RE: improving the registrar transfer process

Hello William,

We know how to do 3-way handshakes. Rather a fundamental of
the Internet. So quickly folks forget....

We knew in advance that the VRSN/NetSol/whatever protocol was
terrible, and that the ICANN policy change was not going to
be helpful.

The ICANN policy change had no impact on this particular incident.

As the incident has been documented so far, the transfer would have
occurred under both the old and the new policy.

With respect to the protocol. An IETF process was used to develop the
EPP protocol as a replacement for RRP.

With respect to notifications of transfers, the new protocol handles
this by a message queue at the registry. (ie email is no longer the

It might be useful to consider reviewing the protocol to ensure that a
transfer cannot proceed unless the losing registrar system confirms
receipt of the transfer request.


I think it would be helpfull if you explain what steps are involved in
domain transfer process (to your registrar) and its authorization, i.e.
something like
1. MIT receives transfer request from reseller
2. MIT sends email confirmation to whois contact (which contact - tech,
3. MIT sends email (or is it request through Verisign RRP?) to Verisign
4. MIT waits for such and such action...

I also would like to confirm who is responsible for denying transfer
request if LOCK is present. Is Registry supposed to do it automaticly
or is it responsibility of losing registrar to actively deny the request
if they have put lock on domain?