gTLD transfer process

The loophole that led to this error has been closed.

Perhaps for you but this process leaves a lot of registrars in position
to do damage, accidentally or by the criminal action of staff.

In some cases registrars delegate the obtaining of the approval from a reseller

Though well intentioned to make it easier to move away from
bad registrars all this does is put everyone else at far greater
risk - not only from registrars but also their resellers who are
likely to be unvetted. It seems quite easy for criminals to
gain control

Many registrars now put names on lock by default

So we're back to needing the cooperation of the old registrar, may as well
have stuck with the old, less risky, way

(7) If the registry receives no response from the losing registrar
after a 5 day period, the transfer will be completed.

Adding the risk of not noticing and it just going through unchallenged

(9) If the losing registrar believes that a transfer was unauthorised,
the losing registrar may contact the gaining registrar for a copy of the
authorisation in step 2 to arrange for the transfer to be reversed.

Too late, the damage is done

In the case of, the step (2) failed at the gaining registrar.
I can't comment on steps taken by the losing registrar.

It doesn't matter, the system is broken by design - they had to trust you
to be correct

The principle of the process, is that a registrant can move to another
domain name provider (registrar or reseller) at any time, and can
initiate a transfer from the new provider. This relies on the new
provider authenticating the request.

I'm only paying my registrar to be trustworthy, I don't want to have
to trust the rest

The integrity of the process is greatly improved through the use of the
auth_info password in the EPP protocol. This has been operating
effectively in .org, .info, .biz and .name.

I disagree (the new whois sucks too)

My personal view is that the current transfers policy WITH the use of
auth_info and WITH the use of registrar-LOCK is a reasonable balance
between security and allowing registrants to easily move their name.

My experience has been that getting auth_info (which criminal staff
would have access to) from bad registrars is almost impossible, with
registrar-LOCK too they have enough control to negate the gain in
being able to pull a domain to a new registrar - you still need the
cooperation of the old one so it's just as bad as the old way but lots
more risk for everyone

EPP is thus of no advantage and registrar pull is dangerous

I am interested to hear what members of the NANOG list believe would be
a better transfers process.

Everyone has their ideas but the people running a $1.2B business should be able
to do better