050040040 Transfer Policy PDP WG
Andrea Glandon - ICANN Org
28:46
Please review ICANN Expected Standards of Behavior here: https://www.icann.org/resources/pages/expected-standards-2016-06-28-en
Sarah Wyld (RrSG / Tucows)
29:14
Thanks to the small team group members for your extra work, much appreciated!
Emily Barabas - ICANN Org
30:57
https://docs.google.com/document/d/1O9PAnxWFUuPofLQCWIQXz8lT7KEj1HgH3b_obh0AK00/edit
Emily Barabas - ICANN Org
31:01
See page 7
Farzaneh Badiei (NCSG)
33:09
I thought we were not going to use the word “identify”
Sarah Wyld (RrSG / Tucows)
33:30
it makes me nervous
Farzaneh Badiei (NCSG)
34:11
tell me about it Sarah. Thanks Jim
Sarah Wyld (RrSG / Tucows)
36:13
Unique requirement was only for Rr-generated codes; if the RNH generates the code, they may set the same one on multiple domains. Do we want to prevent that now?
Andrea Glandon - ICANN Org
38:33
**Members: when using chat, please select Panelists and Attendees or Everyone in order for everyone to see chat.
Sarah Wyld (RrSG / Tucows)
39:15
thanks, it's great to have principles to focus our criticism on :)
Kristian Ørmen (RrSG)
39:36
I really think the auth id would be more secure if it would have a TTL at the registry level
Prudence Malinki (RrSG)
40:26
+1 Kristian
Kristian Ørmen (RrSG)
42:12
I think many registrars today allow the registrant to set the code
Kristian Ørmen (RrSG)
42:37
And that will continue to happen if the auth id is created at the registrar level instead of the registry
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
45:13
Comment: Registrar storing auth-code - may be necessary to facilitate reseller/api wholesale type registrar models for their downline
Lutz Donnerhacke
45:46
Two Factor authentication for whom? Most registrants are unable to handle the technical difficulties
Sarah Wyld (RrSG / Tucows)
46:00
how would using those be prohibited? like would we make a list of characters that are disallowed? is there an easy techy way that I don't know about?
Farzaneh Badiei (NCSG)
47:06
they can’t handle two factor auth? I doubt that.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
48:00
@sarah just like requiring upper, lower, number, special, it would be a string constraint .... didn't want to proclaim the homoglyph stuff in small team - but my suggestion was that we don't say use One or lower case L only, but rather these are sets that only one can be present in a string
Lutz Donnerhacke
48:08
@Farzaneh: Not the industrial registrants … the normal ones.
Sarah Wyld (RrSG / Tucows)
48:36
Jothan - thanks, interesting
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
49:08
16 characters was the maximum available venn diagram overlap between the max/min across the diversity of Registry Service Providers currently
Lutz Donnerhacke
50:07
Can the rate limit of authinfo code tries be implemented at the registry level? Or are Registrars considered as honest and lawful in any case?
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
50:22
Steve's wise on UX presentation and the user interface for clarity. Spaces might complicate where cut/pasting auth's
Farzaneh Badiei (NCSG)
50:39
so do we have a use case that explains the user experience in using the authentication code and what the challenges are?
Farzaneh Badiei (NCSG)
50:58
or are we saying all this from registrars and registries experience
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
51:17
I could try requesting one for a domain that I have at Network Solutions and document that process Farzaneh
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
51:30
the experience varies, though
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
51:59
I just happen to have one there that I need to practically transfer, I am not singling them out.
Farzaneh Badiei (NCSG)
52:41
that would be helpful. I wonder if the complaints from registrants could illustrate the problems too
Sarah Wyld (RrSG)
52:59
Yeah - we should see what data we can gather up
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
53:12
There is a diversity to each side of the process on gaining and incumbent registrar, and there is per TLD/RSP flavor
Sarah Wyld (RrSG)
55:13
So we're contemplating requiring all Rrs to implement MFA for their own CPs? That is a good best practice but making it mandatory seems maybe overstepping?
Sarah Wyld (RrSG)
55:18
(Or I misunderstood)
Sarah Wyld (RrSG)
55:29
(or is the second factor the actual Registrar CP password?)
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
55:49
2-factor was at a different abstract layer than the EPP/SRS stuff, it was suggested as being a requirement that an account at the registrar have a minimum level of security to access the domain's auth-info code due to the auth-info being the keys to the domain.
Farzaneh Badiei (NCSG)
57:10
hmm I am a very small registrant and have to use dual factor authentication everyday for simple transactions… so I think we need to do more research on what the reality is …
Volker Greimann (RRSG)
57:30
We should not try to increase domain stickiness
Farzaneh Badiei (NCSG)
57:58
what is domain stickiness
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
58:06
Trying to find balance between adequate protections and level of friction/difficulty - plus being modest with altering status quo
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
59:00
@Farzaneh stickiness is where a domain registrant feels trapped by Kafka/technical or other things that do not allow an egress transfer
Lutz Donnerhacke
59:17
@Farzaneh My experience with customers is quite different. They call us to do "anything" from them.
Sarah Wyld (RrSG)
59:49
Would definitely lead to an increase in support volume
DANIEL K. NANGHAKA (At-Large)
01:00:41
we should look at the effectiveness, efficiency of the process amidst security concerns that may arise during the transfer process
Sarah Wyld (RrSG)
01:01:34
sure no prob
Sarah Wyld (RrSG)
01:01:40
nope go ahead
Farzaneh Badiei (NCSG)
01:02:08
Domain stickiness can happen when you rely on Kafkaesque processes. And very old password technology.
Farzaneh Badiei (NCSG)
01:03:36
but anyhow I think we need to know more about registrants complaints and what their problems are with auth code
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:04:43
the key will be having a means to delineate between technical aptitude of user and failure/complexity of process on that
Sarah Wyld (RrSG)
01:08:23
Yes - I didn't mean to suggest I'm not open to changing the existing process, just tryin to catch up with the small team :)
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:09:03
my perspective as a small team member was that we gather up the legos and dump them on the table for the WG to build with
Theo Geurts (RrSG)
01:09:35
good perspective
Crystal Ondo - Google (RrSG)
01:09:48
That's how we handle it currently fwiw. The registrant has to click a button to trigger display of the code in our UI. But the code is created on our end, and sent to the RY, upon creation / transfer-in of the domain.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:11:51
this is obvious but should not be overlooked.... IF empty auth/null is used when authcode not set, there MUST be restriction from that being considered as "no code furnished = matches registry, proceed"
Sarah Wyld (RrSG)
01:12:19
Good point Jothan
Sarah Wyld (RrSG)
01:16:15
+1 Berry!
Kristian Ørmen (RrSG)
01:16:16
:D
Farzaneh Badiei (NCSG)
01:16:17
well I think we are here to set policy and not micromanage how registrars should do things. I agree with the Lego analogies. though it ain't as much fun
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:16:29
Is anal-retentive hyphenated?
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:16:32
;)
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:17:43
Many of the better resources for transfer information exist throughout registrars' help pages
Farzaneh Badiei (NCSG)
01:18:28
shouldn’t the part of ICANN org that is involved with receiving transfer complaint also give us some data to work with?
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:18:30
one of the resources we used for a high level review of the gTLD auth code information was the well-made wiki that rrp-proxy has for their reseller program as an example.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:19:03
often, those are focused on the specific manner in which the registrar has implemented their transfer process
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:19:35
and there is some diversity to these
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:19:43
from registrar to registrar
Farzaneh Badiei (NCSG)
01:20:06
of course you can’t cover all use cases but at least it will be more objective…
Lutz Donnerhacke
01:20:20
If there were a fallback procedure to recover from a failed transfer (well defined post mortem process), the whole subject would be much easier.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:21:04
@farzaneh that might be helpful to have some data - high level - on what the things are that registrants complain about … as mentioned earlier, there is a use sophistication hurdle that might taint that info
Farzaneh Badiei (NCSG)
01:22:02
@JF I agree.
Theo Geurts (RrSG)
01:22:55
IRTP-C one lesson learned, the amount of use cases is just endless
Lutz Donnerhacke
01:23:59
bulk Transfer is either handled by Automation or is hard.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:24:10
Lego …. we done been told once @roger :)
Sarah Wyld (RrSG)
01:24:12
"Lego" is plural
Sarah Wyld (RrSG)
01:24:35
Agreed! Criticism is way easier than creation :)
Theo Geurts (RrSG)
01:25:10
@Lutz bulk transfers are normal on a registry or registrar level. Several ccTLDs have excellent procedures for bulk transfers.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:25:14
rather than ask how long the string should be, we defined a length and let people tell us it is not right
Farzaneh Badiei (NCSG)
01:25:41
well perhaps you have a different process to come up with use cases. If we have a limited scope … the whole technology world builds products and develops policy based on use case… maybe we need a different way of coming up with use cases in a Multistakeholder world. Unlike the former dismantled WHOIS PDP that came up with imaginary consumer protection use cases.
Farzaneh Badiei (NCSG)
01:26:05
plural is Lega
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:26:12
if volunteer time were infinite and free @Farzaneh :)
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:26:27
if only :)
Farzaneh Badiei (NCSG)
01:26:59
all I am saying is we need to be more objective. call it use case, real world scenario complaint aggregation etc
Volker Greimann (RRSG)
01:27:10
This is why we need a strong recall mechanism
Theo Geurts (RrSG)
01:27:25
Lucky for us this is not a WHOIS focussed WG Farzaneh
Sarah Wyld (RrSG)
01:28:09
I agree with Farzaneh about wanting more info about real-world complaints. I think we asked each SG/etc to provide input... did we get much?
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:28:25
the WHOIS trees have seven year rings. This group hopefully has only one 2 year ring
Theo Geurts (RrSG)
01:28:41
We got some good input Sarah
Sarah Wyld (RrSG)
01:29:12
Thanks Theo, I need to go find that, I think
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:29:42
A TTL should have a minimum value no less than 1-2 days. Would not want a sticky registrar to set it to 5 minutes
Emily Barabas - ICANN Org
01:29:59
@Sarah, we have not yet gotten input from any of the SO/AC/SG/Cs but they still have some time to respond to the request.
Sarah Wyld (RrSG)
01:30:54
Thanks Emily, I just found that in the meeting notes!!
Emily Barabas - ICANN Org
01:31:02
(In response to the request for early input on the charter questions)
Sarah Wyld (RrSG)
01:31:03
Explains why I could not remember reviewing the input :)
Kristian Ørmen (RrSG)
01:32:36
You should always be allowed to just overwrite the code with a new one if needed
Theo Geurts (RrSG)
01:32:36
Some fax you the TAC
Sarah Wyld (RrSG)
01:32:50
+1 Kristian re overwrite
Farzaneh Badiei (NCSG)
01:33:12
I need to drop off. will look for homework on the mailing list. Thanks for changing that scary word Jim.
Holida Yanik (ICANN Org)
01:33:20
Regarding transfer complaints involving AuthCode/unlocking domains, as ICANN Contractual Compliance we see complaints mentioning inability to access control panel, difficulties with completing 2-factor verification, registrar did not respond to AuthCode/unlocking requests, registrar provided incorrect AuthCode.
Kristian Ørmen (RrSG)
01:33:31
Yes. There should be logs of all activity
Theo Geurts (RrSG)
01:34:12
Agreed
Sarah Wyld (RrSG)
01:34:20
Agreed
Lutz Donnerhacke
01:36:58
Yep, Registrars or Resellers which deny access to authinfo codes are a problem. It becomes worse if the Reseller goes out of service. There is no procedure for it; the registrant is completely lost
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:37:09
@holida that is helpful - 2fa is the majority of the issue I face - lost/broken mobile
Volker Greimann (RRSG)
01:37:29
lutz+1
Lutz Donnerhacke
01:37:55
But let us discuss the number of Chars in the code
Theo Geurts (RrSG)
01:38:01
We have procedures in place if a reseller goes bankrupt, we still need to be compliant with the RRA
Lutz Donnerhacke
01:39:31
bankrupt is the only way to become unresponsive. Some still exist, but change their scope and let the domain reselling department die
Lutz Donnerhacke
01:39:39
.. not ..
Theo Geurts (RrSG)
01:40:32
yeah sometimes you need to shake up "certain" resellers. Still registrar needs to comply with the RRA.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:40:37
TTL vs Real World can be problematic - ie 48 hour TTL on a Friday before a 3 day weekend or holiday
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:41:17
or at a company that has many levels of bureaucratic or Kafkaesque silos/processes for transfers
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:41:24
etc scenarios.
Lutz Donnerhacke
01:41:33
You do not need a weekend. It's sufficient to have three different departments at the customer.
Volker Greimann (RRSG)
01:41:54
Most registrants do not lock their domain
Volker Greimann (RRSG)
01:42:39
absolutely
DANIEL K. NANGHAKA (At-Large)
01:43:08
for TTL we could have a standard time zone or look at the timing
Andrea Glandon - ICANN Org
01:43:37
**Members: when using chat, please select Panelists and Attendees or Everyone in order for everyone to see chat.
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:43:45
TTL could just be 'time remaining' vs specific date
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:44:04
so as to not complicate UTC/Timezones etc
James Galvin (RySG)
01:44:18
with the TAC it’s eligible to be moved. whether or not you can is still subject to the system.
zzzJody Kolker GoDaddy Registrar (RrSG Alternate)
01:44:20
reposting for all attendees: Most registrants don't lock the domain, but do registrars lock them as a default?
Theo Geurts (RrSG)
01:44:39
we do not Jody up to the reseller
James Galvin (RySG)
01:44:40
some registrars lock by default
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:44:46
The interaction with Lock/Auth and what can/cannot be done should be well defined. ie, can/cant do X if locked
Volker Greimann (RRSG)
01:44:50
Some do, some don’t
Theo Geurts (RrSG)
01:45:10
some sell a registrar lock to registrants where the reseller cannot remove the lock
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:45:28
The second to last bullet is worth looking at
Jothan Frakes (Plisk.com / Rr Alt / Small Group)
01:46:18
Appreciated serving on small team, thank you and glad to join future groups
Sarah Wyld (RrSG)
01:46:46
Thanks, all
Kristian Ørmen (RrSG)
01:46:48
Thank you
Catherine Merdinger (RrSG)
01:46:51
Thanks everyone!