<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:40911884;
mso-list-template-ids:-1749495364;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:300037658;
mso-list-template-ids:1646937244;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:712769670;
mso-list-template-ids:1860232940;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3
{mso-list-id:895432468;
mso-list-template-ids:2129056490;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l4
{mso-list-id:912088477;
mso-list-template-ids:1272210380;}
@list l4:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l4:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:1286277780;
mso-list-template-ids:661429690;}
@list l5:level1
{mso-level-start-at:4;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l5:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6
{mso-list-id:1346637779;
mso-list-template-ids:-1022218088;}
@list l6:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level2
{mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l6:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l7
{mso-list-id:1436827888;
mso-list-template-ids:-139947670;}
@list l7:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l7:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l8
{mso-list-id:1810046863;
mso-list-template-ids:-905817680;}
@list l8:level1
{mso-level-start-at:5;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l8:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:black">Dear TPR WG Members,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">Please find below the notes and action items from today’s call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">The next TPR WG meeting will be Tuesday, 1</span>9<span style="color:black"> October at 16:00 UTC.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><br>
Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">Emily, Julie, Berry, and Caitlin </span><o:p></o:p></p>
<p class="MsoNormal"><b><u><span style="color:black"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="color:black">Action Items<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="color:black"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal">1. WG members should review the Gaining and Losing GOA working documents – including candidate recommendations for the Losing FOA and suggested changes to the Gaining FOA policy. See:
<span class="apple-converted-space"><span style="color:black"> </span></span><a href="https://docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit?usp=sharing">Gaining FOA working document</a> and
<a href="https://docs.google.com/document/d/1wCUMe9ii6g05kUZ558IuUvJaS6K2t0GZJYvlfOy-raY/edit?usp=sharing">
Losing FOA working document</a>. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2. Charter Question b3 -- Staff to incorporate a recommendation to retain this policy with change from days to hours.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3. AuthInfo Code Candidate Recommendations: WG members to provide their input as suggestions in the AuthInfo Code Candidate Recommendations at:
<a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$">
AuthInfo Codes working document [docs.google.com]</a>.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4. WG members to review and comment on the <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$">
Additional Security Measures working document [docs.google.com]</a> in preparation for the discussion during the next WG meeting on
<b>19 October.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="color:black">Transfer Policy Review Phase 1 - Meeting #2</span>1</b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:6.0pt;line-height:18.0pt"><b><span style="color:black">Tuesday </span>12
<span style="color:black">October 2021 at 16:00 UTC<o:p></o:p></span></b></p>
<p class="MsoNormal" style="margin-bottom:6.0pt;line-height:18.0pt">1. <span style="color:black">
Roll Call & SOI Updates (5 minutes) <o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in;text-indent:-.25in;line-height:18.0pt;mso-list:l6 level2 lfo1">
<![if !supportLists]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><span style="mso-list:Ignore">-<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Jim Galvin will soon be occupying a new role: I have been selected to be SSAC’s liaison to the ICANN Board of Directors, a role that I will assume at the AGM. It
won’t change my role on the WG as I will continue to represent the Registry Stakeholder Group. See:
<span style="color:black"><o:p></o:p></span></span></p>
<p class="MsoNormal">2. Welcome & Chair updates (5 minutes)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The WG will meet at ICANN72 on Tuesday, 26 October at 10:30 local time.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Roger will provide an update on the WG’s work during the Policy Update webinar today, 12 October, at 20:00 UTC.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Look at the Gaining and Losing FOA working documents: Staff have added candidate recommendations.</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><b>ACTION ITEM: WG members should review the Gaining and Losing GOA working documents – including candidate recommendations for the Losing FOA and suggested changes to the Gaining FOA policy. See:
<span class="apple-converted-space"><span style="color:black"> </span></span><a href="https://docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit?usp=sharing">Gaining FOA working document</a> and
<a href="https://docs.google.com/document/d/1wCUMe9ii6g05kUZ558IuUvJaS6K2t0GZJYvlfOy-raY/edit?usp=sharing">
Losing FOA working document</a>. <o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">3. Review of draft responses to charter questions and candidate recommendations for AuthInfo Codes – see end of document beginning on page 16 (60 minutes) at:
<a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$">
AuthInfo Codes working document [docs.google.com]</a><o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal"><u>Discussion</u>:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Charter Question b1) Is AuthInfo Code still a secure method for inter-registrar transfers? What evidence was used by the Working Group to make this determination?<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Candidate Recommendation 2</u>: The Working Group recommends that the Transfer Authorization Code be defined as follows: “A Transfer Authorization Code (TAC) is a code created by a Registrar of Record to validate that a request to transfer
a domain name in a generic top-level domain (gTLD) is submitted by the authorized person, which may be the RNH or another appropriate party. The individual demonstrates that they are the authorized person by providing the TAC. A TAC is
<s>required for a Registered Name Holder to transfer a domain name</s> to be transferred from one Registrar to another.”<o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Compliance concerns -- The term “authorized person” does not explicitly refer to the Registered Name Holder. Recommend replacing
“authorized person” with “Registered Name Holder” to avoid ambiguity and arguments due to various interpretations. Concerns about the implementation of this and how it would add to security measures. Make more specific – unless we are having a positive response
to the TAC, to make it more secure.<o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><u>Candidate Recommendation 6</u>: [The Working Group recommends that the Registry notifies the Registrar of Record
<s>[and registrant] receive a notification</s> after [number] failed attempts to enter the TAC. The Registrar of Record may subsequently also provide a notification to the registrant that these failed attempts have taken place. ICANN Org may change from time
to time the number of failed attempts that trigger a notification.] OR [The Working Group recommends that after [number] failed attempts to enter the TAC, it is not possible to attempt a transfer for [period of time]. ICANN Org may change from time to time
the number of failed attempts that trigger this result.]. <o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Trying to understand what we are trying to achieve with Recommendation 6. Beyond the syntax what other check is going on
here? There shouldn’t be any other reason for a TAC to fail. Answer: The goal should be that the correct syntax should be known to anyone. Trying to prevent a brute force attack. The syntax being right and it matching are two different things. This is
when the syntax is right but it doesn’t match. The goal is to notify the registrar or record so it could notify the registrar. Question: So what Recommendation 6 refers to is the Gaining registrar. Want to acknowledge that Registries would need to talk
to our team about a recommendation that the registrar can’t make transfers if they get it wrong. We’d then have to provide a process for undoing the lockdown. Answer: I don’t think we are looking for a lockdown, we are looking for a notification that someone
has tried this X number of times. Question: Registries will have to discuss because this is a new notification. How would you like that notification sent? Need to specify that process. This would have to be automated, perhaps through a poll message.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Has anyone encountered this? Do we have any data on brute force attack of the AuthInfo Code? Answer: Don’t know of any.
This came from the recommendation that the transfer is immediate – this would be the last line of defense. Not just a brute force but perhaps also a systemic problem.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Many of these candidate recommendations came out of brainstorming of the small group. One of the questions was what are the methods
to reduce brute force attacks.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Note that this are candidate recommendations – not even drafts. These are points that were pulled out of discussions on the charter
questions.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Any additional protection is positive.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">In the case of recommendation 6, this was framed as if there were no other restrictions, i.e. an immediate transfer, to provide protection
against brute forcing. Wouldn’t apply if there was a NACK for example.</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><b>Charter Question b2) The registrar is currently the authoritative holder of the AuthInfo Code. Should this be maintained, or should the registry be the authoritative AuthInfo Code holder? Why?<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Candidate Recommendation 7</u>: The Working Group recommends that the registrar continue to own and generate the TAC. The Working Group further recommends that the TAC is only generated by the Registrar of Record upon request by the
registrant. When the registrar provides the TAC to the registrant it should also provide information about when the TAC will expire.<o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: This could relate to bulk transfers. Are we addressing those? Answer: Yes. As a bulk operation that may not work, but let’s
focus on individual transfers. We may have to clarify for bulk transfers.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">For all of these recommendations the plan is just to get something on paper, but there will be further opportunities to revise them.
We are trying to see where there is agreement and where more discussion is needed.</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><u>Candidate Recommendation 8</u>: The Working Group recommends that when the registry receives the TAC, the registry must securely store the TAC using a one-way hash that protects the TAC from disclosure
<s>by using a secure password-hashing function (for example, bcrypt).</s><o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Rather than being specific. WG members should suggest language.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: This seems to be a pretty prescriptive requirement to put on a registry. Is this really what we want?</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><u>Candidate Recommendation 9</u>: The Working Group confirms the following provision of Appendix G: Supplemental Procedures to the Transfer Policy contained in the Temporary Specification for gTLD Registration Data: “4. Registry Operator
MUST verify that the "AuthInfo" code provided by the Gaining Registrar is valid in order to accept an inter-registrar transfer request.”
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Does this mean there's a mechanism to validate the TAC other than the transfer?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">There are two kinds of validation. There registry never actually knows what the TAC is in clear text. If an incumbent registrar is
concerned that the TAC is not correct it just creates a new one and stores it. It is in plain text until the registry has it, but inside an encrypted tunnel.</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><b>Charter Question b3) The Transfer Policy currently requires registrars to provide the AuthInfo Code to the registrant within five [calendar] days of a request. Is this an appropriate SLA for the registrar’s provision of the AuthInfo
Code, or does it need to be updated? <o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">No candidate recommendations on this.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">WG could decide to have a recommendation that there are no changes to this policy.</span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Could say number of hours rather than number of days.</span><span style="font-size:11.0pt"><o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><b>ACTION ITEM: Staff to incorporate a recommendation to retain this policy with change from days to hours.<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><b>Charter Question b4) The Transfer Policy does not currently require a standard Time to Live (TTL) for the AuthInfo Code. Should there be a standard Time To Live (TTL) for the AuthInfo Code? In other words, should the AuthInfo Code expire
after a certain amount of time (hours, calendar days, <o:p></o:p></b></p>
<p class="MsoNormal"><b>etc.)?<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><u>Candidate Recommendation 10</u>: The Working Group recommends that the Transfer Policy include a standard maximum Time To Live (TTL) for the TAC of [14 days].<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Candidate Recommendation 11</u>: The Working Group recommends that the Transfer Policy include a standard minimum Time To Live (TTL) for the TAC of [period].<o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">This was more for registrars than registries – enforced by the registry. The idea was that there was a minimum.</span><b><span style="font-size:11.0pt"><o:p></o:p></span></b></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Important that we have a way to cancel the TTL. If the sponsoring registrar sees a problem they can change the TAC.</span><b><span style="font-size:11.0pt"><o:p></o:p></span></b></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Need to take a question back to registries – not certain that having registries enforce the TTL is the right model. What are we trying
to achieve by having the registry enforce the TTL. Don’t we want to say that the TAC can only be used once – single use. Like more discussion on this.</span><b><span style="font-size:11.0pt"><o:p></o:p></span></b></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Should definitely get a recommendation around one-time use TAC.</span><b><span style="font-size:11.0pt"><o:p></o:p></span></b></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The best technical solution to make sure that there aren’t registrar errors would be at least the registry verifies that the TAC is
not older than 14 days – they are verifying the TTL.</span><b><span style="font-size:11.0pt"><o:p></o:p></span></b></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Do we have some statistics from ccTLDs depending only on TAC re TTL?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Good to at least have a minimum.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">What does it mean if the registry is involved in this process? Suggest that the minimum level doesn’t seem to provide protection against
a registrar being a bad actor, and could cause more issues.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Minimum causes more problems than it solves.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">If you are going to have SLAs then you have to promise the registrant X amount of time to do the transfer. Could have a minimum enforced
TTL on the registrar (by ICANN Compliance) not enforced by the registry.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Clearer language makes it easier for Compliance to enforce it.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">This would be solved if we had a standard TTL, rather than a minimum (or maximum) TTL. Just say 14 days.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Unless people want to argue for a minimum we seem to agree to drop Candidate Recommendation 11.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">If we say in a policy that it has to be 14 days then blanking/nulling it would go against that policy.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The registrar should be able to null or reset a TAC even during the TTL period.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The only real benefit of a minimum is it gives you a reactive mechanism for getting at bad actors.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Seems to be agreement for a standard for 14 days, rather than maximum or minimum and for the registrar to be able to nullify the TAC
during the TTL.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">You want to make sure there is time for manual steps to happen. Maximum TTL has the advantage that it gets at a security consideration
– a way at getting at registrars who are not providing a basic level of security service.<o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal">b5) Should the ability for registrants to request AuthInfo Codes in bulk be streamlined and codified? If so, should additional security measures be considered?<o:p></o:p></p>
<ol start="1" type="1">
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l6 level2 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">[For the Working Group to confirm: This question will be addressed when bulk transfers are discussed more generally in Phase 2.<o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><b>ACTION ITEM: WG members to provide their input as suggestions in the AuthInfo Code Candidate Recommendations at:
<a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit?usp=sharing__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTX-VD_Hw$">
AuthInfo Codes working document [docs.google.com]</a>.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">4. Deliberations on Additional Security Measures (15 minutes, time permitting) – see:
<a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$">
Additional Security Measures working document [docs.google.com]</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>ACTION ITEM: WG members to review and comment on the <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1q7xaJuxi50Q6TDD26H92P6wOfZ8luap1wdWOtIgkv7o/edit__;!!PtGJab4!vY_OmmhjTxQqMUCVI2zFFBvhR9gduKpGVubmedPrqRHZYuiwP9rYZ8nUGRXfZU6NGzTbqTrOOA$">
Additional Security Measures working document [docs.google.com]</a> in preparation for the discussion during the next WG meeting on 19 October.<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal">This is the related charter question: “a6) Survey respondents noted that mandatory domain name locking is an additional security enhancement to prevent domain name hijacking and improper domain name transfers. The Transfer Policy does not
currently require mandatory domain name locking; it allows a registrar to NACK an inter-registrar transfer if the inter-registrar transfer was requested within 60 days of the domain name’s creation date as shown in the registry RDDS record for the domain name
or if the domain name is within 60 days after being transferred. Is mandatory domain name locking an additional requirement the Working Group believes should be added to the Transfer Policy?”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">5. AOB (5 minutes)<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l3 level1 lfo9">Next meeting: 19 October 2021 @ 16.00 UTC<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>