[GNSO-TPR] Notes and action items - TPR WG Meeting #29 - 21 Dec 2021
Julie Hedlund
julie.hedlund at icann.org
Tue Dec 21 17:33:32 UTC 2021
Dear TPR WG Members,
Please find below the notes and action items from today’s call.
The next TPR WG meeting will be on Tuesday, 04 January 2022 at 16:00 UTC.
Best regards,
Emily, Julie, Berry, and Caitlin
Action Items
Recommendation 3:
ACTION ITEM: WG to suggest/comment on the current language and suggest changes if any.
Recommendation 5:
ACTION ITEM: For recommendation 5.1 revise the recommendation to remove the second bullet.
ACTION ITEM: For recommendation 5.2 the WG to review and suggest revisions.
Transfer Policy Review Phase 1 - Meeting #29
Tuesday 21 December 2021 at 16:00 UTC
1. Roll Call & SOI Updates: No updates provided.
2. Welcome & Chair updates (5 minutes)
* There will not be a WG meeting on 28 December.
* The Project Change Request was approved by the GNSO Council on 16 December to move NACKs from Phase 2 to Phase 1a. The Project Plan and charter are updated.
* Update from Jim Galvin, RySG: drafted a summary about including the IANA ID about including it in the Registrar of Record. Several ways that information could be provided. Whatever choice will impact registrars. The RySG will present a proposal to the registrars via the Tech Ops group with the result to feed into the WG’s discussion.
* Would be useful to have the various options presented to the WG.
* Jim noted that several WG members will be involved in the Tech Ops discussions, but he will make sure that the WG will be in the loop.
3. Second reading: TAC and FOA (45 minutes)
TAC Working Document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!p4lHPnH0iN_MfQJDBOQ7D-uetrsUffDPOcZ_48v12A2pX79Yv5bRJ3EKX3Ugi-tzkVR-im7-UQ$> (beginning on p. 15)
Recommendation 3:
ACTION ITEM: WG to suggest/comment on the current language and suggest changes if any.
Recommendation 5.1:
* What are we trying to solve with this recommendation? Is it brute-force attacks? Or a user issue? Or both?
* Should we ask the Registry Stakeholder group whether brute-force attack is really a problem? Registries would have the most information. If they see this as a possible problem then we need to address it.
* Staff was doing some thinking about this and wondering how much of an issue brute force is. Maybe it was more of an issue when the TAC is generated with registration, but not with the recommendation to have the TAC generated on request. We have changed the TAC considerable from how AuthInfo works today based on our recommendations.
* Jim Galvin RySG: Never heard another registry talk about it. This is more of an ordinary operational issue for a registry. They monitor their systems. If a registrar is doing brute-force attacks it isn’t going to tell anyone/no registrar will see it. Only the registry can see it. This doesn’t need attention. Don’t think we will get any information by asking registries.
* Let’s assume that this is not a brute-force recommendation but a user experience recommendation. We should clean it up accordingly.
* Shouldn’t the Gaining Registrar get a notification? They should be notified, but that should be covered in the normal operations.
* Not sure we need a notification for every successive failure.
* From a user experience point of view we should think about the right way to handle this. Maybe the path is what the registry does after X failed attempts it disables the transfer, negates the code, and tells the registrar that transfers aren’t allowed. For the user experience consider what type of action you want to get the situation fixed?
* Combine bullets 1 and 2: As an alternative to “successive attempts” – after the 5th and every 5th after that the registry sends the notice to the Registrar of Record.
* We don’t have any data on how often this happens.
* We are trying to give the best user experience around the transfer.
* In favor of data that would support a certain number of failed attempts.
* If we’re wanting to provide notice to the RNH, a single notice after a # of failures would suffice. The question then becomes what that # is.
* Helpful to improve the registrant experience, but one notification should be enough.
* Think about what problem we are trying to solve. The Registrar of Record needs to know that an invalid TAC is presented if they have no knowledge that a domain name is transferable. The onus falls on the Gaining Registrar to deal with invalid TACs. It might be helpful to present one notification to the Registrar of Record, but otherwise there isn’t a need for anything further.
* If the Losing Registrar gets a notice (as the Registrar of Record) that an invalid TAC was provided to the RNH then the Losing Registrar will want to get in touch with the Gaining Registrar and to notify the RNH as good customer service.
* Should we add language that talks about what happens if the registry fails it where there’s a lock? Does it matter why the registry is failing the transfer.
* What happens when the TAC exists with a lock? If a domain name is locked and you can’t set a TAC, that will create operational issues.
* Think we all know that there is an intersection between transfers and locks. There is a user experience issue to be addressed here. Can locks be present if you set a TAC? How would a registry make the distinction between a lock that makes a domain name transfer eligible and one that doesn’t. You want a lock on to protect until the transfer. From a registry point of view some registries offer lock services and registrars also offer them. What happens when you have both? We haven’t played all of the scenarios.
* Seems that the lock overrides everything. Should the TAC be able to be set at the registry with the lock on? Can a lock be put on if there is a TAC? Would the lock override the TAC?
* A lock should be able to be placed on the domain even if a TAC is set for the domain.
* But then how do you effect the transfer? How does a registry know it’s valid?
* Today’s policy says the Registrar of Record has to remove the locks within 5 days or allow the RNH to remove them.
* If the TAC matches and the domain is unlocked, it’s a valid request.
* The registrar has to remove their locks for a domain name to be transfer eligible.
* The policy needs to say something about the registry removing its locks when presented with a valid TAC.
* Don't think the registry should even check the TAC if the domain is locked.
* It's an order of operations really: Is domain locked? Yes, deny transfer request. No, check TAC.
* No reason to check the TAC if it’s locked.
* Could be that there is a step to be taken if the domain name is locked.
* There are other reasons (like court orders) that domains can be locked. We need to recognize that at the registry or registrar. Don’t think that we have to differentiate too much. The registrant still has to go back to the Registrar of Record to resolve that lock. That covers all the locks we are talking about.
* Think that the Registrar of Record has to be responsible for resolving all locks that they were a party to before they set a TAC. Leaves open the possibility that if the registry has it locked then the Registrar of Record may not know. That should be addressed too.
* Three scenarios: Registrar or Record can resolve just by explaining to the RNH that there’s a lock. Resolve may not be to the transfer.
* It may be that the manual process has to transfer from the Registrar of Record to the Gaining Registrar. The Registrar of Record should not be obligated to notify the RNH of a lock that it doesn’t know about.
* Policy has to say that the registry has to account for the transfer process in the case of a commercial lock.
* Think we have the basic framework: Is domain locked? Yes, deny transfer request. No, check TAC. Need to put in place where the difference decisions/triggers happen.
ACTION ITEM: For recommendation 5.1 revise the recommendation to remove the second bullet.
Recommendation 5.2:
* Maybe an intermediate step – need to clear out the language and somehow put that in place of the Registrar of Record has to take action.
* Don’t think the Registrar of Record should have to reach out (MUST). Could be changed to MAY. But this help ICANN Compliance to follow up, such as a requirement to document?
* If we set this to 5 attempts and the Registrar of Record sees it but it is successful after that, maybe the Registrar or Record could just note that in its investigation in case Compliance follows up.
* Do we have data that justifies this recommendation? What are we trying to solve here?
* The purpose is for the user experience to be consistent and predictable for the registrant.
* Maybe it should be that the Registrar of Record MAY notify the RNH or investigate. Or just leave as MAY investigate. Don’t make either one more important. Maybe once you investigate you decide you don’t need to notify.
* If you have the option to notify or to investigate, then you can choose what to do.
* No sense in creating a requirement that can’t be enforced.
* Maybe a way to get out of this: Instead of 5.2 this could be changed to an implementation note to accompany this section that for notifications in 5.1 the Registrar or Record should investigate and notify as necessary.
* Even if it’s a implementation note isn’t it still a requirement?
* If we make it a MUST but a big OR – between investigation and notification that addresses enforcement.
* If we use SHOULD or MAY then there is no way to check compliance.
* Make sure the language is crystal clear.
ACTION ITEM: For recommendation 5.2 the WG to review and suggest revisions.
4. AOB (5 minutes): Next call: Tuesday 4 January 2021 at 16:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-tpr/attachments/20211221/c3b2d65b/attachment-0001.html>
More information about the GNSO-TPR
mailing list