IPC Comments
- To: new-irtp-issues@xxxxxxxxx
- Subject: IPC Comments
- From: claudio digangi <claudiosemail@xxxxxxxxx>
- Date: Fri, 26 Sep 2008 09:55:03 -0700 (PDT)
IPC Comments
On
Inter-Registrar Transfer Policy (IRTP) Issues
Part A ‘New IRTP Issues’
September 26, 2008
Issue I – Is there a way for registrars to make Registrant E-mail Address data
available to one another? Currently there is no way of automating approval from
the Registrant, as the Registrant Email Address is not a required field in the
registrar Whois. This slows down and/or complicates the process for
registrants, especially since the Registrant can overrule the Admin Contact.
COMMENTS
The lack of an e-mail address for the Registrant generally does not delay the
transfer of domain registrations, for the simple reason that, to our knowledge,
when the Admin Contact e-mail is functioning, no registrar even attempts to
obtain approval by any other means. In most cases, furthermore, the Registrant
or an authorized employee’s e-mail address is listed as the Admin Contact, so
the Registrant in fact consents to the transfer. Nevertheless, the value
judgment implicit in the Issue—that it would be preferable to be certain that
the entity listed as the Registrant consents to the transfer—is sound. In cases
where the Registrant and the Admin Contact are not the same, it seems plausible
that confusion could result over whether the Registrant actually consented to a
transfer, or whether a Registrant’s purported authorization (or rejection) of a
transfer from an e-mail address not listed in the Whois was authentic.
However, if Registrant E-mail Address data is to be made available to other
registrars, it should happen in the context of Whois. One purpose of the Port
43 protocol was to provide information necessary for inter-registrar transfers,
so developing a separate protocol to provide certain pieces of information
necessary to that process would be superfluous. If Registrant E-mail Address
data is to be made available, it should be done as part of an overall technical
modernization of the Whois protocol.
The need for inter-registrar communication of registrant information speaks to
the legitimate need for Port 43-like access to Whois data (in addition to the
public’s need and the need of intellectual property owners for open access to
Whois data, such as can be obtained through web interfaces). Other parties with
needs for Port 43-like automated access include information providers, such as
those who provide research services for non-marketing purposes such as
trademark availability clearance and searching, audits of domain portfolios for
corporate mergers and acquisitions, and investigations of intellectual property
infringement and fraud. The need for Registrant E-mail Address data in Whois is
just one of many reasons why ICANN should address, rather than avoid, the need
to modernize the Whois protocol.
Issue II – Whether there is need for other options for electronic
authentication (e.g., security token in the Form of Authorization (FOA)) due to
security concerns on use of email addresses (potential for hacking or
spoofing).
COMMENTS
Yes, we believe that there is a need for further options for electronic
authentication in order to set a reasonably secure and basic standard to be
used by every registrar, and that such options should be independent of any
other services offered by the registrar. It is important that ICANN sets out
the requirements for this basic standard in its IRTP. The challenge is to find
a way to improve security without making the transfer system too cumbersome.
The weakness in almost every current system for electronic authentication is
that too much depends on information and confirmation via e-mail (of the
registrant’s and/or the Admin Contact). Even with partial off-line
authentications (e.g. in the form of a signed fax from the Registrant) in
combination with an e-mail confirmation, it is necessary to rely on the
presumption that the registrant’s e-mail address is correct because any
additional documentation requiring signature is sent via that e-mail address.
Email-based authentication does not appear to be sufficient to secure the
identity of the registrant.
A current risk point is that there is a period after a registrant has unlocked
a domain name during which malicious transfer requests might accidentally be
accepted. One possible solution could be to require the registrant to submit
with its request to unlock the name the IANA ID of the registrar to which the
name is intended to be transferred. Transfer requests coming from any other
registrar would then be automatically rejected. Another solution is the use
of digital certificates.
However, we appreciate that certain registrants and certain areas of business –
the financial sector, for example – may require an even higher standard and
level of security. We see these classes of registrants and business sectors
as best served by additional services that are created and offered by the
registrars without involvement of ICANN.
The IPC believes an analysis of various ccTLD registry policies would benefit
the policy development process. Examples include the Swedish registry system
which uses an application called Domain Manager (“Domänhanteraren”), and
features a certificate-based web interface to effectuate transfers. In the
Swiss Registry (SWITCH), authentications are performed either via e-mail or by
signed fax only. CoCCA (a grouping of small ccTLD registries) uses a password
generated by electronic token for allowing access to the registrar account, but
does not authenticate a registrant’s right to a transfer.
The benefits of improved electronic authentication are safer communications and
transfers. Potential problems could be unexpected and increased costs for
Registrants – either by demands for certain software or by increased costs at
the Registry level (which will ultimately raise the price for domain name
administration), as well as a more time-consuming process whenever a
certification of the Registrant’s ID is needed.
Issue III – Whether the policy should incorporate provisions for handling
“partial bulk transfers” between registrars – that is, transfers involving a
number of names but not the entire group of names held by the losing registrar.
COMMENTS
Yes, the policy should incorporate provisions for handling partial bulk
transfers. Any mechanism to facilitate the smooth transfer of a registrant’s
domain names is welcomed. Partial bulk transfers would be particularly helpful
in connection with corporate asset sales and acquisitions. For example, a
registrant may be selling only one of its business lines to a third party or an
acquiring company may wish to have only some of the acquired company’s domain
names transferred to its own registrar. Furthermore, in the cases of
termination or non-renewal of a registrar's Registrar Accreditation Agreement,
a partial bulk transfer policy would enable the de-accredited registrar to
transfer domains in bulk to numerous “gaining” registrars, further protecting
the rights of registrants.
Submitted by,
Claudio DiGangi, on behalf of IPC
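
Added example, not part of the original submission and not IPC or ICANN code: a minimal model of the unlock-time check proposed under Issue II, where the registrant names the gaining registrar's IANA ID when unlocking and a transfer request from any other registrar is rejected. The class names, the five-day unlock window, and the single-use re-lock are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

UNLOCK_WINDOW = 5 * 24 * 3600  # assumed validity of an unlock, in seconds


@dataclass
class Domain:
    sponsor_id: int                      # IANA ID of the current registrar
    locked: bool = True
    gaining_id: Optional[int] = None     # registrar named in the unlock request
    unlock_expires: float = 0.0


class TransferGate:
    def __init__(self):
        self.domains = {}
        self.rejections = []             # (name, requester, reason) for review

    def unlock(self, name, gaining_id, now):
        """Registrant unlocks the name and names the one gaining registrar."""
        d = self.domains[name]
        if gaining_id == d.sponsor_id:
            raise ValueError("gaining registrar is already the sponsor")
        d.locked, d.gaining_id = False, gaining_id
        d.unlock_expires = now + UNLOCK_WINDOW

    def _relock(self, d):
        d.locked, d.gaining_id, d.unlock_expires = True, None, 0.0

    def request_transfer(self, name, requester_id, now):
        d = self.domains[name]
        if d.locked:
            reason = "locked"
        elif now > d.unlock_expires:
            self._relock(d)              # a stale unlock must not stay open
            reason = "unlock-expired"
        elif requester_id != d.gaining_id:
            reason = "registrar-mismatch"  # name stays open for the named registrar
        else:
            d.sponsor_id = requester_id
            self._relock(d)              # single use: lock again after transfer
            return "approved"
        self.rejections.append((name, requester_id, reason))
        return "rejected:" + reason
```

The rejections list is the part a losing registrar would monitor: a registrar-mismatch entry during an open unlock window is exactly the unsolicited request this check is meant to stop.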