[CPWG] Reminder: Deadline for input to Transfer PDP Initial Draft for Phase 1A is May 14, 2022

Lutz Donnerhacke lutz at donnerhacke.de
Sat May 14 22:16:26 UTC 2022


On Sat, May 14, 2022 at 11:48:25PM +0200, Lutz Donnerhacke via CPWG wrote:
> By my reading of the initial report and the AtLarge "Draft responses" I do
> not miss anything important (besides the point, that the FOAs are removed in
> exchange for a promise to have an easy to use rollback mechanism later) or
> misleading.

Please let me explain my point by quoting some lines of the "TRP Initial
Report Draft", lines 576-580
(https://community.icann.org/display/TPRPDP/Working+Documents?preview=/167543675/197263958/TPR%20Initial%20Report%20Draft%20-%2029%20April%202022.pdf)
-----
Taking into account these considerations, the working group determined that
the Losing FOA requirement should be eliminated and replaced with new
requirements. These new requirements allow the transfer to occur in nearly
real time while ensuring that:
 1. The RNH is informed of an inter-Registrar transfer and
 2. A sufficient record of the process is maintained to support investigation
    of complaints and resolution of disputes.
-----

As far as my memory told me, this was one of the occurrences of this
"promise of a quick-reverse mechanism". But this promise is missing in the
draft.

OTOH on the same page there is a mention of a "TAC notification" which
seems to replace the "Losing FOA", but cannot stop the initiated transfer.
There is a time window to transfer the domain using the TAC, which is sent
out at roughly the same time as the notification, so the TAC can be used
before the registrant has had time to react (given that most registrants do
not read email every day).

Lines 606-629 state that a "Notification of Transfer Complete" must be sent.
This might also be called a "Damage report", if something went wrong. I.e. the
registrant's notification email is using the domain name which was
transferred maliciously, so the attacker can redirect all emails and filter
the notification. So the line 628/629 instructions on how to revert a domain
transfer might not reach the (former) registrant.

Yes, this is not part of the current process, but should be raised during
the public comment phase.

