[registrars] Fourth draft of transfer form for LOSING registrars

Bruce Tonkin Bruce.Tonkin at melbourneit.com.au
Thu Oct 16 01:10:45 UTC 2003


Hello Siegfried,

> 
> I want to repeat something I already said in Rio:
> 
> according to German law (and I guess some other EU-law also) I 
> have a problem to ACK an outgoing transfer without explicit answer 
> of the registrant (the law is assuming consumer protection).
> 
> If ICANN accepts the regulation in which no answer from the 
> customer is treated as a YES, I will have to ask the German court for 
> a decision (in Germany the losing party pays all the court and 
> lawyer fees).

I have never really understood this as I don't know German law.

My understanding is that the policy requires a positive acknowledgement
from the registrant before a transfer is initiated.  This is the role of
the gaining registrar, and if a gaining registrar takes such action
without authority it would presumably be subject to German law.

A losing registrar has the right to rely on the gaining registrar having
received a positive acknowledgement.

In addition a losing registrar can audit the process by sending its own
message to the registrant.  If a gaining registrar is found at fault
consistently this should be grounds for ICANN to remove their
accreditation.

The model relies on enforcement of the behaviour of the gaining
registrar.


> 
> I have to do this as a self-protection act.

It would be great if you posted such a decision from a German court so
that we may all learn.


> I still wonder why a better working process (auth_code) is not 
> used...

Actually auth_code is part of the new transfers policy.

The auth-code as used in the EPP protocol is a method for
"authenticating" the identity of the registrant.  This is separate from
obtaining authorisation for a particular action.  The transfer process
incorporates using the auth-code as a security mechanism to authenticate
the registrant.  The standard transfer forms are then used to ensure
that the registrant has "authorised" a transfer.

As you have described German law, I would assume that just being able to
authenticate the registrant was not sufficient proof of obtaining
authority.

Now there are other security mechanisms you can use to strengthen the
process further.

For example if you used PKI encryption, you could store the public key
in the central registry.  A registrant could use their private key to
"sign" a transfer authorisation message, and you could store this
authorisation as evidence that the registrant authorised the
transaction.


Regards,
Bruce Tonkin
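
The distinction drawn in the message above, between authenticating the registrant with an auth-code and holding signed evidence that a particular transfer was authorised, is shown in the following added example; it is not part of the original e-mail or of any registry's code. It assumes Ed25519 as the signature scheme (the message says only "PKI"), and the `TransferAuth` layout, function names and sample values are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// TransferAuth is a constructed message layout for this example only.
type TransferAuth struct{ Domain, GainingRegistrar, IssuedAt string }

// canonical returns the exact signed bytes: one domain, one registrar, one time.
func (t TransferAuth) canonical() []byte {
	return []byte(fmt.Sprintf("transfer-auth|%q|%q|%q", t.Domain, t.GainingRegistrar, t.IssuedAt))
}

// NewRegistrantKey makes the key pair; the public half goes to the registry.
func NewRegistrantKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Authenticate compares auth-codes in constant time; it proves knowledge only.
func Authenticate(stored, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(stored), []byte(presented)) == 1
}

// Sign is run by the registrant over one specific transfer request.
func Sign(priv ed25519.PrivateKey, t TransferAuth) []byte {
	return ed25519.Sign(priv, t.canonical())
}

// Authorised checks stored evidence against the registry-held public key.
func Authorised(pub ed25519.PublicKey, t TransferAuth, sig []byte) bool {
	return ed25519.Verify(pub, t.canonical(), sig)
}

func main() {
	pub, priv := NewRegistrantKey()
	req := TransferAuth{"example.de", "gaining-registrar-A", "2003-10-16T01:10:45Z"}
	sig := Sign(priv, req)
	fmt.Println("auth-code matches:", Authenticate("constructed-code", "constructed-code"))
	fmt.Println("signed request verifies:", Authorised(pub, req, sig))
	req.GainingRegistrar = "gaining-registrar-B" // same signature, other registrar
	fmt.Println("reused for other registrar:", Authorised(pub, req, sig))
}
```

The stored signature verifies only for the exact request the registrant signed, so it serves as evidence of authorisation for that transfer, whereas a matching auth-code is the same for every action.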


