2022-07-26 Transfer Policy Review PDP WG Call

Notes/ Action Items

Action Items:

HOMEWORK/ACTION ITEMS:

1. After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table.
2. By Monday, 01 August: WG members to complete the spreadsheet/table.
3. By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC.

Notes:

Transfer Policy Review Phase 1(b) - Meeting #55

Proposed Agenda

26 July 2022

1. Roll Call & SOI updates

      2. Welcome and Chair Updates

      3. Detailed Analysis of CoR Triggers and Actions – Present and Future

See: https://docs.google.com/spreadsheets/d/1eB3cowSoEp4ERoqQmlc3hc5dpV4g5NzP/edit?usp=sharing&ouid=106429012576252349565&rtpof=true&sd=true [docs.google.com]

Introduction:

• Possible proposed approach.
• If we look at the inter-registrant policy – back in the day the IRTP-C/-D had the “luxury” of starting from scratch, but we don’t have that.
• Because we have an existing policy, even if there is full consensus to get rid of the policy we still have to provide a rationale.
• We do have the ability to ask ourselves: would the change of registrant policy be developed the way it is taking into account the TAC only being revealed on request, and if there was a post-transfer restriction (30 or 60 days), would that have addressed the problems the CoR policy was trying to overcome.
• We also realize that we don’t have any data to work with, so we have to proceed with a systematic analysis, hence the table.
• Current policy – two key components: Trigger of Section C, Change of Registrant – we will be analyzing the trigger and then the possible actions in response.  See: https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en.
• Table to aid analysis: These are sample responses, not meant to be staff positions.
• Triggers are the first column on the left.  Dissecting each of the triggers in isolation.
• Trying to draw solid lines around key components of the policy as they exist today.
• First one: looking at rows 4-5 – is that particular transaction legitimate or illegitimate.  We will get into whether it’s possible to distinguish that. 
• Second line: columns F-G – possible action with the understanding that there is no intention to move to another registrar.
• Moving to H-I – in connection with a change of ownership.  So not just a change in contact information.  Challenging because some of these triggers may have an action before that potential change.
• Looking at J-K – inter-registrant change with intent to change registrars: could leverage Phase 1A recommendations.
• Column L – Outcomes: substance for further recommendations.
• In summary: 1) what are the triggers and actions, 2) what are the impacts on the market, 3) what are the outcomes.

Discussion:

• Previously we didn’t have much information, such as with two-factor authentication (TFA), to go on.  Now we see that larger registrars are using TFA, but not sure about smaller registrars.  Those data points are available.  That could be a good start.
• Good point because we always look at how the landscape has changed.  Good to know that TFA is very well used throughout the industry.

Deeper dive into the example (Emily):

• We start with triggers and the first use case is a prior registrant name change – II.A.1.1.1 Prior Registrant name + II.A.1.3.1 A change to the Registered Name Holder's name or organization that does not appear to be merely a typographical correction
• Helpful distinction is that we want to be weighing the impact on everyday users and on malicious uses – does this action mitigate malicious actions but also what is the impact on users?
• Probably will not be able to tell if a trigger is illegitimate or not.
• More relevant in some cases or others, whether you can distinguish a typographical correction.
• Important to note the intent might be hard or impossible to know, when we look at the action later on would be important.
• The other thing that is tricky is the concept of “change of control”.  This term is the genesis of where this all came from, but it doesn’t have a clear definition.  Regardless of how you define it, we can consider whether it matters whether change of control is happening or not.
• Looking at columns F & G – simplest case: Remains w/ Registrar & No Change of Control
  • Are the actions fit for purpose?  Risk are lower.  Current policy language makes it hard to tell when certain updates trigger additional requirements.
  • Replace confirmation with notification; eliminate the 60-day lock.
• Columns H & I: In close proximity to or as part of change of control
• Columns J & K: Followed by inter-registrar transfer
• Column L: Possible recommendations and rationale

Discussion:

• Good to go into the example of malicious actions and impacts.
• Next steps: Does this group want to go through this on a call, or fill out the table separately and staff can compile to discuss on a call?  Is it easier to go horizontally through the table?
• If we do this offline: At some point we need to go through this to produce the rationale?  At the end of the day we should go through it anyway.  Answer: Even if we complete it offline we’ll still walk through the responses on a call and by doing so we are answering the charter questions.
• Let’s plan to do this as a homework assignment and then staff can compile and eliminate duplications; also can more easily focus on areas of agreement.

Timeline/Next Steps:

• We have two more calls before the summer pause.
• Need feedback from the WG on what is feasible.
• Can team up with a “buddy” to work on it, but want to get different perspectives.
• Can the WG have responses (or partial responses) by end of day next Monday, 01 August for staff to compile for discussion next Tuesday?

HOMEWORK/ACTION ITEMS:

1. After the Tuesday, 26 July call: Staff to send out a blank spreadsheet/table.
2. By Monday, 01 August: WG members to complete the spreadsheet/table.
3. By Tuesday, 02 August: Staff to compile responses for discussion at the meeting on 02 August at 16:00 UTC.

   4. AOB

• Next session: Tuesday 2 August at 16:00 UTC