There are four parties involved in the transfer process:
The registrant or domain owner;
The losing registrar;
The gaining registrar.
The central registry - central repository of records.
Got that?
Okay, the way a transfer was supposed to work was as follows:
The domain owner submits a transfer request to the gaining registrar
The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
Having received such confirmation, they notify the central registry that the transfer is valid.
The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
If the losing registrar does not object, the transfer is executed.
(Steps 2 and 4 actually run in parallel, but that's irrelevant.)
The Problem However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.
One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)
Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.
When one tries to cover ones ass too much, one's hands end up covered in shit.
Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.
The Solution The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them It does not require the losing registrar to do so, so this is business as usual for the nice registrars.
The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.
What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.
Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
A question for you: how can the gaining registrar, who has no previous contact with the customer, ensure that the person they are dealing with is the same person who originally registered the domain with the losing registrar?
Isn't it _easier_ for the losing registrar to ascertain this?
The gaining registrar uses the existing whois data to verify the customer's details. Usually this takes the form of an email send to the admin-c address with a unique url for the user to follow.
Remember, this is how it's currently done.
The losing registrar works off the whois data too. The only extra information the losing registrar may have would perhaps be the credit card used to pay for the domain, and really, this sort of information shouldn't be accessable anyway once the payment has been made. If th
The only extra information the losing registrar may have would perhaps be the credit card used to pay for the domain, and really, this sort of information shouldn't be accessable anyway once the payment has been made.
My recent experience has been that the losing registrar has a username/password combination for the registrant, which is likely more secure than a random number in an e-mail that could be sniffed by anyone on the same network as the registrant when they download it. And which is often sent t
That's a fair point. In my experience however, most of the clients who come to us with an existing domain have forgotten their registrar username and password, and have to get it resent to them, via email.
If Joe Public valued such things as they should, then the losing registrar would certainly be in a better position to authenticate things.
Having said that, the issue at hand isn't authentication: it's the problem of registrars blocking their customers from moving to the competition by (mis)use of the pro
"No, no, I don't mind being called the smartest man in the world. I just wish
it wasn't this one."
-- Adrian Veidt/Ozymandias, WATCHMEN
GOOD thing, not BAD thing. (Score:5, Informative)
- The registrant or domain owner;
- The losing registrar;
- The gaining registrar.
- The central registry - central repository of records.
Got that?Okay, the way a transfer was supposed to work was as follows:
- The domain owner submits a transfer request to the gaining registrar
- The gaining registrar was to seek confirmation of the transfer from the domain owner, based on existing whois information, and independent of the request.
- Having received such confirmation, they notify the central registry that the transfer is valid.
- The central registry notifies the losing registrar of the imminent move, to give them a chance to block it should there be unresolved billing issues or other disputes. Only in such a case was the losing registrar meant to block the transfer.
- If the losing registrar does not object, the transfer is executed.
(Steps 2 and 4 actually run in parallel, but that's irrelevant.)The Problem
However, a number of losing registrars put in a policy some time ago that they would also seek confirmation from the domain owner, despite the gaining registrar having already done so in step 2. They would object to all transfers unless they received authorisation to their liking from the domain owner.
One registrar in particular required a copy of an Australian driving licence or passport, or a notarised letter for non-aussies. In this case it made the administrative cost of a transfer prohibitively high. The did not require this level of identification when a domain was being transferred to them. (Before you ask, yes the admin details were correct. They were just being berks.)
Invariably this policy was put in by registrars to try to prevent customers moving to other registrars, by adding additional hoops. The 'excuse' put forward was to reduce exposure to legal actions.
When one tries to cover ones ass too much, one's hands end up covered in shit.
Not all registrars did this - the nicer ones honored the word of the gaining registrar and only interfered if there were billing issues etc.
The Solution
The new ICANN rules is a compromise - it now explicitly allows the losing registrar to seek the double confirmation, but they can no longer block the move just because the customer didn't jump through enough hoops for them
It does not require the losing registrar to do so, so this is business as usual for the nice registrars.
The important point is that the gaining registrar still has to verify the transfer in the first place, as it should be. The customer confirms their identity once, and no more.
What's to stop a registrar faking authorisation? The loss of their ICANN accredidation, and hence their business.
Final point: although this is a non-story, it *is* important to make sure your admin details, especially your email address, are correct and up to date. Just as you would check your entry in the phone book, check your whois data too.
Re:bullshit (Score:2)
The ICANN position has *always* been that the gaining registrar must verify the request.
If your company doesn't do this, then it's not fulfilling it's responsabilities, and should have it's ICANN accredidation removed.
ICANN, until now, *never* asked losing registrars to double-check the veracity of the transfer.
Companies like yours which did so introduced needless delays for the customer.
this new system is going to turn out very badly for everyone
This syst
Re:GOOD thing, not BAD thing. (Score:2)
Isn't it _easier_ for the losing registrar to ascertain this?
Re:GOOD thing, not BAD thing. (Score:2)
Remember, this is how it's currently done.
The losing registrar works off the whois data too. The only extra information the losing registrar may have would perhaps be the credit card used to pay for the domain, and really, this sort of information shouldn't be accessable anyway once the payment has been made. If th
Re:GOOD thing, not BAD thing. (Score:2)
My recent experience has been that the losing registrar has a username/password combination for the registrant, which is likely more secure than a random number in an e-mail that could be sniffed by anyone on the same network as the registrant when they download it. And which is often sent t
Re:GOOD thing, not BAD thing. (Score:2)
If Joe Public valued such things as they should, then the losing registrar would certainly be in a better position to authenticate things.
Having said that, the issue at hand isn't authentication: it's the problem of registrars blocking their customers from moving to the competition by (mis)use of the pro