[GNSO-TPR] Input on the break through proposal

Theo Geurts transferpdp at dcx.nl
Sun Sep 18 10:05:15 UTC 2022


Hello, 

Some high-level observations on the breakthrough proposal. 

Step 1: go to gaining registrar.
This excludes resellers, making it a highly complex process as resellers use different registrars for different TLDs for various reasons. Coding this into systems will be difficult, if not impossible.

Also, registrants know who their reseller or hosting company is. They usually have no idea who the underlying registrar is. This issue is usually related to the wholesale registrar industry.  

Generating the PTID. 
The suggested method is to log in to the registrar's account and generate the PTID on the website. 
While logical, wholesale registrars have zero control/interaction with registrant accounts at a reseller level.

The proposal does not cover the complexity of sub sub resellers. 

If the PTID is compromised, it is still possible for an attacker to set up an account at the registrar and continue the transfer to that registrar and move the domain name to another registrar when the lock period expires. 

Regarding the proposal for making the losing FOA visible by using consent from the data subject, consent is a very shaky legal option. 
Plus, I have a hard time imagining how this system would work, without creating all kinds of new risks and possible data breaches by people who did not understand what the consequences could be. 

Again, everything in an ICANN policy is public, and attackers will modify or create new TTPs to get around the barriers/security requirements mentioned in the policy.

And we have not considered all the operational and security effects of the proposals. 

Best. 
Theo 