[GNSO-TPR] Notes and action items - TPR WG Meeting #30 - 04 Jan 2022
Julie Hedlund
julie.hedlund at icann.org
Tue Jan 4 17:33:18 UTC 2022
Dear TPR WG Members,
Please find below the notes and action items from today’s call.
The next TPR WG meeting will be on Tuesday, 11 January 2022 at 16:00 UTC.
Best regards,
Emily, Julie, Berry, and Caitlin
Action Items -- See: TAC Working Document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qzlgP--eqWdxnOP5QSpfkcaOjgtvpRyP7sSNb5qupcEIHdFw6NecZmMzYGPlE_PwIm4Yt8JDtQ$>
Recommendation 3:
ACTION ITEM: WG to suggest/comment on the current language and suggest changes if any. Beth Bacon volunteered also to consult with the RySG. WG members to review the RFC at: https://datatracker.ietf.org/doc/rfc9154/ Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer.
Recommendation 5:
ACTION ITEM: WG members to review the recommendation and ask whether it helps to answer any of the charter questions or address a security issue.
Recommendations 6 and 7:
ACTION ITEM: WG members to provide suggestions for requirements for the one-way hash and Beth Bacon to use that information to consult with the RySG. WG members to review and comment on the suggested new wording combining recommendations 6 and 7.
Recommendation 9:
ACTION ITEM: Revise the recommendation to say that “The Working Group recommends that the TAC [MUST be used no more than once per domain name].” New text in brackets.
Recommendation 11:
ACTION ITEM: WG members to review 11.2 and consider whether to comment or suggest changes, and revisit at the next meeting.
Transfer Policy Review Phase 1 - Meeting #30
Tuesday 04 January 2022 at 16:00 UTC
1. Roll Call & SOI Updates:
* Kristian Ormen: Updating SOI to reflect changing jobs to ccNSO from the Registrar Stakeholder Group. Not sure when his replacement will join the TPR PDP WG
2. Welcome & Chair updates (5 minutes): No updates provided.
3. Second reading: TAC and FOA (45 minutes)
TAC Working Document [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qzlgP--eqWdxnOP5QSpfkcaOjgtvpRyP7sSNb5qupcEIHdFw6NecZmMzYGPlE_PwIm4Yt8JDtQ$> (beginning on p. 15)
Recommendation 3:
* Still looking for suggestions for revised language.
* Should we be looking for a standard? Problem when all of the TLDs switch to backends. Then have to update to new requirements set by the registry. Any TLD can set any requirement if there is no standard. Better if there is a standard for all TLDs.
* Could at least set bounds – but need to get wording that is consistent across all TLDs but allows flexibility. Don’t need to get more specific, or maybe the IRT can work out the details.
* Re: wording about ICANN changing the requirements and concerns if the requirement is a policy, then there needs to be a policy making process, or at least involving the contracted parties.
* Would like to go back to the registries to see if there is a technical reason to allow some flexibility. Beth Bacon volunteered to take this question back to the RySG.
* Challenge to find some balance – a consensus policy recommendation can only be changed through a PDP. Not sure that was the intent for a purely technical requirement. Should be more prescriptive to make it easier for the IRT, but also to word it so that ICANN can make the changes.
* Not sure we need “from time to time”. Reads more smoothy without it. Action is to delete it. (DONE)
* Add “in collaboration with the Registrar and Registry Stakeholder Groups” for both mentions of ICANN Org. But might be helpful to better understand what “collaboration” means in this context and include then in the recommendation. The community would in any case be involved in setting the standards through the IRT. Would there be an IRT to update the standard too?
* Would it not be better for changes to the standards happen via the IETF? Need to take a look at the RFCs relating to the TAC. Don’t know if any standards on the TAC at this time. Not sure the IETF is the best place. This there is a secure AuthInfo Code standard already out there. Need to check.
* See the draft RFC at: https://datatracker.ietf.org/doc/rfc9154/ Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer – Seems to have a lot of what we are discussing. Maybe the contracted parties should review it.
Recommendation 3:
ACTION ITEM: WG to suggest/comment on the current language and suggest changes if any. Beth Bacon volunteered also to consult with the RySG. WG members to review the RFC at: https://datatracker.ietf.org/doc/rfc9154/ Extensible Provisioning Protocol (EPP) Secure Authorization Information for Transfer.
Recommendation 5:
* These notifications need to be subject to standard EPP poll messages.
* In general, don’t see how the notification is of any value. Think the recommendation in 5.2 will be exploited. Would be better if the registry also informs ICANN compliance.
* Looking at 5.1 the notification sounds good on paper – any attacker could easily figure out how to stymie the notifications via DDoS.
* Maybe need to make the investigation requirement more clear in 5.2.
* Step back and look at the purpose of these requirements – operational goals. Think about if we were to remove this recommendation, would there be a gap in the goals of this PDP and the transfer policy? Consider whether this needs to stay in.
* This seems to be more of an operational/user experience concept. Does it help answer the charter question? Does it address something that nothing else is resolving?
Recommendation 5:
ACTION ITEM: WG members to review the recommendation and ask whether it helps to answer any of the charter questions or address a security issue.
[Additional Candidate Recommendation xx: If a Gaining Registrar requests a transfer and an inter-registrar transfer lock is in place, the transfer must not proceed.]
* Question: Is this a requirement, or just a statement? Answer: The discussion around this was that when this occurs there could be different locks for different reasons and it’s up to the registrar of record (losing registrar) to resolve those issues.
* There is an educational purpose – for the registrants to understand the different types of locks.
* Is this useful – does it serve a purpose?
* Is this overly broad? Could be used to block transfers.
* This might be another case when we take a step back and ask what we are trying to achieve with a recommendation on this item.
* Seems that we should park this one and see if we address it in another way.
* We will come back to this on the 60-day lock discussion.
Recommendations 6 and 7:
* Discussion with leadership about whether to condense 6 and 7 in a logical manner. See revised suggested combination text.
* Question: We set requirements around the TAC, but not on the one-way hash? Answer: That is true. Don’t know if we need to do so.
* Maybe need to set some minimum level for the hash.
* Could Beth Bacon go back to the registries to see if they have any comment on whether we need to set parameters for the hash.
* If there are standards for the one-way hash it would be helpful if they could be included in the document. If Kristian or Theo could provide it.
* 6.2 appears to be addressed by RFC9154.
ACTION ITEM: WG members to provide suggestions for requirements for the one-way hash and Beth Bacon to use that information to consult with the RySG. WG members to review and comment on the suggested new wording combining recommendations 6 and 7.
Recommendation 8:
* Make sure the language is consistent with current ICANN policy, without referring to specifics. Do we need to point to the Temp Spec? Not sure if this recommendation is necessary.
Recommendation 9:
* Why do we have “may” instead of “MUST”? Change to “MUST” to be consistent with the rest of the recommendation?
* Trying to say that you don’t want the same TAC for multiple domain names.
* Could say “MUST be used no more than once”.
* Could be problematic if the TAC is already used. Could cause operational issues. Don’t think it means the uniqueness, but per that domain – one time use only.
* Maybe add “per domain name transfer”? Look at language we used elsewhere.
* Prefer a requirement that the TAC needs to be randomly generated – think that goes back to recommendation 3 and the syntax of the TAC as well as the RFC. But perhaps that isn’t enough?
* Seems we are saying that the registrar of record generates the TAC – check to make sure that is clear and also with reference to the uniqueness.
* Definition of designated representative would be helpful. Some registrars or resellers may add provisions in the registration agreement forcing the RNH to agree that the account holder or the reseller may be a designated representative. Bearing in mind the fact that many registrants do not carefully read the registration agreements/Terms of Service before signing, this may lead to more unauthorized transfer complaints.
ACTION ITEM: Revise the recommendation to say that “The Working Group recommends that the TAC [MUST be used no more than once per domain name].” New text in brackets.
Recommendation 11:
* Staff have suggested alternative language and added a footnote.
* Drop “retain the ability”? Sounds like they MAY set the tac to null in those cases, rather than MAY be able to do so.
* Think what we were trying to do was to allow a registrar and registrant to agree on automatic nulling.
* RFC 9154 has information about TTL – that there is no current definition; flexibility on proprietary registrar criteria.
* We used 120 hours for sending the TAC to the RNH, should we convert this to hours? Sound like 14 days is agreeable.
Recommendation 11:
ACTION ITEM: WG members to review 11.2 and consider whether to comment or suggest changes, and revisit at the next meeting.
4. AOB (5 minutes): Next call: Tuesday 11 January 2021 at 16:00 UTC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mm.icann.org/pipermail/gnso-tpr/attachments/20220104/398f5855/attachment-0001.html>
More information about the GNSO-TPR
mailing list