ICANN Email List Archives

[comments-irtp-c-30mar15]



Individual Comments on IRTP -James Gannon

  • To: "comments-irtp-c-30mar15@xxxxxxxxx" <comments-irtp-c-30mar15@xxxxxxxxx>
  • Subject: Individual Comments on IRTP -James Gannon
  • From: James Gannon <james@xxxxxxxxxxxxxxxxx>
  • Date: Wed, 6 May 2015 13:26:04 +0000

I would first like to commend the group on what appears to be a well-developed 
comprehensive policy. I will restrict my comments to a specific section that 
would concern me.

In Section 2, Availability of Change of Registrant, specifically Section 2.2, a 
strict set of criteria for denial of a request is laid out. I will structure my 
comments in 2 sections:


1.       Does 'denial' of a request extend to temporary denial of a transfer 
request in the case of a registrar having concerns about the legitimacy of a 
transfer request?

a.       Domain hijacking is a genuine concern, with many high-profile cases 
taking place over the past 12 months.

b.      The primary means of unauthorized transfer for many of these cases 
has been through complex social engineering attacks which would have presented 
themselves to registrars as genuine transfer requests.

c.       While detecting these complex attacks is a difficulty many registrars 
will grapple with, I fear that by denying the registrar the opportunity to deny 
a request, even if temporarily, in situations where they believe that the 
request may be technically correct and complete but possibly not of good 
provenance may need to be addressed.

d.      I would urge the group to recognize the seriousness and impact of such 
attacks and capture their importance in your work.



2.       Such a method that I might suggest be explored would be to recommend 
the development of a practice statement to accompany the policy setting out in 
further detail, which may not be appropriate to enter into a policy, a number 
of best practices with regards to detecting and processing requests that may be 
fraudulent. I would offer the suggestion that a combination of adding the 
language that is already contained in the policy for inter-registrar transfers 
in Section 3.7(a) Evidence of Fraud and combining that with a practice 
statement for such fraudulent activities may go some way to giving registrars a 
means of dealing with fraudulent requests under the policy.

Hopefully some of the briefest ICANN comments you'll see. Again, thank you for 
the good work that the PDP seems to have done to this point.

James Gannon
Director
Cyber Invasion Ltd
Dun Laoghaire, County Dublin, Ireland
Office: +353 (1)663-8787
Cell: +353 (86)175-3581
Email: james@xxxxxxxxxxxxxxxxx
GPG: https://keybase.io/jayg


