RE: [gnso-irtp-pdp-jun08] FW: Request for Comments on IRTP Response

["James M. Bladel" <jbladel@xxxxxxxxxxx>]

Barbara:

This information is very helpful, please extend our thanks to Scott.

While I don't disagree with the substance of Patrick or Scott's
comments, I would suggest that these ideas do not directly address the
issues associated with transfers. Specifically, the exchange of authInfo
codes for contact objects (separate from domain objects) would probably
still rely on email, and would have all the same vulnerabilities that
we've identified in the current method.

Additionally, authInfo codes for contact objects would still be useless
in "thin" registries, which contain no contact data at all. Which means
registrars are still operationally dependent upon each others' WHOIS for
transfers.

I agree that the EPP poll message system is probably not practical. 
Poll Queues are not universally implemented, or used as intended by all
registrars, and the protocol was not designed for inter-registrar
communications. Such a system would also likely be prohibitively
expensive in terms of development resources.

But the general idea remains true:  Any system used to exchange
registrant contact information (or authInfo codes) should be both
-secure- and -authenticated-. Email comes up short in both categories.

Thanks--

J.


-------- Original Message --------
Subject: [gnso-irtp-pdp-jun08] FW: Request for Comments on IRTP
Response
From: "Steele, Barbara" <BSteele@xxxxxxxxxxxx>
Date: Tue, February 03, 2009 11:48 am
To: <Gnso-irtp-pdp-jun08@xxxxxxxxx>

 All,
Here is Scott's response to our request for a 'sanity check' of the
technical information provided in the comments to the initial report. 
Given that this is rather straight forward, I am not sure that it would
be beneficial for Scott to join the call on Tuesday.  If anyone
disagrees and would like for him to attend, please let me know and I
will ask if he is available.  Thanks much.
 
 -------------------------------------------------------
Barbara Steele
Compliance Officer / Director of Policy
VeriSign Naming Services



 

   From: Hollenbeck, Scott 
Sent: Tuesday, February 03, 2009 11:22 AM
To: Steele, Barbara
Subject: RE: Request for Comments on IRTP Response



I only found one thing I disagree with:
 
"Sadely, there is no way, nor requirement, for the registry and the
current sponsoring registrar to document why they reject a transfer (no
provision for that in EPP)"
 
EPP allows the registry operator to include text with every response to
a command.  The rationale for rejecting a transfer can be documented
using this feature if the registry operator chooses to include
appropriate text in the response.  Messages can also be enqueued for
client (registrar) retrieval via the <poll> command to document rejected
transfers.
 
I didn't see anything else that was obviously incorrect.
-Scott-