One of my clients has been trying to move his domain AWAY from Network Solutions, Inc. Due to some outdated information, the “auth code” had to be had over the phone.

We did get the code, however only after suffering through 15-20 minutes of some very strong arm “stay with us” script.

After getting off the phone, the client told me he would have never gotten through it without me, and out of fear would have just left it with NSI…

That’s a bad scene. This data should not be held by the registrar. They have HEAVY financial incentive to not give it to the registrant.

I’ve wrestled with that one a lot.

I think a penalty should be paid for not renewing a domain if for no other reason than it serves to cause people to warn others to renew their domain “Helps foster education”.

I think the real nefarious part of redemption fee is how it gets combined with transfer fullfillment given a registrar incentive to NOT ensure a registrant renews and then mark up the redemption fee in order to force the domain to auction.

In other words transfer fullfilment should NOT be allowed, all domains should be required to be released and then reregistered. Doing this then puts pressure on registrars to LOWER the redemption costs to ensure they retain a customer. Tranfer fullfillment has turn the registrars against registrants, it needs to be stopped.

Removing JUST the email field still provides physical address and telephone information and a mechanism exists to reports “bad whois” information and have the domain deleted.

The cost of creating a domain dispute is FAR higher than the cost of making a phone call or sending a letter via the mail.

So personally I’m not sure the email information needs to be available via the public whois system. I think all registries should be required to implment centralized whois (like .ORG and .INFO) so that registrars can see the email contact info (and provide it to their users if they wish) and then REMOVE the email contact information from the public whois.

Taking it one step further, if registries were required to centralize whois, and provide WhoWas (via registrars) then the entire Port 43 system could be eliminated and we’d all benefit from a huge reduction in SPAM – I spend 15 minutes per day filtering through spam derived from whois harvested email addresses.

As for Auth Codes, I’d never want to see that feature removed I’d only want to see it made more agressive to further impede domain theft.

1) ICANN should have complete records of registrant data at all times, and transaction logs.

2) Dept of Commerce should have access and recourse to audit all Registry transactions and put in place an efective task-force for problem management, and enforcement. Registerfly transaction failures are everywhere. ( dont much want ICANN police, ICANN should be a Research and develpement authority for building out future generations of web)

2a) Transaction failure recourse. When a registrar takes your money, refuses to renew, and the “grace” period is ignored, domain grabbing systems engage and then the domain is stuck for a while and then lost.

3) REMOVAL OF REDEMPTION FEE EXTORTION

4) EXPLAIN to the world that DOMAIN OWNERSHIP is a misnomer. It is A LEASE contract for use of a NAME over a time period that can expire. Its bad contract law to state anything else.

5) Reparations. This Registerfly problem has existed since the moment ICANN Accredited Registerfly last year. Evidennce of that complaint stream has been removed from public forum archive.

Renewal transaction failure by registerfly should be redressed and rightful re-instantiation of DNS should be performed for provable caaes, retroactive to the date of Registerfly accreditation, and publicly available rights to recovery should be implemented.

Get the word out, since the disconnect between website owners and domain name registrants is a serious problem. a $1000 website that makes income for a small business can be lost for a $9.99 renewal failure. The trickle down impact of this is 100′s of times the fees.

junky youtube awareness videos – link everywhere that may help.

http://www.youtube.com/watch?v=RTViHZIHvlY
http://www.youtube.com/watch?v=jsrvUqj6cdU

Registrar transfer mechanism should not depend on the goodwill of registrars. As Tim G. points out, there is economic incentive for registrars to interfere with out-transfers. Most do it subtly by making the process difficult and time consuming in hopes of discouraging the customer. Many of them hide auth codes, unnecessary layers of confirmation, detailed FAQs on in-transfers but no mention of out-transfers, etc. One of them, namely 1and1, requires you to opt-out of domain renewal by logging into a website separate from your hosting account (cancel.1an1.com), then confirm cancellation order via email, and lastly by requiring you to send a signed fax. While there is a rational to some of these practices on security basis – such as preventing domain hijacking – i feel a lot of registrars make the process unduly difficult simply to discouraging customer migration.

If there is a lesson to be learned from RegistrarFly meltdown, it is this: The customer should be empowered to transfer without the need to get approval from outgoing registrar. Therefore, the transfer approval process should be between the customer and unbiased entity, such as the TLD Registry. (Since Registry doesn’t care what registrar customer uses, there is no incentive for them to make things unnecessarily difficult). I propose that upon new domain registration (and transfer to another registrar) Registry issues auth code either directly to admin email to through registrar which should be contractually obliged to pass that information with the registration receipt). Armed with the authcode customer should be able to initiate in-transfer from any registrar and not need approval from the loosing registrar.

For security reasons (in case of theft of auth code) admin email should be notified of any transfer requests and should have ability to opt-out of transfer, again directly with Registry using the authcode to confirm identity, and should be able to request a new authcode be issued to admin email.

While such system move some responsibly from registrars to Registries, ultimately it is in end consumer, ICANN and Registries interest to implement such a system. As we have seen when RF fell apart, the burden of customer support has fallen on your shoulders anyway. The end-customer will embrace the idea of having more control.

Secondly, i don’t think registrar data escrow is a realistic solution. First of all it will require enormous resources from ICANN and from each registrars to keep data in synch. Secondly it will be strongly opposed by various constituency on grounds of privacy. In other words, both the public and registrars will strongly oppose any data escrow plan on both economic and ideological grounds. Besides, even if implemented you ICANN will have huge headaches in following up on end-user requests.

Design a distributed system that empowers end-user and you will solve the bane of another sinking registrar pulling their customers down in the undertow.

Empower end-user with choice and you will have a system that works better and also requires less tinkering on your part. The end-customers will favor registrars with higher quality thus improving the overall quality of the registration system.

Thirdly, ICANN should not and needs not be in the business of rating registrars. This will only server to create controversy. I’ll give you an example. Some governments are clearly better than others. Should UN be in the business of rating governments of member nations? Should US federal government rate the states? Should states rate counties and cities? Such ratings while useful are best left to third parties. What you could do is put out yearly surveys directly to the end users (registrants) and rate registrars on this basis. Actually this could work quite well. It will be useful, legitimate, and will let you off the hook from accusations of playing favorites.

The solution is conceptually simple: take control of low-level domain data such as whois and auth codes away from the registrars and put it with the registries. I realize it’s easier said than done, as you would essentially need separate accounts at the registrar and the registry, which would be confusing for a casual user, and probably more expensive than the current system. But, having experienced RegisterFly, I’ll take confusion over absolute lack of security, any day.

Of course, this begs a question: what would we need the registrars for, then? Just collecting money for initial registration, transfers/renewals, and value added services, I guess, such as providing DNS, email forwarding/accounts, and http forwarding/space. In case of all of them, I was using my own servers instead of relying on RegisterFly, yet they still managed to sc..w me up by, essentially, modifying whois for my domain without my consent, and making it impossible for me to change it back, so that I could transfer away. This must never be allowed to happen again.

Argentina use too a non AUTH CODE method, but mexico function very well too in a password by mail basis, with link to confirm the transaction.

Adam Masri
President
Nolex

The UK model of registry allows for private individuals to keep their information (except name) off the Whois searches available to the public.