One cannot claim that this is a "security improvement" in the rest of the document to justify removal of the Losing FOA. This recommendation does nothing to bolster security.

Potential next step: WG to consider if it needs to revisit which recommendations about the TAC should be referenced as justification of the eliminating the Losing FOA.

Recommendation should reference the Transfer Policy and not the Temporary Specification (which will, at some point, be superseded by this Policy). This is because the Temporary Specification is intended to be temporary and the updates to the Transfer Policy should live in a permanent update.

Potential next step: Strawman revision

The working group recommends that the Transfer Policy include the following requirement confirms the following provision of Appendix G: Supplemental Procedures to the Transfer Policy contained in the Temporary Specification for gTLD Registration Data: “4. Registry Operator MUST verify that the "AuthInfo" code provided by the Gaining Registrar is valid in order to accept an inter-registrar transfer request,” with terminology updates in accordance with other relevant recommendations.

One cannot claim that this is a "security improvement" in the rest of the document to justify removal of the Losing FOA. This recommendation does nothing to bolster security. 

Furthermore, RFC 9154 says (in section 4.3): "4. The authorization information MUST only be stored by the gaining registrar as a "transient" value in support of the transfer process. 5. The plain-text version of the authorization information MUST NOT be written to any logs by a registrar or the registry, nor otherwise recorded where it will persist beyond the transfer process." 

But, according to Rec #11, the TAC is "one-time-use", and so if the registry operator has cleared the TAC, it would have had no loss of security if it had been logged for audit trail purposes by the gaining registrar. So, this didn't make sense.

Rec 11: #3

Potential next step: WG to consider the merits of these arguments and whether they warrant adjustment to the Report and recommendations.

Be more precise on including what the action of “clear” entails in the policy recommendations as Org understands that “clear” entails unsetting the authorization information by the Registry.

Potential next step: Strawman revision:

The Registry Operator MUST unset the authorization information clear the TAC as part of completing the successful transfer request.

Add language that specifies a scenario where if the transfer request is not successful (e.g. “NACKED” by the losing registrar), the TAC must also be cleared by the registry operator, and a notification sent by the losing registrar explaining that the transfer request was not successful and a new TAC must be generated if a new transfer request is to be generated.

Potential next step: WG to consider whether the recommendations should include additional details per the scenario described.

One cannot claim that this is a "security improvement" in the rest of the document to justify removal of the Losing FOA. This recommendation does nothing to bolster security. To improve security, you would need to mandate a delay in the provision of the TAC.

Potential next step: WG to consider if it needs to revisit which recommendations about the TAC should be referenced as justification of the eliminating the Losing FOA.

The Registries note an ambiguity between Recommendations 3 and 12 that we believe should be clarified. Recommendation 3 states that the Registrar of Record is required to notify an RNH of the provision of a TAC within 10 minutes of its request. However, Recommendation 12 states that the TAC itself must be provided within at most 5 days. The use of “provision” and “provide” are ambiguous. Perhaps Recommendation 3 is intended to notify an RNH of the “request” for a TAC as opposed to its provision? Other resolutions are possible and our suggestion does not indicate a preferred choice.

Rec 12: #8

Potential next step: WG to consider if the edits proposed with respect to the “Notification of TAC Request” are sufficient to address this comment. Namely, that the term “Notification of TAC Issuance” will be used, and the recommendation will refer to the time that the TAC is issued. Strawman edit:

Recommendation 12: The working group confirms that the Transfer Policy MUST continue to require Registrars to set the TAC at the Registry and provide issue the TAC to the RNH or their designated representative within five calendar days of a request, although the working group recommends that the policy state the requirement as 120 hours rather than 5 calendar days to reduce any risk of confusion. The working group further recommends that the policy MUST make clear that 120 hours is the maximum and not the standard period in which the TAC is to be provided issued.

One cannot claim that this is a "security improvement" in the rest of the document to justify removal of the Losing FOA. This recommendation does nothing to bolster security. Many people may access the TAC in a 14-day period.

Rec 13: #5

Potential next step: WG to consider if it needs to revisit which recommendations about the TAC should be referenced as justification of the eliminating the Losing FOA.

The permitted maximum of 14 days appears to be unnecessarily long given that the longer that it is available the generally greater chance that there is of its misuse.

Potential next step: WG to consider if these comments introduce new information that may prompt the WG to reconsider the current recommended 14-day period.

Add provision that the Rr MAY NOT set the TAC to null after a period of less than 24 hours.

Rationale: This is to prevent registrars from abusing this clause and blocking users from legitimately transferring out their domain names like for example - setting TAC to null after one minute.

Potential Next Step: The WG previously considered including a minimum TTL but did not come to agreement to do so. If recommendations are kept as-is, consider adding rationale explaining why this is not needed?

Change “standard” to “maximum” in accordance with §13.2 which allows for a shorter TTL but not for a longer one.

Change “enforced by the Registries” to “enforced by the Registry" to clarify that the registry is authoritative for the TLD in question. . .

Potential next step: Strawman revision: 

​​13.1: A standard maximum Time to Live (TTL) for the TAC MUST be 14 calendar days from the time it is set at the Registry, enforced by the Registryies.

[Staff note: If this edit is adopted, does the recommendation need to more explicitly state that there must always be a TTL?]

Be consistent through the policy recommendations. Use the combination of 14 days and 366 hours instead of calendar days alone.

Rec 13: #6

Potential next step: Strawman revision

13.1: A standard Time to Live (TTL) for the TAC MUST be 14 calendar days / 366 hours from the time it is set at the Registry, enforced by the Registries. 

Use more precise language in place of “clearing the TAC” or “setting the TAC to null.”

Potential next step: Strawman revision

13.2: The Registrar of Record MAY unset the authorization information set the TAC to null: After a period of less than 14 days by agreement by the Registrar of Record and the RNH.”