[GNSO-TPR] Notes and action items - TPR WG Meeting #21 - 12 Oct 2021

[Julie Hedlund]

Dear TPR WG Members,

Please find below the notes and action items from today’s call.

The next TPR WG meeting will be Tuesday, 19 October at 16:00 UTC.

Best regards,

Emily, Julie, Berry, and Caitlin

Action Items

1. WG members should review the Gaining and Losing GOA working documents – including candidate recommendations for the Losing FOA and suggested changes to the Gaining FOA policy.  See:  Gaining FOA working document<https://docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit?usp=sharing> and Losing FOA working document<https://docs.google.com/document/d/1wCUMe9ii6g05kUZ558IuUvJaS6K2t0GZJYvlfOy-raY/edit?usp=sharing>.

2. Charter Question b3 -- Staff to incorporate a recommendation to retain this policy with change from days to hours.

3. AuthInfo Code Candidate Recommendations: WG members to provide their input as suggestions in the AuthInfo Code Candidate Recommendations at: AuthInfo Codes working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$>.

4. WG members to review and comment on the Additional Security Measures working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$> in preparation for the discussion during the next WG meeting on 19 October.

Transfer Policy Review Phase 1 - Meeting #21
Tuesday 12 October 2021 at 16:00 UTC
1. Roll Call & SOI Updates (5 minutes)

-          Jim Galvin will soon be occupying a new role: I have been selected to be SSAC’s liaison to the ICANN Board of Directors, a role that I will assume at the AGM.  It won’t change my role on the WG as I will continue to represent the Registry Stakeholder Group.  See:
2. Welcome & Chair updates (5 minutes)


     *   The WG will meet at ICANN72 on Tuesday, 26 October at 10:30 local time.
     *   Roger will provide an update on the WG’s work during the Policy Update webinar today, 12 October, at 20:00 UTC.
     *   Look at the Gaining and Losing FOA working documents: Staff have added candidate recommendations.
ACTION ITEM: WG members should review the Gaining and Losing GOA working documents – including candidate recommendations for the Losing FOA and suggested changes to the Gaining FOA policy.  See:  Gaining FOA working document<https://docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit?usp=sharing> and Losing FOA working document<https://docs.google.com/document/d/1wCUMe9ii6g05kUZ558IuUvJaS6K2t0GZJYvlfOy-raY/edit?usp=sharing>.

3. Review of draft responses to charter questions and candidate recommendations for AuthInfo Codes –  see end of document beginning on page 16 (60 minutes) at: AuthInfo Codes working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$>
Discussion:

Charter Question b1) Is AuthInfo Code still a secure method for inter-registrar transfers? What evidence was used by the Working Group to make this determination?

Candidate Recommendation 2: The Working Group recommends that the Transfer Authorization Code be defined as follows: “A Transfer Authorization Code (TAC) is a code created by a Registrar of Record to validate that a request to transfer a domain name in a generic top-level domain (gTLD) is submitted by the authorized person, which may be the RNH or another appropriate party. The individual demonstrates that they are the authorized person by providing the TAC. A TAC is required for a Registered Name Holder to transfer a domain name to be transferred from one Registrar to another.”

     *   Question: Compliance concerns -- The term “authorized person” does not explicitly refer to the Registered Name Holder. Recommend replacing “authorized person” with “Registered Name Holder” to avoid ambiguity and arguments due to various interpretations.  Concerns about the implementation of this and how it would add to security measures.  Make more specific – unless we are having a positive response to the TAC, to make it more secure.
Candidate Recommendation 6: [The Working Group recommends that the Registry notifies the Registrar of Record [and registrant] receive a notification after [number] failed attempts to enter the TAC. The Registrar of Record may subsequently also provide a notification to the registrant that these failed attempts have taken place. ICANN Org may change from time to time the number of failed attempts that trigger a notification.] OR [The Working Group recommends that after [number] failed attempts to enter the TAC, it is not possible to attempt a transfer for [period of time]. ICANN Org may change from time to time the number of failed attempts that trigger this result.].

     *   Question: Trying to understand what we are trying to achieve with Recommendation 6.  Beyond the syntax what other check is going on here?  There shouldn’t be any other reason for a TAC to fail. Answer: The goal should be that the correct syntax should be known to anyone.  Trying to prevent a brute force attack.  The syntax being right and it matching are two different things.  This is when the syntax is right but it doesn’t match.  The goal is to notify the registrar or record so it could notify the registrar.   Question: So what Recommendation 6 refers to is the Gaining registrar.  Want to acknowledge that Registries would need to talk to our team about a recommendation that the registrar can’t make transfers if they get it wrong.  We’d then have to provide a process for undoing the lockdown.  Answer: I don’t think we are looking for a lockdown, we are looking for a notification that someone has tried this X number of times.  Question: Registries will have to discuss because this is a new notification.  How would you like that notification sent?  Need to specify that process.  This would have to be automated, perhaps through a poll message.
     *   Question: Has anyone encountered this?  Do we have any data on brute force attack of the AuthInfo Code?  Answer: Don’t know of any.  This came from the recommendation that the transfer is immediate – this would be the last line of defense.  Not just a brute force but perhaps also a systemic problem.
     *   Many of these candidate recommendations came out of brainstorming of the small group.  One of the questions was what are the methods to reduce brute force attacks.
     *   Note that this are candidate recommendations – not even drafts.  These are points that were pulled out of discussions on the charter questions.
     *   Any additional protection is positive.
     *   In the case of recommendation 6, this was framed as if there were no other restrictions, i.e. an immediate transfer, to provide protection against brute forcing.  Wouldn’t apply if there was a NACK for example.
Charter Question b2) The registrar is currently the authoritative holder of the AuthInfo Code. Should this be maintained, or should the registry be the authoritative AuthInfo Code holder? Why?

Candidate Recommendation 7: The Working Group recommends that the registrar continue to own and generate the TAC. The Working Group further recommends that the TAC is only generated by the Registrar of Record upon request by the registrant. When the registrar provides the TAC to the registrant it should also provide information about when the TAC will expire.

     *   Question: This could relate to bulk transfers.  Are we addressing those?  Answer: Yes.  As a bulk operation that may not work, but let’s focus on individual transfers.  We may have to clarify for bulk transfers.
     *   For all of these recommendations the plan is just to get something on paper, but there will be further opportunities to revise them.  We are trying to see where there is agreement and where more discussion is needed.
Candidate Recommendation 8: The Working Group recommends that when the registry receives the TAC, the registry must securely store the TAC using a one-way hash that protects the TAC from disclosure by using a secure password-hashing function (for example, bcrypt).

     *   Rather than being specific. WG members should suggest language.
     *   Question: This seems to be a pretty prescriptive requirement to put on a registry.  Is this really what we want?
Candidate Recommendation 9: The Working Group confirms the following provision of Appendix G: Supplemental Procedures to the Transfer Policy contained in the Temporary Specification for gTLD Registration Data: “4. Registry Operator MUST verify that the "AuthInfo" code provided by the Gaining Registrar is valid in order to accept an inter-registrar transfer request.”


     *   Question: Does this mean there's a mechanism to validate the TAC other than the transfer?
     *   There are two kinds of validation.  There registry never actually knows what the TAC is in clear text.  If an incumbent registrar is concerned that the TAC is not correct it just creates a new one and stores it.  It is in plain text until the registry has it, but inside an encrypted tunnel.
Charter Question b3) The Transfer Policy currently requires registrars to provide the AuthInfo Code to the registrant within five [calendar] days of a request. Is this an appropriate SLA for the registrar’s provision of the AuthInfo Code, or does it need to be updated?


     *   No candidate recommendations on this.
     *   WG could decide to have a recommendation that there are no changes to this policy.
     *   Could say number of hours rather than number of days.
ACTION ITEM: Staff to incorporate a recommendation to retain this policy with change from days to hours.

Charter Question b4) The Transfer Policy does not currently require a standard Time to Live (TTL) for the AuthInfo Code. Should there be a standard Time To Live (TTL) for the AuthInfo Code? In other words, should the AuthInfo Code expire after a certain amount of time (hours, calendar days,
etc.)?

Candidate Recommendation 10: The Working Group recommends that the Transfer Policy include a standard maximum Time To Live (TTL) for the TAC of [14 days].

Candidate Recommendation 11: The Working Group recommends that the Transfer Policy include a standard minimum Time To Live (TTL) for the TAC of [period].

     *   This was more for registrars than registries – enforced by the registry.  The idea was that there was a minimum.
     *   Important that we have a way to cancel the TTL.  If the sponsoring registrar sees a problem they can change the TAC.
     *   Need to take a question back to registries – not certain that having registries enforce the TTL is the right model.  What are we trying to achieve by having the registry enforce the TTL. Don’t we want to say that the TAC can only be used once – single use.  Like more discussion on this.
     *   Should definitely get a recommendation around one-time use TAC.
     *   The best technical solution to make sure that there aren’t registrar errors would be at least the registry verifies that the TAC is not older than 14 days – they are verifying the TTL.
     *   Do we have some statistics from ccTLDs depending only on TAC re TTL?
     *   Good to at least have a minimum.
     *   What does it mean if the registry is involved in this process?  Suggest that the minimum level doesn’t seem to provide protection against a registrar being a bad actor, and could cause more issues.
     *   Minimum causes more problems than it solves.
     *   If you are going to have SLAs then you have to promise the registrant X amount of time to do the transfer.  Could have a minimum enforced TTL on the registrar (by ICANN Compliance) not enforced by the registry.
     *   Clearer language makes it easier for Compliance to enforce it.
     *   This would be solved if we had a standard TTL, rather than a minimum (or maximum) TTL.  Just say 14 days.
     *   Unless people want to argue for a minimum we seem to agree to drop Candidate Recommendation 11.
     *   If we say in a policy that it has to be 14 days then blanking/nulling it would go against that policy.
     *   The registrar should be able to null or reset a TAC even during the TTL period.
     *   The only real benefit of a minimum is it gives you a reactive mechanism for getting at bad actors.
     *   Seems to be agreement for a standard for 14 days, rather than maximum or minimum and for the registrar to be able to nullify the TAC during the TTL.
     *   You want to make sure there is time for manual steps to happen.  Maximum TTL has the advantage that it gets at a security consideration – a way at getting at registrars who are not providing a basic level of security service.
b5) Should the ability for registrants to request AuthInfo Codes in bulk be streamlined and codified? If so, should additional security measures be considered?

     *   [For the Working Group to confirm: This question will be addressed when bulk transfers are discussed more generally in Phase 2.
ACTION ITEM: WG members to provide their input as suggestions in the AuthInfo Code Candidate Recommendations at: AuthInfo Codes working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$>.

4. Deliberations on Additional Security Measures (15 minutes, time permitting) – see: Additional Security Measures working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$>

ACTION ITEM: WG members to review and comment on the Additional Security Measures working document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$> in preparation for the discussion during the next WG meeting on 19 October.

This is the related charter question: “a6) Survey respondents noted that mandatory domain name locking is an additional security enhancement to prevent domain name hijacking and improper domain name transfers. The Transfer Policy does not currently require mandatory domain name locking; it allows a registrar to NACK an inter-registrar transfer if the inter-registrar transfer was requested within 60 days of the domain name’s creation date as shown in the registry RDDS record for the domain name or if the domain name is within 60 days after being transferred. Is mandatory domain name locking an additional requirement the Working Group believes should be added to the Transfer Policy?”

5.   AOB (5 minutes)

  *   Next meeting: 19 October 2021 @ 16.00 UTC

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-tpr/attachments/20211012/7e155e14/attachment-0001.html>