[registrars] Proliferation of registrar locks

Ross Wm. Rader ross at tucows.com
Sat Nov 13 14:45:00 UTC 2004 

> Goal: We wanted transfers to become easier
> Result: We can not check authinfos before we went through the FOA process.
>         If the FOA is successfully returned and the authinfo is incorrect,
>         the whole process has to be restarted. 
>         From the customer perspective, a transfer is now at least a 4-step
>         process: unlock the domain, initiate the transfer, reply to FOA on
>                  gaining side, reply to FOA on losing side



People have continuously claimed that auth-tokens were the solution to 
the problem. I've never understood this. An auth-token is just like a 
passport. When you present it to someone, it allows them to ascertain 
what rights the bearer has and ostensibly, if the bearer is who they say 
they are. Unto itself, it is not a mechanism to convey an authorization 
from the bearer to the inspector. It is just an identity document. 
Auth-tokens are precisely the same in this regard. The bearer may 
present one and then request a certain action be taken, but a process 
must still be followed in order to carry out the process. We still need 
to confirm that the bearer is who they say they are, that they have the 
authority to make the request etc.

Using auth-tokens as the solution to the transfer problem would have 
been the worst outcome and was never a serious option. While we may have 
been able to sort out some policies that made sense to govern .info and 
.biz, it would have caused a nightmare in .com, .net and likely .org.

It was never a goal to use authinfos as the solution.

>> Goal: We wanted a standardized transfer process
>> Result: We do not have it. While the transfer itself is standardized now,
>>         almost all registrars have now locked their domains, forcing the 
>>         customer into a non-standardized "have my domain unlocked" process

Yes - similar to the non-standard "register my domain", "update my 
nameserver" and "renew my domain" processes that we have to struggle 
with now. Standardizing the transfer process and standardizing internal 
registrar procedures are two very different things. I can't imagine even 
attempting to try and standardize an industry-wide "unlock my name" 
process. The policy provides ICANN with the capability and tools it 
needs to work with registrars to ensure that their unlock processes are 
accesible and useful - I think its appropriate to wait and see what 
precedents and actions they take to clarify this in the coming months.

> Goal: We wanted transfers to become easier
> Result: We can not check authinfos before we went through the FOA process.
>         If the FOA is successfully returned and the authinfo is incorrect,
>         the whole process has to be restarted. 
>         From the customer perspective, a transfer is now at least a 4-step
>         process: unlock the domain, initiate the transfer, reply to FOA on
>                  gaining side, reply to FOA on losing side


I'm not sure I understand this. The registrant has no obligation to 
respond to a losing FOA. It is problematic that you cannot retrieve an 
authinfo on a locked domain if what you are saying is correct...

> So where is the advantage?

Enhanced repudiation and remediation processes, centralized enforcement 
framework, clear processes, standardized processes...

-- 





                       -rwr



Contact info: http://www.blogware.com/profiles/ross
Skydasher: A great way to start your day
My weblog: http://www.byte.org

More information about the registrars mailing list