RE: [gnso-irtp-b-jun09] 60 day lock following registrant change

["Rob Golding" <rob.golding@xxxxxxxxxxxxxxx>]

>> a "wire-transfer" is no more secure than
>> any other payment method - any EFT can be recalled by the sending
>> bank should the account holder report it as unauthorised/fraudulent

> Perhaps you should do more research into payment systems.

I spent 1989 to 2004 designing and implementing banking systems for
international and central banks around the world, including working on the
specifications that now form the core of the SWIFT bank-to-bank payment
systems used by them all - so I think I've done my research :p

Every bank can recall any payment.  The circumstances for them doing so may
vary, and the "trouble" doing so may or may not cause is a different
discussion, but all payments *can* be pulled back, despite what they might
tell you to make you feel all warm-and-fuzzy.

> See: http:// [snip]

Thankfully putting it on a webpage doesn't make it true ;)

> it's definitely not guaranteed. And it's a lot more serious
> to undo a wire transfer falsely.

Recalling any legitimate payment, by whatever method, is a breach of
contract - I don't believe there is any method "more serious" than any other
- although certainly in Europe, consumer protection laws make it trivial
when personal c/cards are involved.

None of which is really relevant to whether a *registrar* should be able to
issue an "undo" on a (suspected fraudulent) domain transfer - there are lot
of other "uses" of domains beyond the business model of flogging them on a
2ndary market

> For all intents and purposes, it's the old registrant who is recalling
> it (why would a losing registrar not cooperate with their old client?)

Why ? Because they don't accept it's a fraudulent transfer or they are not
able to verify the registrant identity to their satisfaction, or that the
necessary indemnities are not in place - any number of reasons why a
registrar may chose not to issue a recall, even when requested by the
registrant.

> They
> can just transfer it back, as there's no theft.

That only works *if* the gaining registrar agrees, and some of those that
"aid" in fraudulent transfers are unlikely to do so.
And why should a registrant (if they didn't authorise the transfer) need to
follow the rules/procedures/policies/whatever of a registrar with whom they
have no agreement or contract ?

> If the purchaser completes the deal by initiating a transfer to the
> gaining registrar,  which is then accepted by the prior owner at the
> losing registrar, the WHOIS at the new registrar will immediately
> change to the purchaser when the transfer is complete.

WHOIS/Contact details change is a separate procedure to Registrar Transfer.

> [If the purchaser does the change of registrant entirely at the old
> registrar, with the desire to them move it to their favourite
> registrar, then they'd have to deal with situations like that at
> GoDaddy, where potentially the name is forced to stay there for 60
> days

Based on your earlier arguments, surely that would be a-good-thing(tm)...

> (b) ALL allegations are considered "valid" (shoot first, ask questions
> later)

I don't recall anyone suggesting that at all - quite the opposite.

> (c) ONLY the losing registrar (the one who had weak "security" to
> begin with) is authorized to make the determination

It's quite common for scum to send registrants "fake" invoices for domains -
I see several thousand of them go across my desk every year.
It's similarly quite common for these scum to include on the reams of
"paperwork" they send out a space which is for the EPP code to be entered.

Registrants get fooled by this process used by domain-scum-of-(location),
and at the point of handing over such details, lose control over/services
for their domain as a direct result of being "conned" by a "sales-technique"
which is a criminal offence in UK law.

That is a very real problem, and not one of "security" at the losing
registrar, but one of sad-but-true stupidity of the registrant.

> That's really the "elephant in the room". Holding the registrars
> responsible both financially and legally creates the proper
> incentives

I've never heard of a completed transfer which didn't follow the procedures
of the registrars concerned, so what are you expecting to hold them
accountable for ?

Rob