<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:439380639;
mso-list-type:hybrid;
mso-list-template-ids:-2146798198 -537501306 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-start-at:5;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:1275862363;
mso-list-template-ids:-424241878;}
@list l1:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:1825468864;
mso-list-template-ids:737071194;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:black">Dear TPR WG Members,</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">Please find below the notes and action items from today’s call.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">The next TPR WG meeting will be</span> on<span style="color:black">
<b>Tuesday, </b></span><b>14 December <span style="color:black">at </span>16:00<span style="color:black"> UTC</span></b><span style="color:black">.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><br>
Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:black">Emily, Julie, Berry, and Caitlin </span><o:p></o:p></p>
<p class="MsoNormal"><b><u><span style="color:black"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="color:black">Action Items<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><o:p><span style="text-decoration:none"> </span></o:p></u></b></p>
<p class="MsoNormal">Revisit TAC recommendations (60 minutes) – see: <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-0kY6Pdyw$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-0kY6Pdyw$">
TAC Working Document [docs.google.com]</a> (beginning on p. 15)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Recommendation 1:<b> </b><b>Revise text to (new text in brackets): “The Working Group recommends that the Transfer Policy and all related policies use the term “Transfer Authorization Code (TAC)” in place of the currently-used term “AuthInfo
Code”[ and related terms].”<o:p></o:p></b></p>
<p class="MsoNormal">Recommendation 2:<b> </b><b>Revise the wording (new text in brackets) to ““A Transfer Authorization Code (TAC) is a token created by the Registrar of Record and provided upon request to the registrant or [their designated representative.]
Change “registrant” to “Registered Name Holder” throughout.<o:p></o:p></b></p>
<p class="MsoNormal">Recommendation 3:<b> WG members to suggest alternate/revised language.<o:p></o:p></b></p>
<p class="MsoNormal">Recommendation 4:<b> </b><b>Change “created” to “stored”.<o:p></o:p></b></p>
<p class="MsoNormal"><b>Recommendation 5: </b><b>WG to review revised text as suggested: “The Working Group recommends that the Registry notify the Registrar of Record after the Gaining Registrar has made [3-5] failed attempts to present a valid TAC to the
Registry for a domain name, and for each successive failed attempt as long as a TAC is present. The Registrar of Record must notify the registrant that the failed attempts have taken place, and may take additional action, for example resetting the TAC.”<o:p></o:p></b></p>
<p class="MsoNormal">Recommendations 6-11:<b> WG to review and comment.<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal"><b><span style="color:black">Transfer Policy Review Phase 1 - Meeting #2</span>7</b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:6.0pt;line-height:18.0pt"><b><span style="color:black">Tuesday </span>07 December<span style="color:black"> 2021 at
</span>16:00<span style="color:black"> UTC<o:p></o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">1. Roll Call & SOI Updates<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">No updates provided.<o:p></o:p></span></li></ul>
<p class="MsoNormal">2. Welcome & Chair updates (5 minutes)<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Owen Smigelski: Questions about registrar type in the survey. Provided responses grouped by type and size. See attached. There are
several types and we had responses to the survey from several different types and sizes. Could not correlate between type and size. Did seems to be more support for having locks than not, but could not correlate that response by type or size.<o:p></o:p></span></li></ul>
<p class="MsoNormal">3. Rationale for elimination of the Gaining FOA (15 minutes) – see:
<a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-2LzxYsMw$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1QOCzbLh7w4hdijpAsg6_lybddr0nlsFDcWjdz5e21Qo/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-2LzxYsMw$">
Gaining FOA Working Document [docs.google.com]</a> (beginning on p. 16)<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Have not seen comments on the final revisions. We will read it out to see if there are more comments. We will come back to it so we
aren’t done yet.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">In October the WG agreed that we would draft a summary of the discussion on the elimination of the Gaining FOA.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We provided some of the background for context.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><u>Discussion</u>: <o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Why do we say this? “The Working Group believes that the notifications detailed in recommendations [xxx-xxx] ensure that the
Registered Name Holder receives the necessary information when a key change has been made to their account.” This is no longer true based on current discussion. Answer: We have updated the text to reflect the recent discussion in the Losing FOA document
and we’ll update the language here to be consistent.</span><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li></ul>
<p class="MsoNormal">4. Revisit TAC recommendations (60 minutes) – see: <a href="https://urldefense.com/v3/__https:/docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-0kY6Pdyw$" title="https://urldefense.com/v3/__https://docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit__;!!PtGJab4!qGrkxyZFmDorN7nN4vBzKNwg8Z_hVP0Ut9t-YjAP9D2_1DYFNvDSle6gfxmuPrkes-0kY6Pdyw$">
TAC Working Document [docs.google.com]</a> (beginning on p. 15)<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">We updated this to no longer be candidate recommendations since we’ve reviewed it several times – now these are draft recommendations.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Not every charter question ended up with a recommendation.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b>Charter Question b1) Is AuthInfo Code still a secure method for inter-registrar transfers? What evidence was used by the Working Group to make this determination?<o:p></o:p></b></p>
<p class="MsoNormal"><b>Recommendations 1-5:<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Recommendation 1</u>:<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:10.5pt;font-family:"Calibri",sans-serif">Big change was to eliminate the confusion over terminology.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">As an editorial comment – in place of the currently used term also add “and related terms” to be more inclusive. Don’t want to lose
the opportunity to cover everything appropriate.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: Revise text to (new text in brackets): “The Working Group recommends that the Transfer Policy and all related policies use the term “Transfer Authorization Code (TAC)” in place of the currently-used term “AuthInfo Code”[
and related terms].”<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><u>Recommendation 2</u>:<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Are we consistent in terminology throughout when referencing the registrant? Should we be using Registered Name Holder?</span><span style="font-family:"Calibri",sans-serif"><o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Registrant and admin are the only ones authorized.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Registrant is not necessarily the account holder. Good to show the ultimate decision maker as the registrant.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Suggest change to “registrant or [their] designated representative” – new text in brackets. Need to be mindful of how this policy will
work with the transfer dispute policy.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Some registrars use a designated agent for a transfer, so “designated representative” is still accurate.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The Definition should not exclude other security mechanisms.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Avoid using the administrative contact language since that is going away.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: To be precise, the admin contact in RDDS is going away, but is it conceivable that via the account panel that the RNH will
assign a non-RDDS admin contact? How does a RNH go about designating that person? Answer: Could be that their provider that allows a log in for the account that provides access to certain things – they could give that info to a representative, but we shouldn’t
get too specific here.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The sole Point is to reach the registrant, so we do not need to define the various opportunities. So, “send to the registrant” is sufficient.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Change “registrant” to Registered Name Holder” throughout?<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: Revise the wording (new text in brackets) to ““A Transfer Authorization Code (TAC) is a token created by the Registrar of Record and provided upon request to the registrant or [their designated representative.] Change “registrant”
to “Registered Name Holder” throughout.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Recommendation 3:<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question re: “ICANN org may change these requirements from time to time in response to new or updated standards, but any changes to
the requirements must go in effect with sufficient [notification and] time for registrars<s>registries</s> to implement the necessary updates.” Is it normal for ICANN Org to establish this type of requirement?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">If this were a protocol issue those statements would be done in the IETF. This is a security requirement. IETF is a source we can
go to for this. Could be a statement that it “should be based on applicable security standards” and add a reference.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The key here is that ICANN would be initiating it – should other parties be able to initiate?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">In the last sentence, change “registrars and registries” to “contracted parties”.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">See IETF language at:
<a href="https://datatracker.ietf.org/doc/draft-ietf-regext-secure-authinfo-transfer/">
https://datatracker.ietf.org/doc/draft-ietf-regext-secure-authinfo-transfer/</a> <o:p>
</o:p></span></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: WG members to suggest alternate/revised language.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Recommendation 4:<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Suggest it should say “stored” or “set” rather than “created”.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: Change “created” to “stored”.<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Recommendation 5:<o:p></o:p></p>
<ul type="disc">
<li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">May need to look at this recommendation again for bulk transfers.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Are we failing to set a new TAC, or providing the wrong TAC? Answer: We need to revise the language to make it clearer.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: If we are setting the number of failed attempts as a trigger, can ICANN Org change it later? Or is that a policy change?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Question: Should we set a period of time?<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">If you want to detect brute-force attempts then we should make that clear. Brute force was one example, could also just be a system
error.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Could change to: “The Working Group recommends that, if the Gaining Registrar presents an invalid TAC [$number] times, or [$number within
$period] times, the Registry MUST notify the Registrar of Record of the invalid attempts.”<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Comment: from a security perspective – from the principle of wanting to provide protection to the registrant in this case there may
be a malefactor involved so we are trying to provide an extra layer of protection. If everything is working as it should then the only risk here is that the value has been mis-entered. We should put a number here; a small number of attempts. Something to
think about is the transfer should not be allowed if you have entered X number of failed attempts. Maybe the registry disables the transfer and make them go to get another TAC.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">One thing to keep in mind, in order for this system to work if the registry is going to be telling you something it should be required
– “MUST” not “MAY”. As a security mechanism using “MUST” makes more sense.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Number of failed attempts could be between 3-5.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Recalling earlier discussions: there were originally two formations of this recommendation. It sounded like the recommendation to cancel
the transfer was not selected because it would be a way to derail a transfer.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">If after the failed attempts (3 or 5), a notification to the registrant is sufficient. I think changing it automatically isn’t a good
idea, as it’s done its job.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Clarify that this is per domain (issue of bulk transfers).
<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From a security perspective if you aren’t going to disable the transfer then you could force a reset; if you don’t want to do that you
should say that the registry after X number of attempts an any attempt that failed you MUST send a notification.
<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">A notification is sufficient of the failed attempts.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Suggest, “registrar of record MUST notify the registrant and MAY take further action such as resetting the TAC.” If we do say the registrar
MUST notify we should decide if we need to provide a template for that communication.<o:p></o:p></span></li><li class="MsoListParagraph" style="mso-list:l0 level1 lfo1"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">What is the process for changing the number of failed attempts? If we put a number here do we need policy to change it? Maybe suggest
a number to the IRT that they can update.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><b>ACTION ITEM: WG to review revised text as suggested: “The Working Group recommends that the Registry notify the Registrar of Record after the Gaining Registrar has made [3-5] failed attempts to present a valid TAC to the Registry for
a domain name, and for each successive failed attempt as long as a TAC is present. The Registrar of Record must notify the registrant that the failed attempts have taken place, and may take additional action, for example resetting the TAC.”<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">5. AOB (5 minutes)<o:p></o:p></p>
<ol style="margin-top:0in" start="3" type="1">
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l1 level2 lfo3">Next call: Tuesday 14 December 2021 at 16:00 UTC<o:p></o:p></li></ul>
</ol>
</div>
</body>
</html>