Re: EPP minutia (was: Re: Gtld transfer process)

[Valdis.Kletnieks () vt edu]

On Sun, 23 Jan 2005 03:40:11 EST, John Curran said:
> At 12:55 AM -0500 1/23/05, Valdis.Kletnieks () vt edu wrote:

> > Do you have a requirement that the domain remain unchanged even in the
> > face of fraud on the part of the registry itself? 
>
> I indicated failure or fraud by registrars being the problem, not the registry.

Right, and I asked whether fraud on the part of the registry itself was something
you felt a need to defend against.  Remember that we've caught some registries
doing less-than-exemplary things, so being worried about fraud by registrars while
blissfully ignoring a rogue registry is probably a bad idea...

> ability to clear it without the same explicit direction.   So, where's the lock
> the domain name holder sets which simply can't be cleared without *their*
> consent?

"We have a doesn't-LOOK-forged authorization from you on file..." ;)

> Ideally, a digitally signed request backed by a known chain of CA's,
> followed by a reasonable out-of-band verification process performed
> by the registry with a positive affirmation loop.  There's known art in
> this area (ref: financial services) and it definitely doesn't look like the
> current Intra-Registrar domain transfer policy.

OK.. that gives us all a *much* better idea of what level of protection you want.. 

Looks sane, looks sensible, proper selection of "known chain" even helps with
the rogue registry problem,  looks like something that companies in a particular
mindset would want.  All we need now is for somebody to make a workable
business model out of it.. ;)

Attachment: _bin
Description: