Auth codes are one of the most useful aspects of the new
TLD registries and it, in addition to domain locks, is an
awesome way to prevent domain theft.
The problem is that many registrars did not like being
forced to implement Auth Codes and as a result have
severaly *GUTTED* the effectiveness of the Auth Codes.
Thus far Tucows is the *ONLY* registrar I have seen that
properly implements Auth codes, IMHO. Auth code *ARE NOT*
to be use "authorize transfer" they are to be used only by
the owner to approve a transfer, period -- If you do it
any other way then Auth Codes effectiveness is *SEVERLY*
degraded, if it still even has any effectiveness.
For example, when Auth Codes first came online many
registrars set the Auth Code equal to the users Password.
When the user sold a domain the buyer was now only handed
the sellers account password (!) but also the Auth Code
for all other Auth code protected domains held at that
registrar! Get the picture? By allowing anyone to enter a
Auth Code to initiate transfer you actually simplify the
process of domain theft ... Force the owner to enter the
Auth Code (via owner in Whois record) and you have a
*VERY* effective tool which aids in preventing domain
theft.
Tucows *PLEASE* remain a leader and do nothing to
compromise the Auth Code system / concept. Thanks!
On Mon, 8 Dec 2003 19:15:45 -0800 (PST)
Tom Brown <tbrown@baremetal.com> wrote:
>
>Apologies for what is almost a double post... but I think
>that what we
>want can be made more clear...
>
>Auth-codes for transfers are supposed** to be a good
>thing. They should
>suffice as "indisputable proof" that the transfer request
>has been made by
>a valid representitave of the domain owner...
>consequently, if the API
>would allow us to specify the auth-code for an EPP domain
>during a
>transfer, we should be able to skip the opensrs admin
>contact confirmation
>step completely and just go to "submit to registry" ...
>which could even
>tell us if the auth code is wrong... all this happening
>before we bill the
>registrant's credit card .... simple, effective, doable?
>already exists?
>Or did I miss roadblock?
>
>(** unfortunately this isn't the first time that a great
>technical
>solution has been distorted almost beyond recognition,
>e.g. sign over your
>first born child and all your right sige organs and we'll
>send you the
>auth code for your domain.)
>
>-Tom, president, http://baremetal.com/
>
>On Mon, 8 Dec 2003, Tim Woodcock wrote:
>
>> Hello.
>>
>> We are having a lot of problems getting people to
>>complete transfers in
>> the epp realm. We are putting through transfer requests
>>from foreign
>> registrars, but the users are having trouble finishing
>>the operation.
>>
>> The simplest solution for us would be to require that
>>the user specify the
>> authorization when they request the transfer. Is there
>>a mechanism that
>> allows us to do this?
>>
>> ---------------------------------------------------------------------
>> Tim Woodcock
>> twoodcock@baremetal.com
>> BareMetal.com Inc.
>> http://baremetal.com/
>> Software Development Team
>> ---------------------------------------------------------------------
>>
>>
>>
>
>----------------------------------------------------------------------
>tbrown@BareMetal.com | Courage is doing what you're
>afraid to do.
>http://BareMetal.com/ | There can be no courage unless
>you're scared.
> | - Eddie Rickenbacker
>
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:37:52 EDT