Re: [gnso-irtpc] Comments on time-limiting FOA
- To: IRTPC Working Group <gnso-irtpc@xxxxxxxxx>
- Subject: Re: [gnso-irtpc] Comments on time-limiting FOA
- From: Avri Doria <avri@xxxxxxx>
- Date: Tue, 22 May 2012 16:26:16 -0400
<co-chair hat off>
I think I support the reasoning and the conclusion of this email
It seems like a good idea for protecting registrants.
I think the 30 day timeout is very reasonable for the registrant transferring
his or her name.
I too prefer the mandatory 30 single use FOA timeout.
On 22 May 2012, at 14:58, Mike O'Connor wrote:
> hi all,
> i would like to make the case for upgrading the time-limiting of FOA's from
> being a "recommended best practice" to being a policy that is implemented
> across all registrars.
> here's why…
> first, a replay of the current policy:
> "Section 2 -- Gaining Registrar Requirements
> For each instance where a Registered Name Holder requests to transfer a
> domain name registration to a different Registrar, the Gaining Registrar
> 2.1 Obtain express authorization from either the Registered Name Holder or
> the Administrative Contact (hereafter, "Transfer Contact"). Hence, a transfer
> may only proceed if confirmation of the transfer is received by the Gaining
> Registrar from the Transfer Contact.
> 2.1.1 The authorization must be made via a valid Standardized Form of
> Authorization (FOA)…."
> i've highlighted the two phrases that speak to me, FOA's are to be obtained
> "for each instance" of a transfer and are used to "obtain express
> authorization" of the transfer.
> the proposal to time-limit FOAs comes from the working group that launched
> the long series of PDPs of which this one is the 3rd of 5. so let's take a
> look at the question that was posed lo those many years ago:
> Whether provisions on time-limiting Form Of Authorization (FOA)s should be
> implemented to avoid fraudulent transfers out. For example, if a Gaining
> Registrar sends and receives an FOA back from a transfer contact, but the
> name is locked, the registrar may hold the FOA pending adjustment to the
> domain name status, during which time the registrant or other registration
> information may have changed.
> it seems to me that the need to limit the time that an FOA is implied by the
> "avoid fraudulent transfers out" phrase in that question.
> i prefer a policy stance which addresses the security needs of the typical
> domain registrant (an individual or corporation that uses the domain name)
> while providing a mechanism where the ease-of-use needs of the
> relatively-unusual domain-investor can still be addressed. here's how i'd
> prefer to see our recommendation phrased.
> "Therefore the WG recommends Section 2 of the IRTP be revised to insert the
> following section:
> 2.1.4 The FOA will expire when the requested-transfer is complete, it is
> renewed by the Registered Name Holder, or in 30 calendar days, which ever
> comes first. "
> my hope is that by introducing the notion of renewing an FOA, we can
> accommodate the registrant (and registrars) that would like to:
> -- "pre-authorize" a transfer for months or even years (presumably with
> suitable security around that process)
> -- provide a framework that they can explicitly enter into agreements to
> "auto-renew" the FOA indefinitely if they so choose
> -- support a variety of manual or auto-renew processes that can vary across
> i'm hoping that with this, we make it possible for high-volume domain
> investors to put a "buy it right now" sign on their names over long periods
> of time but still provide enhanced security for the vast majority of
> registrants who are simply using the name to conduct their day-to-day affairs.
> as i said on the call, i'm cranky about relegating this to a "best practice."
> i think that approach solves the problems of the few at the expense of the
> - - - - - - - - -
> phone 651-647-6109
> fax 866-280-2356
> web http://www.haven2.com
> handle OConnorStP (ID for public places like Twitter, Facebook,
> Google, etc.)