RE: [gnso-irtpc] Comments on time-limiting FOA
- To: "'IRTPC Working Group'" <gnso-irtpc@xxxxxxxxx>
- Subject: RE: [gnso-irtpc] Comments on time-limiting FOA
- From: "Chris Chaplow" <chris@xxxxxxxxxxxxx>
- Date: Wed, 23 May 2012 16:01:05 +0200
My gut feeling is that there should be a time limit on FOA and this should
be policy rather than recommend.
I do appreciate the argument not to create policy for a non problem.
Perhaps we should help the community (and us) understand the wisdom by
expressing pros and cons of both (ie policy and best practice) in a table
in the report.
Avenida del Carmen 9
Ed. Puertosol, Puerto Deportivo
1ª Planta, Oficina 30
Tel: + (34) 952 897 865
Fax: + (34) 952 897 874
E-mail: <mailto:chris@xxxxxxxxxxxxx> chris@xxxxxxxxxxxxx
Web: <http://www.andalucia.com/> www.andalucia.com
Information about Andalucia, Spain.
De: owner-gnso-irtpc@xxxxxxxxx [mailto:owner-gnso-irtpc@xxxxxxxxx] En nombre
de Mike O'Connor
Enviado el: martes, 22 de mayo de 2012 20:59
Para: IRTPC Working Group
Asunto: [gnso-irtpc] Comments on time-limiting FOA
i would like to make the case for upgrading the time-limiting of FOA's from
being a "recommended best practice" to being a policy that is implemented
across all registrars.
first, a replay of the current policy:
"Section 2 -- Gaining Registrar Requirements
For each instance where a Registered Name Holder requests to transfer a
domain name registration to a different Registrar, the Gaining Registrar
2.1 Obtain express authorization from either the Registered Name Holder or
the Administrative Contact (hereafter, "Transfer Contact"). Hence, a
transfer may only proceed if confirmation of the transfer is received by the
Gaining Registrar from the Transfer Contact.
2.1.1 The authorization must be made via a valid Standardized Form of
i've highlighted the two phrases that speak to me, FOA's are to be obtained
"for each instance" of a transfer and are used to "obtain express
authorization" of the transfer.
the proposal to time-limit FOAs comes from the working group that launched
the long series of PDPs of which this one is the 3rd of 5. so let's take a
look at the question that was posed lo those many years ago:
Whether provisions on time-limiting Form Of Authorization (FOA)s should be
implemented to avoid fraudulent transfers out. For example, if a Gaining
Registrar sends and receives an FOA back from a transfer contact, but the
name is locked, the registrar may hold the FOA pending adjustment to the
domain name status, during which time the registrant or other registration
information may have changed.
it seems to me that the need to limit the time that an FOA is implied by the
"avoid fraudulent transfers out" phrase in that question.
i prefer a policy stance which addresses the security needs of the typical
domain registrant (an individual or corporation that uses the domain name)
while providing a mechanism where the ease-of-use needs of the
relatively-unusual domain-investor can still be addressed. here's how i'd
prefer to see our recommendation phrased.
"Therefore the WG recommends Section 2 of the IRTP be revised to insert the
2.1.4 The FOA will expire when the requested-transfer is complete, it is
renewed by the Registered Name Holder, or in 30 calendar days, which ever
comes first. "
my hope is that by introducing the notion of renewing an FOA, we can
accommodate the registrant (and registrars) that would like to:
-- "pre-authorize" a transfer for months or even years (presumably with
suitable security around that process)
-- provide a framework that they can explicitly enter into agreements to
"auto-renew" the FOA indefinitely if they so choose
-- support a variety of manual or auto-renew processes that can vary across
i'm hoping that with this, we make it possible for high-volume domain
investors to put a "buy it right now" sign on their names over long periods
of time but still provide enhanced security for the vast majority of
registrants who are simply using the name to conduct their day-to-day
as i said on the call, i'm cranky about relegating this to a "best
practice." i think that approach solves the problems of the few at the
expense of the many.
- - - - - - - - -
handle OConnorStP (ID for public places like Twitter, Facebook, Google,