Dear Steinar, you say:

Another question is whether 60 days is the right number of days. It could be higher or lower.

That was exactly what puzzled me. If I understand the process correctly, there is no reason for having the same number for #1 and #2. Specifically, I would keep the grace period quite long after the initial registration, because there might be a reasonable chance that the affected parties are not all fully aware (e.g. fraudulent action), while after the successful transfer there has been already an interaction. Cheers, Roberto

On 10.11.2021, at 08:45, Steinar Grøtterød via CPWG <cpwg@icann.org> wrote:

Dear Gopal,

Thanks for your input.

Re Q3: The 60-days transfer lock after initial registration and successful transfer is today implemented in the Inter-Registrar transfer Policy. The majority of the Registries have these locks included in their RRA, but there is an option to change the 60-days lock policy in a reviewed inter-registrar policy.

Re Q4: Similar to the present option to opt-out of a transfer lock after change of registrant (COR), a reviewed inter-transfer policy can give the option for the Registrant to opt-out of the transfer locks. However, the Registrar may define in their Terms of service that an opt-out cannot be done even though the Registry allow this.

Another question is whether 60 days is the right number of days. It could be higher or lower.

Sorry for confusing wording. My intention was to get some feedback from CPWG.

Regards, Steinar Grøtterød

On 10/11/2021, 06:18, "gopal@annauniv.edu" <gopal@annauniv.edu> wrote:

Dear Steinar Grøtterød,

Thank you for the queries.

My reference for this discussion is:

https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en

ICANN's mandatory verification process of any details is of paramount importance.

#1:

The initial registration is frozen after a grace period. Hence I support the 60 - Day Lock - in for any further changes / transfers.

#2:

I suppose this.

#3: Registrar Only ?

Transfer is only through the Registrar.

#4:

Registrants cannot transfer.

Quick Notes:

Assumption:

Contact Updates and Transfers are separate. Contact Updates have the opt-out provision even now. Transfers do not.

Registrar & Registrant

If one opts-out of the transfer lock for contact update, one will not have to wait 60 days to transfer it. But one will still have to wait for any other transfer lock to lapse.

Whois Privacy updates are exempt from such lock-ins.

Questions for a quick check:

How does one ensure that there are no other locks ?

Are there any Generic Top Level Domains (gTLD) and Country Codes that are not effected by this policy?

Sincerely,

Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On 2021-11-09 23:14, Steinar Grøtterød via CPWG wrote:

...

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

3. Could the above be optional?

4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards,

Steinar Grøtterød _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

---

CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

On Wed, Nov 10, 2021 at 02:44:09PM +0530, gopal--- via CPWG wrote:

The rationale for 60 days for all as I understand :

That's the same understanding I have.

The original registrant is very likely to notice the problem during the 60-day window and alert the authorities about the issue. A domain that has been transferred is also a lot harder to reclaim. [...] Keeping the number of days same for all makes business sense to me.

Yep.

Need clarification on : Change of Contact Details of the Registrant.

Personally I have not problem in chaning the contract details earlier. In many cases this change is more important, than the change of the registrar, because something in the ownership did really changed. It does also make complain handling easier, i.e. if you have to complain in the name of a company, which does not longer exist. The authorities will become confused ...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks. Account control panel compromises (a strong indicator) were absent for most of the months. Average domain transfers are around 400.000-500.000 a month. Best. Theo On Wed, Nov 10, 2021, at 11:48 AM, Michele Neylon - Blacknight via CPWG wrote:

I’d recommend you read the SSAC papers on hijacks as well as some of the background materials for previous IRTP PDPs

A lot of the locks that exist at the moment are due to past experience ie. Domains being hijacked etc.,

-- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

*From: *CPWG <cpwg-bounces@icann.org> on behalf of Steinar Grøtterød via CPWG <cpwg@icann.org> *Date: *Tuesday, 9 November 2021 at 17:45 *To: *CPWG <cpwg@icann.org> *Subject: *[CPWG] Transfer Policy Review Team: Question about the 60-days lock *[EXTERNAL EMAIL]* Please use caution when opening attachments from unrecognised sources.

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name? 2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name? 3. Could the above be optional? 4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards, Steinar Grøtterød _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

This is very good news. The framework of operations for domain transfers seems to be quite robust. However, I note that ICANN does not have contractual authority to require a registrar to transfer a domain name back to a different registrar or registrant, even if a transfer was the result of an unauthorized access to your email account or other login credentials. Sincerely, Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ On 2021-11-10 17:52, Theo Geurts via CPWG wrote:

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 12:21 PM, Theo Geurts wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 11:48 AM, Michele Neylon - Blacknight via CPWG wrote:

...

I’d recommend you read the SSAC papers on hijacks as well as some of the background materials for previous IRTP PDPs

A lot of the locks that exist at the moment are due to past experience ie. Domains being hijacked etc.,

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

FROM: CPWG <cpwg-bounces@icann.org> on behalf of Steinar Grøtterød via CPWG <cpwg@icann.org> DATE: Tuesday, 9 November 2021 at 17:45 TO: CPWG <cpwg@icann.org> SUBJECT: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

3. Could the above be optional?

4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards,

Steinar Grøtterød

_______________________________________________

CPWG mailing list

CPWG@icann.org

https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

---

CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Hi Bill, A very good question (that I don’t know the answer to). Maybe someone else on the list have an answer? If not, I will put the question to the TPR WG. Regards, Steinar Grøtterød From: CPWG <cpwg-bounces@icann.org> on behalf of CPWG <cpwg@icann.org> Reply to: Bill Jouris <b_jouris@yahoo.com> Date: Wednesday, 10 November 2021 at 14:10 To: Theo Geurts <atlarge@dcx.nl>, CPWG <cpwg@icann.org>, "gopal@annauniv.edu" <gopal@annauniv.edu> Subject: Re: [CPWG] Transfer Policy Review Team: Question about the 60-days lock If ICANN does not have the contractual ability to require transfer back after unauthorized change, the contracts ought to be updated to provide for that. Bill Jouris On Wednesday, November 10, 2021, 04:52:55 AM PST, gopal--- via CPWG <cpwg@icann.org> wrote: This is very good news. The framework of operations for domain transfers seems to be quite robust. However, I note that ICANN does not have contractual authority to require a registrar to transfer a domain name back to a different registrar or registrant, even if a transfer was the result of an unauthorized access to your email account or other login credentials. Sincerely, Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ On 2021-11-10 17:52, Theo Geurts via CPWG wrote:

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 12:21 PM, Theo Geurts wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 11:48 AM, Michele Neylon - Blacknight via CPWG wrote:

...

I’d recommend you read the SSAC papers on hijacks as well as some of the background materials for previous IRTP PDPs

A lot of the locks that exist at the moment are due to past experience ie. Domains being hijacked etc.,

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

FROM: CPWG <cpwg-bounces@icann.org<mailto:cpwg-bounces@icann.org>> on behalf of Steinar Grøtterød via CPWG <cpwg@icann.org<mailto:cpwg@icann.org>> DATE: Tuesday, 9 November 2021 at 17:45 TO: CPWG <cpwg@icann.org<mailto:cpwg@icann.org>> SUBJECT: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

3. Could the above be optional?

4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards,

Steinar Grøtterød

_______________________________________________

CPWG mailing list

CPWG@icann.org<mailto:CPWG@icann.org>

https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Apart from IRTP-D policy (a sort of UDRP for transfers), there is no other ICANN process. But it is within the scope of this WG to discuss this and we already discussed briefly a process to reverse unauthorized transfers. Most of the unauthorized transfers are solved between the losing and gaining registrar. Again it does not happen much as these numbers are very low. Theo On Wed, Nov 10, 2021, at 3:51 PM, Steinar Grøtterød via CPWG wrote:

Hi Bill,

A very good question (that I don’t know the answer to).

Maybe someone else on the list have an answer? If not, I will put the question to the TPR WG.

Regards, Steinar Grøtterød

*From: *CPWG <cpwg-bounces@icann.org> on behalf of CPWG <cpwg@icann.org> *Reply to: *Bill Jouris <b_jouris@yahoo.com> *Date: *Wednesday, 10 November 2021 at 14:10 *To: *Theo Geurts <atlarge@dcx.nl>, CPWG <cpwg@icann.org>, "gopal@annauniv.edu" <gopal@annauniv.edu> *Subject: *Re: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

If ICANN does not have the contractual ability to require transfer back after unauthorized change, the contracts ought to be updated to provide for that.

Bill Jouris

On Wednesday, November 10, 2021, 04:52:55 AM PST, gopal--- via CPWG <cpwg@icann.org> wrote:

This is very good news.

The framework of operations for domain transfers seems to be quite robust.

However, I note that ICANN does not have contractual authority to require a registrar to transfer a domain name back to a different registrar or registrant, even if a transfer was the result of an unauthorized access to your email account or other login credentials.

Sincerely,

Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On 2021-11-10 17:52, Theo Geurts via CPWG wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 12:21 PM, Theo Geurts wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 11:48 AM, Michele Neylon - Blacknight via CPWG wrote:

...

I’d recommend you read the SSAC papers on hijacks as well as some of the background materials for previous IRTP PDPs

A lot of the locks that exist at the moment are due to past experience ie. Domains being hijacked etc.,

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

FROM: CPWG <cpwg-bounces@icann.org> on behalf of Steinar Grøtterød via CPWG <cpwg@icann.org> DATE: Tuesday, 9 November 2021 at 17:45 TO: CPWG <cpwg@icann.org> SUBJECT: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

3. Could the above be optional?

4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards,

Steinar Grøtterød

_______________________________________________

CPWG mailing list

CPWG@icann.org

https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

...

_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

---

CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on. _______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Michele, On Thu, Nov 11, 2021 at 6:52 PM Michele Neylon - Blacknight via CPWG < cpwg@icann.org> wrote:

If a domain moves from registrar A to registrar B getting that undone is one thing, but it becomes a lot more complex and messy when it’s hopped to another registrar.

How do you prove who the registrant should be?

What about domain name sellers who suffer remorse?

What about other disputes?

A lot of the issues that end up being pushed to ICANN aren’t ICANN issues at all and are disputes between 3rd parties. We see this all the time.

If the third parties are engaged in registering / re-registering domain names - ccTLD or gTLDs delegated by ICANN - with or without ICANN accreditation, what happens to the domain name due to a dispute between the 3rd parties is still an ICANN issue.

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

*From: *CPWG <cpwg-bounces@icann.org> on behalf of Theo Geurts via CPWG < cpwg@icann.org> *Date: *Wednesday, 10 November 2021 at 16:35 *To: *Bill Jouris via CPWG <cpwg@icann.org> *Subject: *Re: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

*[EXTERNAL EMAIL]* Please use caution when opening attachments from unrecognised sources.

Apart from IRTP-D policy (a sort of UDRP for transfers), there is no other ICANN process. But it is within the scope of this WG to discuss this and we already discussed briefly a process to reverse unauthorized transfers.

Most of the unauthorized transfers are solved between the losing and gaining registrar. Again it does not happen much as these numbers are very low.

Theo

On Wed, Nov 10, 2021, at 3:51 PM, Steinar Grøtterød via CPWG wrote:

Hi Bill,

A very good question (that I don’t know the answer to).

Maybe someone else on the list have an answer? If not, I will put the question to the TPR WG.

Regards,

Steinar Grøtterød

*From: *CPWG <cpwg-bounces@icann.org> on behalf of CPWG <cpwg@icann.org> *Reply to: *Bill Jouris <b_jouris@yahoo.com> *Date: *Wednesday, 10 November 2021 at 14:10 *To: *Theo Geurts <atlarge@dcx.nl>, CPWG <cpwg@icann.org>, " gopal@annauniv.edu" <gopal@annauniv.edu> *Subject: *Re: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

If ICANN does not have the contractual ability to require transfer back after unauthorized change, the contracts ought to be updated to provide for that.

Bill Jouris

On Wednesday, November 10, 2021, 04:52:55 AM PST, gopal--- via CPWG < cpwg@icann.org> wrote:

This is very good news.

The framework of operations for domain transfers seems to be quite robust.

However, I note that ICANN does not have contractual authority to require a registrar to transfer a domain name back to a different registrar or registrant, even if a transfer was the result of an unauthorized access to your email account or other login credentials.

Sincerely,

Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On 2021-11-10 17:52, Theo Geurts via CPWG wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 12:21 PM, Theo Geurts wrote:

...

Compliance showed us the number of complaints regarding unauthorized transfers yesterday. The numbers were low ranging from 1-20 a month, with little to no indication of real domain name hijacks.

Account control panel compromises (a strong indicator) were absent for most of the months.

Average domain transfers are around 400.000-500.000 a month.

Best.

Theo

On Wed, Nov 10, 2021, at 11:48 AM, Michele Neylon - Blacknight via CPWG wrote:

...

I’d recommend you read the SSAC papers on hijacks as well as some of the background materials for previous IRTP PDPs

A lot of the locks that exist at the moment are due to past experience ie. Domains being hijacked etc.,

--

Mr Michele Neylon

Blacknight Solutions

Hosting, Colocation & Domains

https://www.blacknight.com/

https://blacknight.blog/

Intl. +353 (0) 59 9183072

Direct Dial: +353 (0)59 9183090

Personal blog: https://michele.blog/

Some thoughts: https://ceo.hosting/

-------------------------------

Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty

Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845

FROM: CPWG <cpwg-bounces@icann.org> on behalf of Steinar Grøtterød via CPWG <cpwg@icann.org> DATE: Tuesday, 9 November 2021 at 17:45 TO: CPWG <cpwg@icann.org> SUBJECT: [CPWG] Transfer Policy Review Team: Question about the 60-days lock

[EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources.

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

3. Could the above be optional?

4. Should the Registrant has the option to opt-out?

I did not have the time to discuss this with the At-Large TPR members and observers, hence will not ask for a poll. But hopefully CPWG can express their view at the CPWG call on Nov 10, 2021.

Regards,

Steinar Grøtterød

_______________________________________________

CPWG mailing list

CPWG@icann.org

https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

...

_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

---

CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________

CPWG mailing list

CPWG@icann.org

https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________

By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

On Fri, Nov 12, 2021 at 2:00 AM Jothan Frakes <jothan@gmail.com> wrote:

A lot of the issues that end up being pushed to ICANN aren’t ICANN issues

...

...

at all and are disputes between 3rd parties. We see this all the time.

100% agree

...

If the third parties are engaged in registering / re-registering domain names - ccTLD or gTLDs delegated by ICANN - with or without ICANN accreditation, what happens to the domain name due to a dispute between the 3rd parties is still an ICANN issue.

I might agree with this were the words "ccTLD", "re-registering" and "ICANN" deleted from it.

"Re-registering" might be inaccurate, I meant renewal. How would that sentence be presented for your agreement without "ICANN" in it, Jothan? And why would you leave out ccTLDs?

On Fri, Nov 12, 2021 at 09:19:25AM +0100, Chokri Ben Romdhane via CPWG wrote:

So I'm with removing the 60 day lock after the successful transfer, since the TAC (or any other technical mechanisms) may avoid any transfer risks.

Unfortunately this is not true. Using a different authentication mechanism does not reduce fraud consequences. Such codes are always also available to insiders and social engineering. So the problem with a fraudulent transfer is not gone. Hence we need to block further changes of the registrar (lock). But the most common action required (change of the domain data) should be lifted from a lock. We only need to catch the thief in the first step.

Dear All, I am only thinking aloud and technically I relish all tunable parameters in large dynamical systems like what ICANN has been very admirably working with. The specific case in point in the 17 November meeting has been the "opt - out" choice. Being deterministic in large systems give a veneer of assurance that things are not likely to slip into chaotic state. No guarantee as one who is hell bent in breaking in will eventually do so. Also, homogeneity is a better recipe for chaotic conditions. Hence, where possible I would strongly urge to include choice such as the one indicated in the attached screen - shot. This way we get a voluntary buy-in from a core stakeholder segment. Things become managerial and what is being looked for is a numane approach in dealing with conditions that have gone awry. My humble submission: When things go awry, Ethics First and Legal Next Sincerely, Gopal T V 0 9840121302 https://vidwan.inflibnet.ac.in/profile/57545 https://www.facebook.com/gopal.tadepalli PS: I am sorry if using the screenshots of the Registrar and Registrant screens is not permissible in ICANN presentations. I have not seen any in the past three years from within ICANN. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Dr. T V Gopal Professor Department of Computer Science and Engineering College of Engineering Anna University Chennai - 600 025, INDIA Ph : (Off) 22351723 Extn. 3340 (Res) 24454753 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ On 2021-11-18 02:55, John McCormac via CPWG wrote:

On 09/11/2021 17:44, Steinar Grøtterød via CPWG wrote:

...

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

Following up on today's meeting:

...

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

Yes. This is still important to deal with issues of reversed creditcard charges and non-payment. While payments systems have improved, this 60 day lock is still a defence against an orchestrated attack using stolen payment details.

...

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

Yes. This is one way of drastically reducing the chances of success for domain name theft. Domain name thieves generally use multiple registrars to make it difficult for the registrant to recover their stolen domain name.

...

3. Could the above be optional?

No. And ICANN Compliance should proactively enforce it.

...

4. Should the Registrant has the option to opt-out?

No. Do the people who came up with the proposal of making it opt-out for registrants actually understand the issue of domain name theft/hijacking and how the thieves transfer a stolen domain name from registrar to registrar to make it difficult for registrants to recover their domain name?

On a related issue that came up in the call, Domain Tasting is very different from registrars simply offering time limited promotions.

Domain Tasting involved registrars simply being set up for the purposes of tasting and deleting millions of domain names in the five day Add Grace Period. This exploitation of the AGP spread to retail registrars. Over approximately five years, over 1 billion (1,000,000,000) .COM domain names were tasted. The ICANN registry reports were flawed and incomplete at the time and remained so until 2014. Those of us who were tracking the issue at a domain name level measured it in worn out harddrives.

It was only when legal action was taken against a few key registrars and Google announced that it would not monetise registrations within their five day AGP period that Domain Tasting took a near fatal hit. ICANN was stuck in a procastination loop while Domain Tasting was happening but it was convinced to eventually do the right thing by adding a "restocking" fee for new registations deleted within the AGP. When that was implemented, large-scale Domain Tasting stopped. Domain Tasting has nothing to do with the 60 day locks.

Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com **********************************************************

-- This email has been checked for viruses by AVG. https://www.avg.com

_______________________________________________ CPWG mailing list CPWG@icann.org https://mm.icann.org/mailman/listinfo/cpwg

_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Theo Most ccTLDs are thick registries. So the registry has the data The biggest gTLD is .com so the registry doesn’t (and hopefully never will). Regards Michele -- Mr Michele Neylon Blacknight Solutions Hosting, Colocation & Domains https://www.blacknight.com/ https://blacknight.blog/ Intl. +353 (0) 59 9183072 Direct Dial: +353 (0)59 9183090 Personal blog: https://michele.blog/ Some thoughts: https://ceo.hosting/ ------------------------------- Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,R93 X265,Ireland Company No.: 370845 From: CPWG <cpwg-bounces@icann.org> on behalf of Theo Geurts via CPWG <cpwg@icann.org> Date: Thursday, 18 November 2021 at 12:21 To: Bill Jouris via CPWG <cpwg@icann.org> Subject: Re: [CPWG] Transfer Policy Review Team: Question about the 60-days lock [EXTERNAL EMAIL] Please use caution when opening attachments from unrecognised sources. John, Can you explain the relationship between domain locks for 60 days and attacks using stolen payment details? A lot of the EU ccTLD registries and other ccTLDs do not have such a 60-day lock and I never saw any issues in relation to stolen payment details. And to be clear, we process a lot of incoming and outgoing ccTLD transfers. In addition, to drastically reduce domain theft, you have to have a big issue of domain theft first. The current amount of unauthorized transfers complaints is very low as provided by compliance. I suspect domain theft (which is a different bucket) is even lower, though we do not have real statistics. With the exception of IRTP-D, from what I recall dispute providers had a total of 2 cases since 2016. I do not mind the 60 day lock in the sense that it bothers me. However, as a registrar, I would not mind the option to be able to remove the lock in certain scenarios. Thanks, Theo On Wed, Nov 17, 2021, at 9:25 PM, John McCormac via CPWG wrote: On 09/11/2021 17:44, Steinar Grøtterød via CPWG wrote:

Dear all,

At the TPR WG Meeting on Nov 9, 2021, the 60-days locks were discussed. The present policy – and the majority of Registry Operators, have a 60-days transfer lock after the initial registration of a domain name AND a 60-days lock after a successful inter-registrar transfer.

Based on the discussion in the TPR WG, I would like to hear the CPWG opinion by asking the following:

Following up on today's meeting:

1. Are we in favor of keeping the 60-days lock after the initial registration of a domain name?

Yes. This is still important to deal with issues of reversed creditcard charges and non-payment. While payments systems have improved, this 60 day lock is still a defence against an orchestrated attack using stolen payment details.

2. Are we in favor of keeping the 60-days lock after a successful transfer of a domain name?

Yes. This is one way of drastically reducing the chances of success for domain name theft. Domain name thieves generally use multiple registrars to make it difficult for the registrant to recover their stolen domain name.

3. Could the above be optional?

No. And ICANN Compliance should proactively enforce it.

4. Should the Registrant has the option to opt-out?

No. Do the people who came up with the proposal of making it opt-out for registrants actually understand the issue of domain name theft/hijacking and how the thieves transfer a stolen domain name from registrar to registrar to make it difficult for registrants to recover their domain name? On a related issue that came up in the call, Domain Tasting is very different from registrars simply offering time limited promotions. Domain Tasting involved registrars simply being set up for the purposes of tasting and deleting millions of domain names in the five day Add Grace Period. This exploitation of the AGP spread to retail registrars. Over approximately five years, over 1 billion (1,000,000,000) .COM domain names were tasted. The ICANN registry reports were flawed and incomplete at the time and remained so until 2014. Those of us who were tracking the issue at a domain name level measured it in worn out harddrives. It was only when legal action was taken against a few key registrars and Google announced that it would not monetise registrations within their five day AGP period that Domain Tasting took a near fatal hit. ICANN was stuck in a procastination loop while Domain Tasting was happening but it was convinced to eventually do the right thing by adding a "restocking" fee for new registations deleted within the AGP. When that was implemented, large-scale Domain Tasting stopped. Domain Tasting has nothing to do with the 60 day locks. Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com<mailto:jmcc@hosterstats.com> MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com ********************************************************** -- This email has been checked for viruses by AVG. https://www.avg.com _______________________________________________ CPWG mailing list CPWG@icann.org<mailto:CPWG@icann.org> https://mm.icann.org/mailman/listinfo/cpwg _______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.

Thanks for the feedback John. All the best, Theo On Thu, Nov 18, 2021, at 9:11 PM, John McCormac wrote:

On 18/11/2021 12:20, Theo Geurts via CPWG wrote:

...

John,

Can you explain the relationship between domain locks for 60 days and attacks using stolen payment details?

I was thinking of it in term of attack types, Theo, Basically there are opportunistic attacks with a single credit card and then there are spikes in attacks due to credit card data being compromised in a breach. With the first type, the attack may be limited but the second often involves multiple attackers. The fraud and risk detection systems have improved but they are not perfect. There is still an element of lag between card details being stolen and the theft being notified to the credit card company. It is that window that both types of attacker exploits. The registrar or reseller should not be on the hook for fraudulent charges.

...

A lot of the EU ccTLD registries and other ccTLDs do not have such a 60-day lock and I never saw any issues in relation to stolen payment details. And to be clear, we process a lot of incoming and outgoing a ccTLD transfers.

That may have to do with the different types of markets. They are primarily catering to a highly localised market whereas the gTLD are, mainly, catering for a global market. A ccTLD registration may not be quite as "convertible" as a .COM registration.

...

In addition, to drastically reduce domain theft, you have to have a big issue of domain theft first. The current amount of unauthorized transfers complaints is very low as provided by compliance. I suspect domain theft (which is a different bucket) is even lower, though we do not have real statistics. With the exception of IRTP-D, from what I recall dispute providers had a total of 2 cases since 2016.

The main targets for domain theft are valuable domain names (short, short numerical or generic keyword). Some of the registrants have had to take UDRP actions to recover them because the thief used registrar hopping to intentionally make it more difficult to recover the domain name. The targeted domain names could be valued in thousands or tens of thousands of Euro/Dollars. It is a qualitative issue rather than a quantitative issue. That allows domain theft to be presented as a being a small problem in terms of ICANN compliance.

...

I do not mind the 60 day lock in the sense that it bothers me. However, as a registrar, I would not mind the option to be able to remove the lock in certain scenarios.

That's different from the registrant being allowed to opt out of the 60 day lock and there may be an argument for registrars being able to exercise discretion in some cases.

Regards...jmcc -- ********************************************************** John McCormac * e-mail: jmcc@hosterstats.com MC2 * web: http://www.hosterstats.com/ 22 Viewmount * Domain Registrations Statistics Waterford * Domnomics - the business of domain names Ireland * https://amzn.to/2OPtEIO IE * Skype: hosterstats.com **********************************************************

-- This email has been checked for viruses by AVG. https://www.avg.com