Thanks Donny. You're right, it does say *may.* So perhaps that's another thing the RC should consider trying to change. I realize it may pose an inconvenience for customers who want to flip names as you describe, but it wouldn't prevent it. What it would do is add a layer of protection against hijacking. I think the raven.com issue illustrates the potential problem with assuming that if someone has the authcode, the name must be theirs. I thought the same way about the authcode at one time, but various experiences have changed my mind. I think authcodes are a good tool, but only one piece of the security issue. Tim -------- Original Message -------- Subject: RE: [registrars] Grave Robbing and SEDO Fencing From: "Donny Simonton" <donny@intercosmos.com> Date: Tue, August 07, 2007 6:27 am To: "'Tim Ruiz'" <tim@godaddy.com>, "'Registrars Constituency'" <registrars@gnso.icann.org> Tim, The ICANN transfer policy says that I "may" deny a transfer within the 60 days after a domain is transferred to us, it doesn't say that we "must" deny the transfer. As more and more registrants start selling domains stopping them from transferring a domain just causes more problems. We have many customers who flip domains every day. With the hopes of making a few hundred bucks here and there. Ever since Verisign switched to EPP, my rule has been if you have the auth-info code you can do whatever you want with the domain, because it's yours. Donny