Provide feedback on how domain transfers should work.
ICANN invites comments on an initial working group report that includes recommendations to change how domain transfers work.
The initial report (pdf) proposes a series of changes to domain transfers between registrars. The most important is to remove the authorization form step in domain transfers.
Here’s how a domain transfer works today:
1. Customer obtains an authorization code from their existing registrar and provides it to the winning registrar
2. The winning registrar verifies the transfer request and initiates the transfer
3. The losing registrar sends a notice (an “Authorization Form, or FOA) of pending transfer to the customer, giving them up to 5 days to cancel the request
The proposal would eliminate step 3 but add a notification to step 1. When you request an authorization code (which will be called a transfer authorization code), your registrar will be required to notify you of this request.
But here’s the thing: Even if it only takes a few minutes to email the customer about the request, the domain transfer may already be complete before it can be stopped.
This seems like a step backwards for domain transfer security. I also believe that registrars will create a backdoor security feature (as shown below) similar to the dreaded delay you encounter when trying to transfer a domain out of web.com registrars.
Here is the comment I submitted to ICANN:
Thank you for your work in modernizing domain transfers.
I am concerned about the decision to remove the Losing Registrar’s Form of Authorization (FOA). With FOA, a domain owner could become aware of a fraudulent transfer and have time to contact the registrar to stop it. Under the proposed system, the registrant of the domain name will likely not become aware of a transfer until the transfer is complete.
Although this will facilitate transfers and — in the terms of the initial report — instantaneousI am afraid that this leads to fraudulent transfers.
It would be interesting to hear from registrars how often customers try to stop fraudulent transfers after receiving the FOA.
There is a backdoor security measure that registrars could take to reduce the chances of this happening: domain registrars could delay the delay between people requesting Transfer Authorization Codes (TAC ) and issuing them to customers. I fear that registrars will feel compelled to implement this backdoor security measure, which will end up burdening domain registrants; they will have to request the code and then wait a long time for it to arrive before providing it to the winning registrar. They would not be able to complete the domain transfer process in one sitting.
I understand that the working group is working on transfer cancellation procedures at a later stage. Approving a less secure transfer system before determining restore functionality doesn’t make sense to me.