[gnso-irtpc] Comments on time-limiting FOA

["Mike O'Connor" <mike@xxxxxxxxxx>]

hi all,

i would like to make the case for upgrading the time-limiting of FOA's from 
being a "recommended best practice" to being a policy that is implemented 
across all registrars.

here's why…

first, a replay of the current policy:

"Section 2 -- Gaining Registrar Requirements
For each instance where a Registered Name Holder requests to transfer a domain 
name registration to a different Registrar, the Gaining Registrar shall:
2.1 Obtain express authorization from either the Registered Name Holder or the 
Administrative Contact (hereafter, "Transfer Contact"). Hence, a transfer may 
only proceed if confirmation of the transfer is received by the Gaining 
Registrar from the Transfer Contact.
2.1.1 The authorization must be made via a valid Standardized Form of 
Authorization (FOA)…."


i've highlighted the two phrases that speak to me, FOA's are to be obtained 
"for each instance" of a transfer and are used to "obtain express 
authorization" of the transfer.  

the proposal to time-limit FOAs comes from the working group that launched the 
long series of PDPs of which this one is the 3rd of 5.  so let's take a look at 
the question that was posed lo those many years ago:

Whether provisions on time-limiting Form Of Authorization (FOA)s should be 
implemented to avoid fraudulent transfers out. For example, if a Gaining 
Registrar sends and receives an FOA back from a transfer contact, but the name 
is locked, the registrar may hold the FOA pending adjustment to the domain name 
status, during which time the registrant or other registration information may 
have changed.

it seems to me that the need to limit the time that an FOA is implied by the 
"avoid fraudulent transfers out" phrase in that question.

i prefer a policy stance which addresses the security needs of the typical 
domain registrant (an individual or corporation that uses the domain name) 
while providing a mechanism where the ease-of-use needs of the 
relatively-unusual domain-investor can still be addressed.  here's how i'd 
prefer to see our recommendation phrased.

"Therefore the WG recommends Section 2 of the IRTP be revised to insert the 
following section:

2.1.4 The FOA will expire when the requested-transfer is complete, it is 
renewed by the Registered Name Holder, or in 30 calendar days, which ever comes 
first.  "

my hope is that by introducing the notion of renewing an FOA, we can 
accommodate the registrant (and registrars) that would like to:

-- "pre-authorize" a transfer for months or even years (presumably with 
suitable security around that process)
-- provide a framework that they can explicitly enter into agreements to 
"auto-renew" the FOA indefinitely if they so choose 
-- support a variety of manual or auto-renew processes that can vary across 
registrars.

i'm hoping that with this, we make it possible for high-volume domain investors 
to put a "buy it right now" sign on their names over long periods of time but 
still provide enhanced security for the vast majority of registrants who are 
simply using the name to conduct their day-to-day affairs.

as i said on the call, i'm cranky about relegating this to a "best practice."  
i think that approach solves the problems of the few at the expense of the many.

mikey


- - - - - - - - -
phone   651-647-6109  
fax             866-280-2356  
web     http://www.haven2.com
handle  OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)