RE: EPP minutia (was: Re: Gtld transfer process)
Hello John,
It appears that "REGISTRAR LOCK" has interesting per-registrar implementation variations which do not always put the domain holder's interests first. While the registry does not, per se, have a direct business interest with the domain holder, it should be possible to have a lock state which is more oriented to the critical needs of some business domain holders.
For a reasonable fee (and copious amount of documentation), it should be possible for any record holder to instruct the registry to lock the ownership of a domain down in such a way so as to require a similar amount of paperwork to release; thus effectively creating an "OWNER LOCK" state.
These services are actually already available in the competitive registrar market. It is a matter of choosing a registrar that has the right business model and services to suit the registrant. Many corporates already take advantage of such services.
Regards,
Bruce
It is a matter of choosing a registrar that has the right business model and services to suit the registrant.
What if a company doesn't want to deal with any registrar? What if they just want to register their domain name and have it stay registered. For some companies, their registered domain name is a critical part of their network infrastructure. Why should these companies be forced to deal with third parties who add no value to the service? There is no free market when ICANN forces companies to deal with 3rd parties rather than deal directly with the registry that provides the mission critical DNS service for their domain name. Perhaps this is another area where a membership-based NANOG could help by standing up and explaining the operational importance of DNS stability to the bureaucrats in ICANN.
--Michael Dillon
Michael.Dillon@radianz.com wrote:
It is a matter of choosing a registrar that has the right business model and services to suit the registrant.
What if a company doesn't want to deal with any registrar? What if they just want to register their domain name and have it stay registered. For some companies, their registered domain name is a critical part of their network infrastructure. Why should these companies be forced to deal with third parties who add no value to the service?
I disagree, in part. (1) The purpose of registrars is processing paperwork for verification of registrants. (2) The purpose of the registry is to run servers, as efficiently and inexpensively as possible. It's a reasonable division of labor.
There is no free market when ICANN forces companies to deal with 3rd parties rather than deal directly with the registry that provides the mission critical DNS service for their domain name.
There's only 1 registry, so there's never a "free market" there -- that's a monopoly by design. The competition between registrars is a good thing that has brought the registration process to a commodity market.
However, having any "market" requires penalties when the registrars fail to perform their function. And not just a "reputation" penalty, although that's certainly germane. An actual financial penalty. Markets are all about financial exchange. That's why (as originally designed) every registrar posts a large performance bond up front.
Clearly, Mel-IT failed in its responsibility to correctly process the paperwork for registration. That Mel-IT has a business model where they "farm out" the registration to incompetent third parties called "resellers" is of no interest. The third party is acting as an agent for Mel-IT, and Mel-IT is ultimately responsible. Moreover, the Mel-IT president/CEO/attorney/et alia egregiously demonstrated negligence when notified of the problem.
I expect that Mel-IT will be assessed a reasonable penalty for their failure. The usual penalty is 3 times actual (liquidated) damages. Since Mel-IT has already demonstrated a failure to perform, in addition their performance bond to continue as a registrar should be raised to at least 10% of their annualized gross income. It costs money to clean up their messes.
Those are the things required for a "free" market. Accountability. Responsibility. Free markets are not without cost.
Perhaps this is another area where a membership-based NANOG could help by standing up and explaining the operational importance of DNS stability to the bureaucrats in ICANN.
We have a membership-based NANOG. Everybody who joins NANOG is on this mailing list. Everybody who joins this mailing list is part of NANOG. We (in NANOG) have an interest in ensuring that the bureaucrats assess the penalty on behalf of our members -- that panix.com is made whole. Accountability. Responsibility.
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
It is a matter of choosing a registrar that has the right business model and services to suit the registrant.
On Wed, Jan 19, 2005 at 01:28:51PM +0000, Michael.Dillon@radianz.com wrote:
What if a company doesn't want to deal with any registrar? What if they just want to register their domain name and have it stay registered.
I really can't think of any domain name registrant that this statement doesn't apply to -- even the spammers.
<shrug> The purpose is so that someone can do all the "paperwork" for when that customer needs to change something ;-)
--
Joe Rhett
Senior Geek
Meer.net
Joe Rhett wrote:
What if a company doesn't want to deal with any registrar? What if they just want to register their domain name and have it stay registered.
I really can't think of any domain name registrant that this statement doesn't apply to -- even the spammers.
<shrug> The purpose is so that someone can do all the "paperwork" for when that customer needs to change something ;-)
The alternative is dealing with VGRS directly, and with apologies to the Verisign employees here who I'm sure aren't directly responsible for some of the extremely net-unfriendly activities Verisign has perpetrated lately, I wouldn't want to deal with the company myself.
--
JustThe.net - Apple Valley, CA - http://JustThe.net/ - 888.480.4NET (4638)
Steven J. Sobol, Geek In Charge / sjsobol@JustThe.net / PGP: 0xE3AE35ED
"In case anyone was wondering, that big glowing globe above the Victor Valley is the sun." -Victorville _Daily Press_ on the unusually large amount of rain the Southland has gotten this winter (January 12th, 2005)
At 11:02 PM +1100 1/19/05, Bruce Tonkin wrote:
Hello John,
It appears that "REGISTRAR LOCK" has interesting per-registrar implementation variations which do not always put the domain holder's interests first. While the registry does not, per se, have a direct business interest with the domain holder, it should be possible to have a lock state which is more oriented to the critical needs of some business domain holders.
For a reasonable fee (and copious amount of documentation), it should be possible for any record holder to instruct the registry to lock the ownership of a domain down in such a way so as to require a similar amount of paperwork to release; thus effectively creating an "OWNER LOCK" state.
These services are actually already available in the competitive registrar market.
It is a matter of choosing a registrar that has the right business model and services to suit the registrant.
If you believe that REGISTRAR LOCK meets the need, then I've failed to adequately communicate my requirements. The requirement is my domain remains unchanged despite complete failure or fraud of any number of registrars. Because REGISTRAR LOCK is administered by registrars, it cannot meet my requirements of absolute protection of change without direct owner intervention.
Also, consider past events, and the DNS community/ICANN response:
- DNS community claims that some registrars are being intentionally non-responsive on transfers in order to retain customers & revenue
- Rather than making failure to respond accurately and timely to a registry request a major issue, the DNS community/ICANN change failure to respond into implicit approval after five days
- As a result, there is an increased chance of hijacking, and some registrars are now automatically setting REGISTRAR LOCK on all their customers
How long before folks complain that REGISTRAR LOCK is now in the way of transferring domains, and we end up with an erosion in the meaning of that state?
It appears domain name owners for critical infrastructure have no choice but to continuously monitor the infighting among registrars and evolving DNS registry/registrar rules in order to protect themselves. This is a really unfortunate burden, since the vast majority of organizations simply want their domain name to be locked from changes without their direct consent.
/John
On Sun, 23 Jan 2005 00:00:29 EST, John Curran said:
If you believe that REGISTRAR LOCK meets the need, then I've failed to adequately communicate my requirements. The requirement is my domain remains unchanged despite complete failure or fraud of any number of registrars.
Do you have a requirement that the domain remain unchanged even in the face of fraud on the part of the registry itself? And what level of "Yes I really mean it" documentation do you consider sufficient to turn this *off* in case you *do* need to change something? Does it have to resist a forged e-mail? Forged fax and hacking your phone system so they can answer the confirmation callback? Forged notarized forms mailed to the registry rescinding the lock? A determined "black helicopter" attack on the part of a competitor?
At 12:55 AM -0500 1/23/05, Valdis.Kletnieks@vt.edu wrote:
On Sun, 23 Jan 2005 00:00:29 EST, John Curran said:
If you believe that REGISTRAR LOCK meets the need, then I've failed to adequately communicate my requirements. The requirement is my domain remains unchanged despite complete failure or fraud of any number of registrars.
Do you have a requirement that the domain remain unchanged even in the face of fraud on the part of the registry itself?
I indicated failure or fraud by registrars being the problem, not the registry. The moment that the registrars took it upon themselves to set registrar-lock without explicit direction of the domain holder, they implicitly picked up the ability to clear it without the same explicit direction. So, where's the lock the domain name holder sets which simply can't be cleared without *their* consent?
And what level of "Yes I really mean it" documentation do you consider sufficient to turn this *off* in case you *do* need to change something? Does it have to resist a forged e-mail? Forged fax and hacking your phone system so they can answer the confirmation callback? Forged notarized forms mailed to the registry rescinding the lock? A determined "black helicopter" attack on the part of a competitor?
It needs to survive random errors of omission (unlike the present lock...)
Ideally, a digitally signed request backed by a known chain of CA's, followed by a reasonable out-of-band verification process performed by the registry with a positive affirmation loop. There's known art in this area (ref: financial services) and it definitely doesn't look like the current Intra-Registrar domain transfer policy.
/John
On Sun, 23 Jan 2005 03:40:11 EST, John Curran said:
At 12:55 AM -0500 1/23/05, Valdis.Kletnieks@vt.edu wrote:
Do you have a requirement that the domain remain unchanged even in the face of fraud on the part of the registry itself?
I indicated failure or fraud by registrars being the problem, not the registry.
Right, and I asked whether fraud on the part of the registry itself was something you felt a need to defend against. Remember that we've caught some registries doing less-than-exemplary things, so being worried about fraud by registrars while blissfully ignoring a rogue registry is probably a bad idea...
ability to clear it without the same explicit direction. So, where's the lock the domain name holder sets which simply can't be cleared without *their* consent?
"We have a doesn't-LOOK-forged authorization from you on file..." ;)
Ideally, a digitally signed request backed by a known chain of CA's, followed by a reasonable out-of-band verification process performed by the registry with a positive affirmation loop. There's known art in this area (ref: financial services) and it definitely doesn't look like the current Intra-Registrar domain transfer policy.
OK.. that gives us all a *much* better idea of what level of protection you want.. Looks sane, looks sensible, proper selection of "known chain" even helps with the rogue registry problem, looks like something that companies in a particular mindset would want. All we need now is for somebody to make a workable business model out of it.. ;)
participants (7)
- Bruce Tonkin
- Joe Rhett
- John Curran
- Michael.Dillon@radianz.com
- Steve Sobol
- Valdis.Kletnieks@vt.edu
- William Allen Simpson