[GNSO-TPR] Input Due 30 November: Draft Revisions to Recommendations 2-9
zak at muscovitch.com
Tue Nov 29 18:31:54 UTC 2022
Many thanks, Sarah for preparing the below revised straw-man proposal.
I have a couple questions in order to gain a better understanding and to explore the issues presented:
1. In the proposed Step 3, it states:
When the RNH receives the TAC, they provide it to the gaining Rr and the transfer is completed
The proposal appears to envision a RNH providing the TAC directly to the gaining registrar, rather than providing it to the gaining registrant. Is this what you had intended? And if so, that would seem to provide a possible solution to the concern I express in latter portion of my second question, below.
1. Under the status quo, I understand that a registrant would have the ability to see which registrar has made the transfer request via the Losing FOA, whereas under the proposed Straw Man, a registrant would not be able to see this and therefore, after providing the TAC to the gaining registrant (i.e. the transferee), the TAC could in theory somehow be stolen by a third party and used at an unintended and foreign registrar (though I recognize that this would generally be a very rare instance and would likely involve greater security issues than we are trying to address via the Transfer Policy Itself).
If this is the case, then my question is, ‘what benefit does the new proposed TAC request / refusal approach have over the current approach, if the proposed new approach introduces a possible (even if generally unlikely) vulnerability into the process (as referenced above)?’
What I am trying to better understand here, is although the new proposal rather elegantly provides the crucial ability of a registrant to stop a transfer (at the TAC stage, instead of at the transfer stage, per se), it may not be so much of an incremental improvement overall, that it justifies even an arguably minimal risk of an TAC being deployed by an unauthorized third party at an unintended registrar with no notice to the registrant.
The previous and current approach which employs the FOA, does not have this issue, so I am thinking there should be a very clear benefit to abandoning the FOA in favor of this approach, and I am genuinely uncertain what it is.
That being said, if as per my remarks above at #1, there is a procedure envisioned for the registrant (transferor) directly inputting the TAC into the losing registrar, then that could possibly route around this potential issue, since the registrant would maintain constant control of the TAC and would be able to deploy it at the intended registrar. Of course, there would need to be a system available at the gaining registrar for enabling a non-account holder to input the TAC for the benefit of the gaining registrar’s account holder, and this would involve a correlation between the TAC and for example, the prospective new registrant’s recorded email address.
Muscovitch Law P.C.
1-866-654-7129 (Toll Free)
Zak at Muscovitch.com<mailto:Zak at Muscovitch.com>
From: GNSO-TPR <gnso-tpr-bounces at icann.org> On Behalf Of James Galvin
Sent: Tuesday, November 29, 2022 11:10 AM
To: Sarah Wyld <swyld at tucows.com>
Cc: gnso-tpr at icann.org
Subject: Re: [GNSO-TPR] Input Due 30 November: Draft Revisions to Recommendations 2-9
One clarification I would add is that in Step 1, where you say the RNH unlocks the domain, this means removing all registrar locks. It does not include removing registry locks, since they may be associated with Registry Lock Services and those are explicitly out of scope for this PDP.
A registry has a responsibility to resolve its registry locks at some time beginning with the receipt of a valid TAC and ending upon the actual transfer of the domain.
On 22 Nov 2022, at 13:48, Sarah Wyld wrote:
I’ve reviewed our draft updated recommendations and the strawman for Rec 2<https://docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit>. Left some minor changes in the redline doc<https://docs.google.com/document/d/1d7KwQH6poIxrafFYc5_1e1jQiiCA4WHqdNuRrx2IfWY/edit>.
I want to provide more context specifically around the suggestion for an alternative to the Losing FOA, we can call it the “TAC ACK” process. Prior to our public comment review, the WG seemed aligned on the decision to drop the Losing FOA; we must certainly address all the concerns raised in the public comments, and I think we can do that while also maintaining our goal of streamlining the transfer process by further exploring the TAC ACK option.
What the process would look like:
1. RNH unlocks domain and requests TAC from the Registrar of Record (Losing Rr)
2. Losing Rr sends a TAC ACK email to the RNH saying “Someone requested a TAC; if this wasn’t you, click <NACKlink>. If it was you, you can either do nothing and we’ll provide you the TAC in 5 days or you can click <ACKlink> and we’ll give you the TAC right now”
* If RNH clicks <NACKlink>, the TAC is never set at the Ry, and other things might happen (e.g. account password reset, etc)
* If RNH clicks <ACKlink>, the Losing Rr provisions the TAC at the Ry and issues it to the RNH (Rec 3 Notification of TAC Issuance)
* If no response, Losing Rr waits 5 days and then provisions the TAC at the Ry and issues it to the RNH (Rec 3 Notification of TAC Issuance)
1. When the RNH receives the TAC, they provide it to the gaining Rr and the transfer is completed (Rec 4 “Notification of Transfer Completion” etc)
Why this is beneficial:
* Registrant agency: the Registrant has the option to cancel the transfer right away, following the same process as with the current Losing FOA (which has the option to NACK, and which auto-ACKs after a 5 day pending period)
* Just-in-time notifications: The TAC ACK process occurs right when the RNH is preparing for the transfer, rather than at some point later on after they’ve initiated it with the gaining Rr and moved on/stopped thinking about it
* Simplicity: Registrants consistently request fewer emails overall and fewer steps specifically in the transfer process, and have requested an ‘instant transfer’ process for years
Risks & mitigations:
* Risk: There would be no notification/’stop the transfer’ moment after the transfer is initiated with the gaining registrar; Mitigation: (a) there is a notification/stop moment at the time of TAC request, and (b) the fast-undo process we are committed to creating in the next phase of this WG would specifically address these issues and could certainly include reverting DNS if it was changed
* Risk: Level of development effort does not balance benefit; Mitigation: The level of effort will differ for different providers, and we shouldn‘t reject ideas just because they take work, especially since we’re already making changes to the transfer process as a whole. Now is exactly the time to do this!
The working group hasn’t reached consensus on eliminating the Losing FOA, but we also haven’t reached consensus on keeping it. I still believe that this “TAC ACK” proposal would address the entirely valid concerns about security and registrant agency, while also providing noticeable improvement for registrants who have repeatedly and for quite some time requested a faster transfer process. I hope we can discuss this proposal alongside the Losing FOA strawman.
Sarah Wyld, CIPP/E
Policy & Privacy Manager
swyld at tucows.com<mailto:swyld at tucows.com>
From: Emily Barabas<mailto:emily.barabas at icann.org>
Sent: November 16, 2022 12:18 PM
To: gnso-tpr at icann.org<mailto:gnso-tpr at icann.org>
Subject: [GNSO-TPR] Input Due 30 November: Draft Revisions toRecommendations 2-9
Dear working group members,
As discussed on yesterday’s call, staff had an action item to provide a redline revision of the Initial Report reflecting agreed updates to Recommendations 3-9 (see pages 18-24), as well as a strawman draft of the new Recommendation 2 and response to Charter Question A7. The redline is attached. The Recommendation 2 strawman is available here<https://docs.google.com/document/d/1e8iG6FmRD0M5VlMUrmIedPw3burqfxLXQrkubxDJ3oQ/edit>.
Please carefully review these documents in coordination with the groups you represent. If you feel that there are items that need to be revised, please enter them here<https://docs.google.com/document/d/1d7KwQH6poIxrafFYc5_1e1jQiiCA4WHqdNuRrx2IfWY/edit>. For each item, please include:
* Report version (the date listed in the header of the document) and applicable line numbers ( these are listed along the left margin of the document).
* Name and group you represent: If multiple WG members represent a group, input should be in coordination with these other members.
* Rationale: please provide a clear explanation for why you are proposing the revision.
* Specific proposed revision: Provide the language you would like to see added/removed/edited.
The deadline for submitting input is 30 November 2022. After the deadline, the working group will discuss the items submitted in the input document. Following review of those items, the text will be considered stable.
Please do not hesitate to reach out with any questions about the review process.
Caitlin, Julie, Berry, and Emily
Policy Development Support Senior Manager
Internet Corporation for Assigned Names and Numbers (ICANN)
Phone: +31 (0)6 84507976
GNSO-TPR mailing list
GNSO-TPR at icann.org<mailto:GNSO-TPR at icann.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the GNSO-TPR