Re: [registrars] Transfer Misc Question

["Tim Ruiz" <tim@godaddy.com>]

Ross,

Go Daddy experienced this type of fraud first hand, and more than once.
That's why we have instituted such a policy ourselves. We do not allow a
transfer away within the first 60 days of a transfer to us.

I submit that the number of registrants who want to transfer away within
the first 60 days of a transfer is so small that such a policy would not
inconvenience anyone except those with less than honorable intent.

We run a real business with real people as customers who operate real
websites. The security of those sites is not a trivial issue. No matter how
well defined any dispute resolution policy becomes, it still only works
AFTER the fact, AFTER the loss of the domain name, AFTER the website goes
down. AFTER the loss of associated revenue. That is not acceptable.

Tim

 -------- Original Message --------
   Subject: Re: [registrars] Transfer Misc Question
   From: "Ross Wm. Rader" <ross@tucows.com>
   Date: Sat, November 30, 2002 10:51 am
   To: <tim@godaddy.com>, <michael@palage.com>

   The example provided presumes that the domain name transfer wasn't
   verified in the first place. I'm not sure that it makes a ton of sense
   to throw the baby out with the bathwater in such an aggressive
   fashion. If chargebacks really are the issue, then lets talk about
   that, but I suspect the problem being voiced is more concerned with
   poor authentication requirements under the current policy. Duly
   identified registrants that actually exist are not likely to stop
   payment (its not inconceivable, but I submit that we are dealing with
   exceptions, not rules at that point.) I'd like to see some data that
   supports the conclusion that this is a widespread issue.

   I don't agree with further limiting the rights of registrants and
   registrars in such an aggressive fashion in order to deal with what I
   would
   characterize extremely limited instances of fraud.

   Theoretical or limited exceptions are fine but they don't provide
   value to the discussion or help those of us that have a real business
   to run.

   -rwr

   ----- Original Message -----
   From: "Tim Ruiz" <tim@godaddy.com>
   To: <michael@palage.com>
   Cc: <registrars@dnso.org>; <cgomes@verisign.com>
   Sent: Saturday, November 30, 2002 12:09 PM
   Subject: Re: [registrars] Transfer Misc Question


   > Go Daddy supports this idea. We've seen the exact fraud scenario you
   > refer to first.
   >
   > Tim
   >
   >  -------- Original Message --------
   >    Subject: [registrars] Transfer Misc Question
   >    From: "Michael D. Palage" <michael@palage.com>
   >    Date: Sat, November 30, 2002 9:40 am
   >    To: <registrars@dnso.org>
   >
   >    Under the current policy a domain name is locked for 60 days
   >    after registration to allow the registrar to secure payment.
   >    However, there is no similar provision in the case of transfers.
   >    In more than one instance involving domain name hijacking/theft,
   >    I have seen a domain name get transferred through multiple
   >    registrars then deleted and re-registered in an attempt to
   >    launder a domain name within a couple of days. Why under the
   >    proposed policy is it not permissible for a registrar to lock a
   >    domain name on transfer since there is a payment which the
   >    registrar must verify for the one additional year that the
   >    gaining registrar is billed by the registry. In addition, by
   >    locking down a domain name after transfer it would limit the
   >    ability of bad guys to launder domain names through multiple
   >    registrars.
   >
   >    I believe that several registrars have implemented a similar
   >    policy to cut down on fraud, and I was wondering why this
   >    mechanism not be incorporated into the transfer policy, at least
   >    on a voluntary basis. I am not requesting that registries modify
   >    their software to
   >    incorporate this safeguard. However, I believe registrars should
   >    not be prohibited from incorporating this safeguard voluntarily.
   >
   >    Although this scenario at first blush might possibly qualify
   >    under the fraud and payment exception of Point 16, in the case of
   >    domain name theft/hi-jacking the domain name is generally in and
   >    out of a registrar's system within a day or two. This brief
   >    period of time is not adequate enough for a registrar to identify
   >    a possible problem and halt the transfer. What I am basically
   >    proposing is that registrars be permitted to incorporate a "cool
   >    down" period after a transfer to guarantee payment and ensure
   >    that there is no fraud.
   >
   >    One would have to admit that if it reasonable for a domain name
   >    registrant to stick with one registrar for 60 days after
   >    registering a domain name, it is not unreasonable to ask that
   >    registrant to stick with a domain name registrar for brief period
   >    of time to identify any potential illegal activity. Moreover,
   >    would people not find it highly irregular for a domain name
   >    registrant wanting to transfer-out after just transferring in.
   >    Obviously this voluntary policy would not prohibit registrars
   >    from remedying transfers that were made in error or illegally. In
   >    fact this transfer's cool down period is design to make such
   >    remedial actions much more easier as the number of
   >    registrars involved in limited to two.
   >
   >    Any thoughts?
   >
   >    Mike