Dear TPR WG members, Please find below the notes and action items from today’s meeting. The next meeting will be Tuesday, 02 August at 16:00 UTC. Best regards, Emily, Julie, Berry, and Caitlin Action Items: HOMEWORK/ACTION ITEMS: 1. After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table. 2. By Monday, 01 August: WG members to complete the spreadsheet/table. 3. By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC. Notes: Transfer Policy Review Phase 1(b) - Meeting #55 Proposed Agenda 26 July 2022 1. Roll Call & SOI updates 2. Welcome and Chair Updates 3. Detailed Analysis of CoR Triggers and Actions – Present and Future See: https://docs.google.com/spreadsheets/d/1eB3cowSoEp4ERoqQmlc3hc5dpV4g5NzP/edi... [docs.google.com]<https://urldefense.com/v3/__https:/docs.google.com/spreadsheets/d/1eB3cowSoE...> Introduction: * Possible proposed approach. * If we look at the inter-registrant policy – back in the day the IRTP-C/-D had the “luxury” of starting from scratch, but we don’t have that. * Because we have an existing policy, even if there is full consensus to get rid of the policy we still have to provide a rationale. * We do have the ability to ask ourselves: would the change of registrant policy be developed the way it is taking into account the TAC only being revealed on request, and if there was a post-transfer restriction (30 or 60 days), would that have addressed the problems the CoR policy was trying to overcome. * We also realize that we don’t have any data to work with, so we have to proceed with a systematic analysis, hence the table. * Current policy – two key components: Trigger of Section C, Change of Registrant – we will be analyzing the trigger and then the possible actions in response. See: https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en. * Table to aid analysis: These are sample responses, not meant to be staff positions. * Triggers are the first column on the left. Dissecting each of the triggers in isolation. * Trying to draw solid lines around key components of the policy as they exist today. * First one: looking at rows 4-5 – is that particular transaction legitimate or illegitimate. We will get into whether it’s possible to distinguish that. * Second line: columns F-G – possible action with the understanding that there is no intention to move to another registrar. * Moving to H-I – in connection with a change of ownership. So not just a change in contact information. Challenging because some of these triggers may have an action before that potential change. * Looking at J-K – inter-registrant change with intent to change registrars: could leverage Phase 1A recommendations. * Column L – Outcomes: substance for further recommendations. * In summary: 1) what are the triggers and actions, 2) what are the impacts on the market, 3) what are the outcomes. Discussion: * Previously we didn’t have much information, such as with two-factor authentication (TFA), to go on. Now we see that larger registrars are using TFA, but not sure about smaller registrars. Those data points are available. That could be a good start. * Good point because we always look at how the landscape has changed. Good to know that TFA is very well used throughout the industry. Deeper dive into the example (Emily): * We start with triggers and the first use case is a prior registrant name change – II.A.1.1.1 Prior Registrant name + II.A.1.3.1 A change to the Registered Name Holder's name or organization that does not appear to be merely a typographical correction * Helpful distinction is that we want to be weighing the impact on everyday users and on malicious uses – does this action mitigate malicious actions but also what is the impact on users? * Probably will not be able to tell if a trigger is illegitimate or not. * More relevant in some cases or others, whether you can distinguish a typographical correction. * Important to note the intent might be hard or impossible to know, when we look at the action later on would be important. * The other thing that is tricky is the concept of “change of control”. This term is the genesis of where this all came from, but it doesn’t have a clear definition. Regardless of how you define it, we can consider whether it matters whether change of control is happening or not. * Looking at columns F & G – simplest case: Remains w/ Registrar & No Change of Control * Are the actions fit for purpose? Risk are lower. Current policy language makes it hard to tell when certain updates trigger additional requirements. * Replace confirmation with notification; eliminate the 60-day lock. * Columns H & I: In close proximity to or as part of change of control * Columns J & K: Followed by inter-registrar transfer * Column L: Possible recommendations and rationale Discussion: * Good to go into the example of malicious actions and impacts. * Next steps: Does this group want to go through this on a call, or fill out the table separately and staff can compile to discuss on a call? Is it easier to go horizontally through the table? * If we do this offline: At some point we need to go through this to produce the rationale? At the end of the day we should go through it anyway. Answer: Even if we complete it offline we’ll still walk through the responses on a call and by doing so we are answering the charter questions. * Let’s plan to do this as a homework assignment and then staff can compile and eliminate duplications; also can more easily focus on areas of agreement. Timeline/Next Steps: * We have two more calls before the summer pause. * Need feedback from the WG on what is feasible. * Can team up with a “buddy” to work on it, but want to get different perspectives. * Can the WG have responses (or partial responses) by end of day next Monday, 01 August for staff to compile for discussion next Tuesday? HOMEWORK/ACTION ITEMS: 1. After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table. 2. By Monday, 01 August: WG members to complete the spreadsheet/table. 3. By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC. 4. AOB * Next session: Tuesday 2 August at 16:00 UTC