Re: [gnso-irtpc] Comments on time-limiting FOA

[Avri Doria <avri@xxxxxxx>]

Hi,

<co-chair hat off>

I think I support the reasoning and the conclusion of this email
It seems like a good idea for protecting registrants.
I think the 30 day timeout is very reasonable for the registrant transferring 
his or her name.

I too prefer the mandatory 30 single use FOA timeout.

avri

On 22 May 2012, at 14:58, Mike O'Connor wrote:

> hi all,
> 
> i would like to make the case for upgrading the time-limiting of FOA's from 
> being a "recommended best practice" to being a policy that is implemented 
> across all registrars.
> 
> here's why…
> 
> first, a replay of the current policy:
> 
> "Section 2 -- Gaining Registrar Requirements
> For each instance where a Registered Name Holder requests to transfer a 
> domain name registration to a different Registrar, the Gaining Registrar 
> shall:
> 2.1 Obtain express authorization from either the Registered Name Holder or 
> the Administrative Contact (hereafter, "Transfer Contact"). Hence, a transfer 
> may only proceed if confirmation of the transfer is received by the Gaining 
> Registrar from the Transfer Contact.
> 2.1.1 The authorization must be made via a valid Standardized Form of 
> Authorization (FOA)…."
> 
> 
> i've highlighted the two phrases that speak to me, FOA's are to be obtained 
> "for each instance" of a transfer and are used to "obtain express 
> authorization" of the transfer.  
> 
> the proposal to time-limit FOAs comes from the working group that launched 
> the long series of PDPs of which this one is the 3rd of 5.  so let's take a 
> look at the question that was posed lo those many years ago:
> 
> Whether provisions on time-limiting Form Of Authorization (FOA)s should be 
> implemented to avoid fraudulent transfers out. For example, if a Gaining 
> Registrar sends and receives an FOA back from a transfer contact, but the 
> name is locked, the registrar may hold the FOA pending adjustment to the 
> domain name status, during which time the registrant or other registration 
> information may have changed.
> 
> it seems to me that the need to limit the time that an FOA is implied by the 
> "avoid fraudulent transfers out" phrase in that question.
> 
> i prefer a policy stance which addresses the security needs of the typical 
> domain registrant (an individual or corporation that uses the domain name) 
> while providing a mechanism where the ease-of-use needs of the 
> relatively-unusual domain-investor can still be addressed.  here's how i'd 
> prefer to see our recommendation phrased.
> 
> "Therefore the WG recommends Section 2 of the IRTP be revised to insert the 
> following section:
> 
> 2.1.4 The FOA will expire when the requested-transfer is complete, it is 
> renewed by the Registered Name Holder, or in 30 calendar days, which ever 
> comes first.  "
> 
> my hope is that by introducing the notion of renewing an FOA, we can 
> accommodate the registrant (and registrars) that would like to:
> 
> -- "pre-authorize" a transfer for months or even years (presumably with 
> suitable security around that process)
> -- provide a framework that they can explicitly enter into agreements to 
> "auto-renew" the FOA indefinitely if they so choose 
> -- support a variety of manual or auto-renew processes that can vary across 
> registrars.
> 
> i'm hoping that with this, we make it possible for high-volume domain 
> investors to put a "buy it right now" sign on their names over long periods 
> of time but still provide enhanced security for the vast majority of 
> registrants who are simply using the name to conduct their day-to-day affairs.
> 
> as i said on the call, i'm cranky about relegating this to a "best practice." 
>  i think that approach solves the problems of the few at the expense of the 
> many.
> 
> mikey
> 
> 
> - - - - - - - - -
> phone         651-647-6109  
> fax           866-280-2356  
> web   http://www.haven2.com
> handle        OConnorStP (ID for public places like Twitter, Facebook, 
> Google, etc.)
>