Nov. 12, 2021
5:12 p.m.
On Fri, Nov 12, 2021 at 09:19:25AM +0100, Chokri Ben Romdhane via CPWG wrote:
> So I'm with removing the 60-day lock after the successful transfer, since the TAC (or any other technical mechanisms) may avoid any transfer risks.
Unfortunately this is not true. Using a different authentication mechanism does not reduce fraud consequences. Such codes are always also available to insiders and social engineering. So the problem with a fraudulent transfer is not gone. Hence we need to block further changes of the registrar (lock). But the most common action required (change of the domain data) should be lifted from a lock. We only need to catch the thief in the first step.