On Tue, Jan 18, 2005 at 06:36:16PM +1100, Bruce Tonkin wrote:
> (5) The registry will send a message to the losing registrar confirming that a transfer has been initiated.

Can you confirm or deny whether this actually happened in the case of the panix.com transfer?

The other problem I see in this area is that the RRP specification (if that is in fact the protocol that was used) seems to claim that this message is out-of-band and thus beyond the scope of the protocol: so it does not (can not) specify an ACK. If an attacker found a way to prevent this message from being received, even if generated...

A strictly enforced technical requirement for an ACK here might work wonders (perhaps it would have to be enforced by duping both the confirmation and the ACK to the "System", as RRP so quaintly calls it, and denying future transfers initiated by parties with too many outstanding ACKs). Not an approval, just an ACK.

There seems to be a general lack of IETF design and review of protocols in this crucial area. Again not good.

Thor
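
A toy registry-side ledger for the ACK rule proposed in the message above, added here as an illustration; it is not part of the original post and is not RRP. It assumes the receipt is owed by the losing registrar and that a registrar owing more than `MAX_OUTSTANDING` receipts cannot initiate transfers; the class, the threshold and all registrar and domain names are hypothetical.

```python
from dataclasses import dataclass, field

MAX_OUTSTANDING = 2  # assumed threshold; the message gives no number


@dataclass
class Registry:
    sponsor: dict                               # domain -> sponsoring registrar
    owed: dict = field(default_factory=dict)    # notice id -> (losing registrar, domain)
    next_id: int = 1

    def outstanding(self, registrar):
        """Number of transfer notices this registrar has not yet ACKed."""
        return sum(1 for losing, _ in self.owed.values() if losing == registrar)

    def request_transfer(self, gaining, domain):
        """Record a transfer request and the notice owed an ACK; return its id."""
        if self.outstanding(gaining) > MAX_OUTSTANDING:
            raise PermissionError(f"{gaining} has too many outstanding ACKs")
        nid, self.next_id = self.next_id, self.next_id + 1
        self.owed[nid] = (self.sponsor[domain], domain)
        return nid

    def ack(self, registrar, nid):
        """Receipt only: clears the notice, never changes the sponsor."""
        if self.owed.get(nid, (None, None))[0] != registrar:
            return False                        # unknown notice or wrong party
        del self.owed[nid]
        return True

    def unacked(self):
        """Notices with no proof of receipt, as (id, losing registrar, domain)."""
        return sorted((nid, r, d) for nid, (r, d) in self.owed.items())


def demo():
    # Constructed sample data: registrar names and domains are placeholders.
    reg = Registry({"one.example": "REG-A", "two.example": "REG-A",
                    "three.example": "REG-A", "four.example": "REG-B"})
    ids = [reg.request_transfer("REG-B", d)
           for d in ("one.example", "two.example", "three.example")]
    try:                                        # REG-A now owes 3 ACKs (> 2)
        reg.request_transfer("REG-A", "four.example")
        blocked = False
    except PermissionError:
        blocked = True
    acked = reg.ack("REG-A", ids[0])            # one receipt lifts the block
    allowed = reg.request_transfer("REG-A", "four.example")
    return blocked, acked, allowed, reg.unacked()
```

The `unacked()` list is what an out-of-band notice cannot provide: a registry-visible record of which losing registrars never confirmed receipt.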