Dear David,
i forgot to mention the last point, which fortunately someone else on the
list has also covered, which added to the below gives something close to a
perfect system
"EVERY CHANGE would be logged, and by whom it is done and when etc. and
theefore incase of a dispute OPRS could track these changes and punish the
rogue reseller apprpriately. Like i was telling earlier on the list. the
very fact tht punishment could mean disbarrment from the system and loss of
all prev customers serves as enuf disincentive to not act as a rogue
Added to that i dont know how feasible it is, but oprs culd have a due
diligence check before taking in a reseller ..... just a thought"
1) the reseller should be allowed to make changes to everything - this is
essential since it allows for better service to the customer
2) however every change should generate an acknowledgement which should be
emailed to the client and the client. here is the catch. the client does not
need to approve the change, but he has the power to disapprove by simply
replying to the email
3) the reseller can only access the clients passwd but can never changeit.
the passwd can only be changed by the client
i think if abv three things are implemented there is no way to break this
system, ie the reseller cannot hijack a domain name, nor do levels of
service go down
my two bits
-----Original Message-----
From: diyoha@uceng.uc.edu [mailto:diyoha@uceng.uc.edu]On Behalf Of David
Iyoha
Sent: 01 March 2000 23:44
To: Bhavin Turakhia
Cc: discuss-list@opensrs.org
Subject: Re: New Ideas for OpenSRS (or wish list) - Reseller Access
Hi Bhavin,
> 2) however every change should generate an acknowledgement which should be
> emailed to the client and the client. here is the catch. the client does
not
> need to approve the change, but he has the power to disapprove by simply
> replying to the email
What would be the time frame that a reply would prevent the action from
happening? Let us say I do not check my email over the weekend. Would it
be too late then?
A hole I see would be since the email address is not protected like the
password then the rogue reseller could change the email address while
making legitimate updates to the domain information. That way when
unwanted changes are made the client will not know!
Although since the password cannot be changed it would not be a complete
hijack, but it would be a successful saboteur move and a major
inconvenience. Plus the reseller could prevent the client from
receiving renewal information by changing the email address which would
cause the domain to be eventually lost. (and reclaimed by the reseller?)
Also in this proposed solution there needs to be a way for a client to
prevent their reseller from making changes, if that reseller starts
acting crazy or for whatever other reason i.e. the client *wants* to and
has the ability to administer the domain themselves.
Aside from the few things I noticed it seems like a good idea.
David
> -----Original Message-----
> From: owner-discuss-list@opensrs.org
> [mailto:owner-discuss-list@opensrs.org]On Behalf Of David Iyoha
> Sent: 01 March 2000 02:00
> To: discuss-list@opensrs.org
> Cc: Rick H Wesson
> Subject: Re: New Ideas for OpenSRS (or wish list) - Reseller Access
>
> Hi,
>
> I guess an example of hijack would be:
> 1. Change customers password
> 2. Change all information to that of "new" owner i.e. admin, tech, billing
> 3. Change name server info
> 4. Sell domain to new owner or keep for personal use
>
> David
>
> Rick H Wesson wrote:
>
> > David,
> >
> > On Tue, 29 Feb 2000, David Iyoha wrote:
> >
> > > Hello Rick,
> > >
> > > My major point is what is the reality of protection from a contract?
And
> why have to
> > > go through the trouble in the first place?
> > >
> > > Scenario 1
> > > I buy a domain from a opensrs reseller in Britain and I
> > > live in Toledo in the USA. Reseller hijacks my domain. I would need to
> > > go through some serious hoops and money to regain my domain. Who knows
> > > how the international laws would apply here ....
> >
> > first define hijack, just how do you propose that the reseller
"hijack's"
> > the domain.
> >
> > second if there were any for you to "prove to ICANN" that the reseller
> > did do something and you had no recorse, TUCOWS *could* loose their
right
> > to access the NSI RRP database. Furthermore TUCOWS could loose their
100K
> > preformance bond if they were found to have violated part of the RL&A
with
> > NSI.
> >
> > so you see that it is in TUCOWS interest to "fix" any registrar that
would
> > "hijack" a domain.
> >
> > > Scenario 2
> > > I buy a domain from an opensrs reseller in Toledo and I live in New
> > > Jersey. Reseller hijacks my domain. I would need to also go through
> > > some serious hoops and money to regain my domain (less than the
> > > international scenario)
> >
> > again define "hijack" and describe exactly what documentation you would
> > have in all cases of "hijacking" to determine you are the rightfull
owner
> > and the "registrar" or "reseller" has violated their contract with you.
> >
> > Its realy difficult to explain what your potential recource with out
> > knowing what "hijack" means.
> >
> > > The easiest case would be if the reseller was in the same city as I
> > > was and even that would not be a very easy scenario. I would need to
> > > at the very least go through the court system. Which is not cheap or
> > > trivial.
> >
> > Let me ask you about a senerio, Registrant bulk_registers' 100 domains
for
> > 10 years each, then the registrant requests a chargeback.
> >
> > what is the registrar to do? the registrar is out over $10,000 and the
> > registrant still has the domains.
> >
> > now, who is being protected?
> >
> > regards,
> >
> > -rick
>
> --
> Systematic Software
> david.iyoha@systware.com
> (513) 241 3331
> http://www.systware.com
-- Systematic Software david.iyoha@systware.com (513) 241 3331 http://www.systware.com
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:23 EDT