The call for the Transfer Policy Review PDP Working Group will take place on Tuesday, 14 November 2023 at 16:00 UTC for 90 minutes.
For other places see: https://tinyurl.com/29u8jzmr
- Welcome and Chair updates
- Overview COR and Charter [gnso.icann.org] Questions d1 - d3
- Discussion of COR Definitions and Change of Control
- COR Process (time permitting)
Apologies: Prudence Malinki (RrSG)
Alternates: Heidi Revels (RrSG)
Notes/ Action Items
ACTION ITEMS/HOMEWORK: WG members should review the "CoR - Overall Policy" Working Document at https://docs.google.com/document/d/1gu4sXGvyJeWJIfvaK_I7GKA6lAdfKFPQKaN4UMgzmcE/edit?usp=sharing and continue to think about "Change of Control".
- Welcome and Chair updates
- Not meeting next week; next meeting is 28 November.
- This is our last big topic; the goal is to wrap up by ICANN79 – about 2 months.
- Steinar, ALAC: CPWG trying to imagine a scenario when CoR is not part of the inter-registrar policy – will have a deeper discussion.
- Roger: We haven’t gotten there yet – could end up with something less restrictive, but still in the policy.
2. Overview COR and Charter [gnso.icann.org]Questions d1 - d3 – See attached slides and also at: https://docs.google.com/presentation/d/1Hrlj_0l-dacJ526xj8PFJ4n4V_x7nS9VjJhxIWdRWnY/edit?usp=sharing: Start at slide 4.
- Two big pieces: 1) opt out and 2) designated agent. We can still look at security issues that occur today.
- What comes into play with discussions with registrants is where there is an unpaid status and registrar is flowing the domain name into the recovery process – separate out this language?
- Can a CoR without being part of the policy?
- There will be a CoR but will vary in how different registrars process this unpaid status.
- Precursor to what we will decide on CoR in general.
- This is just a high-level overview – we will get to use cases later.
- A lot of this we’ll cover in definitions – this we’ll get to a point where we can make this policy less confusing.
- When we look at this notification is important.
- Historically we had to get deferral for privacy/proxy enabling/disabling. Have to address this so we don’t end up in the same spot.
- We touched on all the charter questions last year and we have addressed a lot of these issues with security recommendations. If we leave anything as we discussed then, it could be a high-level policy with details left to registrars, but as we go through this again we will address specific use cases.
3. Discussion of COR Definitions and Change of Control – Start at slide 8.
- We made pretty good progress when we talked about this previously – GDPR require registrants to be able to change their contact details while balancing against something bad happening. Ended up with registrar and registered name holders to be able to work together. We were being pretty careful about not introducing account details into policy.
- Think that logically change of control seems like a better model than the current definition because what we care about is contactability – that is the anchor. That is more reflective of how the system works. It is necessarily one piece of information.
- Note that the Whois verification policy for phone, email – registrar needs to verify. Doesn’t identify an identity—so contactability.
- Big issue we dealt with was Designated Agent – does it serve a purpose?
- During the IRT work the Designated Agent was the salvation to the policy.
- The Designated Agent was around before, just not codified in policy.
- Security implications are big for inter- (versus intra-) registrar transfer.
- Think about the idea of contactability – that is a big change that does allow registrants to do updates and also manage operational issues.
- Question: The concept of Change of Control – are there issues of ownership? Change of ownership is generally different from change of registrant contract details. We need to look at the differences and discuss them.
- The distinction between control and CoR hinges on change of ownership. What are we trying to do with CoR? This about registration at an abstract level – who can do what with a domain name. Gets really hard to talk about accounts. Stick to what registrars and registrants – change of control or contactability.
- Change of ownership also includes agreements between parties – different from change of control.
- Goal: when there’s a change of ownership (or control) goes to a level of awareness to make sure things are going the right way – is it valid, verified, etc.?
- Assumptions that we don’t know re: change of ownership. May not know unless there is a dispute.
- At least the registrant could be notified that that has happened.
- Everyone agrees that notification is great – the key question is whether there is something beyond notification?
- Where we are is agreeing on notification and then if the WG wants to add to that…
- Question: How deep does this go – changes to domain name records? Don’t see that is part of changing records – not sure ICANN has control of that –beyond the scope.
- Nameservers are not necessary with the same control panel as the Registrar interface.
- Challenge: Does the CoR policy change to only notification of change of registrant data to prior registrant. Could be a good starting spot.
- Notification process could be left up to the registrar. Contactability is what matters.
- Concerns: 1) Brand owners interest in a lock following CoR; 2) if only notification, is there any requirement for redress in case of unauthorized changes?
- Registrar may not know if a change is authorized or not.
- The move to notification is the right direction – how does that work with existing verification process, such as in the RAA?
- If it is a notification is there an escalation process to the prior contact?
- How would you even know there are changes being made?
- If we take it down to just verification we should think about the issues accordingly.