voluntarily.
>
>    Although this scenario at first blush might possibly qualify under the
>    fraud and payment exception of Point 16, in the case of domain name
>    theft/hi-jacking the domain name is generally in and out of a
>    registrar's system within a day or two. This brief period of time is
>    not adequate enough for a registrar to identify a possible problem and
>    halt the transfer. What I am basically proposing is that registrars be
>    permitted to incorporate a "cool down" period after a transfer to
>    guarantee payment and ensure that there is no fraud.
>
>    One would have to admit that if it reasonable for a domain name
>    registrant to stick with one registrar for 60 days after registering a
>    domain name, it is not unreasonable to ask that registrant to stick
>    with a domain name registrar for brief period of time to identify any
>    potential illegal activity. Moreover, would people not find it highly
>    irregular for a domain name registrant wanting to transfer-out after
>    just transferring in. Obviously this voluntary policy would not
>    prohibit registrars from remedying transfers that were made in error
>    or illegally. In fact this transfer's cool down period is design to
>    make such remedial actions much more easier as the number of
>    registrars involved in limited to two.
>
>    Any thoughts?
>
>    Mike
>
>
>