Reminder: Deadline for input to Transfer PDP Initial Draft for Phase 1A is May 14, 2022
Dear all,

A friendly reminder to give your input to the Draft Initial Report for phase 1a. If there are charter questions that At-Large would like to be worded differently, please update https://docs.google.com/document/d/1_wY631ybdRAwieTUsSR8uEcfTimwoP592oP93Sv1... in the corresponding section. The draft initial report is attached to this email.

In my opinion – but not necessarily all At-Large Working Group members' view – the discussion and recommendations in the PDP WG will be an improvement for secure and smooth transfers of gTLD domain names from one accredited registrar to a new registrar.

After the deadline, the working group will spend the following four working group meetings reviewing the items submitted in the input document. If your groups are unable to provide input by 14 May, feedback on the Initial Report can be provided during the public comment period.

Regards,
Steinar Grøtterød
On Mon, May 09, 2022 at 09:57:22AM +0000, Steinar Grøtterød via CPWG wrote:
A friendly reminder to give your input to the Draft Initial Report for phase 1a.
My business duties in the last few days were more than expected, so I'm late in adding comments.
After the deadline, the working group will spend the following four working group meetings reviewing the items submitted in the input document. If your groups are unable to provide input by 14 May, feedback on the Initial Report can be provided during the public comment period.
That's the main point. The requested input right now is primarily to find missing or erroneous parts in the initial report. There is no expectation of deep discussions, they will be expected during the upcoming public comment phase. By my reading of the initial report and the AtLarge "Draft responses" I do not miss anything important (besides the point, that the FOAs are removed in exchange for a promise to have an easy to use rollback mechanism later) or misleading.
On Sat, May 14, 2022 at 11:48:25PM +0200, Lutz Donnerhacke via CPWG wrote:
By my reading of the initial report and the AtLarge "Draft responses" I do not miss anything important (besides the point, that the FOAs are removed in exchange for a promise to have an easy to use rollback mechanism later) or misleading.
Please let me explain my point by quoting some lines of the "TRP Initial Report Draft", lines 576-580 (https://community.icann.org/display/TPRPDP/Working+Documents?preview=/167543...)

-----
Taking into account these considerations, the working group determined that the Losing FOA requirement should be eliminated and replaced with new requirements. These new requirements allow the transfer to occur in nearly real time while ensuring that:
1. The RNH is informed of an inter-Registrar transfer and
2. A sufficient record of the process is maintained to support investigation of complaints and resolution of disputes.
-----

As far as my memory told me, this was one of the occurrences of this "promise of a quick-reverse mechanism". But this promise is missing in the draft.

OTOH on the same page there is a mention of a "TAC notification" which seems to replace the "Losing FOA", but cannot stop the initiated transfer. There is a time window to transfer the domain using the TAC, which is sent out at roughly the same time as the notification, so the TAC can be used before the registrant had time to react (given that most registrants do not read email every day).

Lines 606-629 state that a "Notification of Transfer Complete" must be sent. This might also be called "Damage report", if something went wrong. I.e. the registrant's notification email is using the domain name, which was transferred maliciously, so the attacker can redirect all emails and filter the notification. So the line 628/629 instructions how to revert a domain transfer might not reach the (former) registrant.

Yes, this is not part of the current process, but should be raised during the public comment phase.
On Sat, May 14, 2022 at 11:48:25PM +0200, Lutz Donnerhacke via CPWG wrote:
misleading.
Another example for misleading wording is the partial(!) replacement of "registrant" with "RNH" (aka Registered Name Holder) without providing a clear definition and differentiation of those terms. I'd like you to let this sink in.