Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
- To: "Gnso-irtp-b-jun09@xxxxxxxxx" <Gnso-irtp-b-jun09@xxxxxxxxx>
- Subject: Re: [gnso-irtp-b-jun09] 60 day lock following registrant change
- From: George Kirikos <icann@xxxxxxxx>
- Date: Tue, 6 Jul 2010 14:01:14 -0400
Addressing Bob first, he wrote:
> While fraud for us is rare, the vast majority of fraudulent buyer and seller
> situations are detected within this period giving us a chance to unwind
> sales that otherwise would have resulted in the loss of a domain, funds, or
Fraud by a buyer is easy for you to manage -- insist upon a wire
transfer. It's your choice to use credit cards or other risky forms of
payments. All registrants who are doing things properly shouldn't have
to suffer to subsidize your business model or credit practices (most
NameMedia marketplace names are owned by NameMedia, so their desire to
clawback names that have a chargeback are clear). We saw how the 5 day
add grace period was abused, too.
Fraud by a seller is also easy for you to manage -- you need to
properly authenticate the seller. In most cases, that is yourselves.
When it's not yourselves, there's the WHOIS (where there are accuracy
requirements). If you only use an email address to authenticate,
that's your business model's fault. If others are authenticating using
stronger methods, we shouldn't be penalized.
Given fraud can happen from both buyer and seller, what happens when
the seller commits fraud *after* a sale, by undoing it on a whim,
using the current ETRP proposal (where the allegation alone makes the
domain name come back to the prior registrar)? That ability to undo
without due process would put severely undermine the marketplace you
speak of. It creates a severe risk for the buyer that is impossible to
Why would I buy a domain name from NameMedia for $100,000, for
example, when 3 months later you can simply take it back without due
process? I'd have to discount the price to reflect that risk of a
clawback (and the resultant legal costs to undo the clawback), just
like merchants adjust their prices to reflect chargebacks by
consumers. Notice it's a definite devaluation of all domain names (for
both buyers and sellers, i.e. all registrants) --- not having clear
title to a domain name for a period of up to 6 months after a
registrant name change (if the ETRP exists) is always a liability, and
that liability reduces the value of the asset. Having the domain name
at an insecure/undesirable registrar for 60 days is also a liability
that reduces the value of the asset.
On Tue, Jul 6, 2010 at 12:34 PM, James M. Bladel <jbladel@xxxxxxxxxxx> wrote:
> Setting that aside, however, the primary issue that this group is
> wrestling with is the balance between Domain Security vs. Domain
Agreed, that's the primary issue. However, we disagree as to how to
achieve domain security. A 60-day lock/hostage situation is not the
way. Good security happens *before* the registrant change takes place,
and doesn't wait only until after a change.
> But in our quest for portability, we must acknowledge that reasonable
> safeguards against fraud and theft are required. And that these
> safeguards will represent an inconvenience (but should not become an
> impediment) to portability.
If those "reasonable safeguards" were proactive, instead of reactive
(like the proposed ETRP), we would strongly support them. Recall,
there were multiple reports on this topic:
which had many proactive measures that registrars and registrants can
use to ensure their security (e.g. out-of-band authentication, not
relying on emails for everything, etc.). All those recommendations and
best practices appear to have been ignored, with the ETRP presented as
some "magic bullet" that will solve a lot of problems. It won't --
it'll cause more problems than it solves.
> In his introduction today, George mentioned that he is the registrant of
> several high-profile domain names. Registrants of these names are
> probably aware that their registrations are prime hijacking targets, and
> should consider their response if/when one of these names were suddenly
> transferred to an unresponsive registrar in China. Some may respond
> that this is impossible, because they "only use Registrar X" or "only
> operate according to Best Practice Y." But this is naive, and
> disregards the fact that no registration is simultaneously 100% secure
> and 100% portable.
Yes, we get attacked all the time, so I'm acutely aware of these
issues (and have helped others recover stolen domains). Some of my
domains are on VeriSign Lock, for example, as are elite domains like
Google.com, Facebook.com, etc. (as MarkMonitor has blogged about on
CircleID, and which I've previously discussed on this list). Those
domains aren't going to be hijacked unless there's an inside job by
the registrar in cooperation with VeriSign. I'll take my chances in
the courts if that happens. If these proposals were actually going to
*improve* my security, why would I be so against them?
> In this scenario, the affected registrars / registry _may_ be able to
> help, but are not obligated to. And some of those remedial mechanisms
> could take months or even a year to run their course.
Depending on the "urgency", a court can act much more swiftly to
return a hijacked domain name. I previously cited the example of
Microsoft taking down botnets with domains registered at multiple
registrars (some outside the USA). A newer example is where the US
Feds last wek shut down various websites/domains accused of movie
and some of those domains were at international registrars (e.g.
zml.com is at a Chinese registrar, Bizcn.com Inc.). Notice www.zml.com
says they went to US District Court for the Southern District of NY
(which presumably VeriSign accepted as a jurisdiction, even if it was
A court is much more likely to give due process than the current ETRP
proposal, and can act just as swiftly.
> Which brings us back to ETRP. In its current form, I can't support the
> proposal due to the lengthy (6 month) window and the impracticalities of
> the "Title / Token" system. But I know that, in the here and now, our
> internal 60-day lock is a good (not perfect) prophylactic against
> Absent the opt-in lock and absent an ETRP would open all registrars'
> vaults to the bad guys, and severely undermine (if not totally undo)
> _both_ the Primary domain name industry and the Secondary aftermarket.
Both you and Bob, suggest this "60 day lock" is a good thing. What do
folks imagine is going to happen in that 60 days? Only a registrar
with poor authentication of requests would benefit from that 60 day
lock, to believe that it's of any benefit to security.
Let's imagine where it might be of use. Bad Registrar X has
example.com, and relies on very poor authentication to allows Bad Guy
to steal the domain, but keeps it at Registrar X due to a 60-day
"rule" after a registrant change. The innocent registrant (Good Guy)
notices the name is stolen, and contacts the registrar. He/she screams
a bit, jumps up and down, and is asked to present documentation to
authenticate their identity. Then the innocent registrant (once
authenticated) needs to convince Registrar X that the name was indeed
stolen. Bad Guy might disappear, in which case the job is easier. But,
what if Bad Guy disputes it, and denies it was stolen at all? Then,
it's a judgement call, with no set process --- basically willy-nilly
at each registrar. God forbid the Good Guy doesn't notice the name is
stolen in the first 60 days.
Suppose that example.com was instead at Good Registrar Y, with strong
authentication. When Bad Guy tried to do an internal transfer
(registrant change) of the domain name from Good Guy, he fails
immediately! The domain name doesn't get stolen in the first place.
Why? Because Registrar Y did the proper checks *before* the registrant
change occurred. (Registrar X only did the proper checks *after* the
name was claimed to be stolen).
I want all registrars to be like Registrar Y. Registrar Y doesn't need
the ETRP, or the 60 day lock, because they did the checks properly
*before* the registrant change. What's there to dispute at that point?
Nothing. (or if there is, it's a decision best left to courts)
Why do registrars exist like Registrar X? Money, basically. Good
security, good design of systems, etc., costs money. Some registrars
cut corners in design and security. If a "good guy" registrant chose
to keep his valuable domain name at Registrar X in the first place, he
has himself partly to blame (and also the registrar, and also to ICANN
for not mandating higher minimum standards). He had the ability to
manage that risk (e.g. use one with Executive Lock, VeriSign registry
lock, etc.), but chose not to do so. If the domain name gets stolen,
the costs (e.g. legal costs) rightly fall upon him, for not doing
things properly in the first place (i.e.maybe he chose to save $2/yr
by going with a less secure registrar)
So, I leave these questions to Bob, James, and anyone else who wants
to join the debate:
(a) If we have properly authenticated registrant changes (i.e. like
Registrar Y), do we need the 60 day lock after a registrant change? If
so, what purpose does it serve? (besides holding the name hostage, and
perhaps allowing registrars to make an extra renewal fee margin 1/6th
of the time)
(b) If we have properly authenticated registrant changes (i.e. like
Registrar Y), do we need the ETRP as currently proposed? If so, what
purpose does it serve? (besides allowing reverse hijacking to take
place due to seller's remorse, or outright fraud by sellers who undo
legitimate transfers without any remorse)
(c) If I'm buying a valuable domain name, can you understand why I, as
a sophisticated and risk-averse registrant, want to move the domain
name away from "bad" Registrar X as soon as possible (i.e.
immediately!), and into good "Registrar Y"? How do I benefit
whatsoever from keeping my domain name even 1 day at a registrar I
don't want the domain name to be at?
(d) Would you support consumer choice in allowing registrants to
opt-in to Irrevocable Transfers, e.g. see:
(i.e. this really should be the best practice in the status quo, where
transfer/change authentication is done properly *before* a
transfer/change). If not, why not?
P.S. Sorry for the lengthy email, it couldn't all fit into 140
characters. :-) I invite anyone who wants to talk by phone to give me
a call, to discuss interactively.