Individual Comments on IRTP -James Gannon
- To: "comments-irtp-c-30mar15@xxxxxxxxx" <comments-irtp-c-30mar15@xxxxxxxxx>
- Subject: Individual Comments on IRTP -James Gannon
- From: James Gannon <james@xxxxxxxxxxxxxxxxx>
- Date: Wed, 6 May 2015 13:26:04 +0000
I would first like to commend the group on what appears to be a well-developed
comprehensive policy. I will restrict my comments to a specific section that
would concern me.
In Section 2. Availability of Change of Registrant specifically Section 2.2 a
strict set of criteria for denial of a request is laid out. I will structure my
comments in 2 sections:
1. Does 'denial' of a request extend to temporary denial of a transfer
request in the case of a registrar having concerns about the legitimacy of a
transfer request?
a. Domain hijacking is a genuine concern, with many high profile cases
taking place over the past 12 months.
b. The primary means of unauthorized transfer for many of these cases
has been through complex social engineering attacks which would have presented
themselves to registrars as genuine transfer requests.
c. While detecting these complex attacks is a difficulty many registrars
will grapple with, I fear that by denying the registrar the opportunity to deny
a request, even if temporarily, in situations where they believe that the
request may be technically correct and complete but possibly not of good
providence may need to be addressed.
d. I would urge the group to recognize the seriousness and impact of such
attacks and capture their importance in your work.
2. Such a method that I might suggest be explored would be to recommend
the development of a practice statement to accompany the policy setting out in
further detail, which may not be appropriate to enter into a policy, a number
of best practices with regards to detecting and processing requests that may be
fraudulent. I would offer the suggestion that a combination of adding the
language that is already contained in the policy for inter-registrar transfers
in Section 3.7(a) Evidence of Fraud and combining that with a practice
statement for such fraudulent activities may go some way to giving registrars a
means of dealing with fraudulent requests under the policy.
Hopefully some of the briefest ICANN comments you'll see. Again thank you for
the good work that the PDP seems to have done to this point.
James Gannon
Director
Cyber Invasion Ltd
Dun Laoghaire, County Dublin, Ireland
Office: +353 (1)663-8787
Cell: +353 (86)175-3581
Email: james@xxxxxxxxxxxxxxxxx
GPG: https://keybase.io/jayg