Auth codes are one of the most useful aspects of the new TLD registries and it, in addition to domain locks, is an awesome way to prevent domain theft.
The problem is that many registrars did not like being forced to implement Auth Codes and as a result have severaly *GUTTED* the effectiveness of the Auth Codes. Thus far Tucows is the *ONLY* registrar I have seen that properly implements Auth codes, IMHO. Auth code *ARE NOT* to be use "authorize transfer" they are to be used only by the owner to approve a transfer, period -- If you do it any other way then Auth Codes effectiveness is *SEVERLY* degraded, if it still even has any effectiveness.
For example, when Auth Codes first came online many registrars set the Auth Code equal to the users Password. When the user sold a domain the buyer was now only handed the sellers account password (!) but also the Auth Code for all other Auth code protected domains held at that registrar! Get the picture? By allowing anyone to enter a Auth Code to initiate transfer you actually simplify the process of domain theft ... Force the owner to enter the Auth Code (via owner in Whois record) and you have a *VERY* effective tool which aids in preventing domain theft.
Tucows *PLEASE* remain a leader and do nothing to compromise the Auth Code system / concept. Thanks!
On Mon, 8 Dec 2003 19:15:45 -0800 (PST) Tom Brown <[EMAIL PROTECTED]> wrote:
Apologies for what is almost a double post... but I think that what we want can be made more clear...
Auth-codes for transfers are supposed** to be a good thing. They should
suffice as "indisputable proof" that the transfer request has been made by
a valid representitave of the domain owner... consequently, if the API
would allow us to specify the auth-code for an EPP domain during a
transfer, we should be able to skip the opensrs admin contact confirmation
step completely and just go to "submit to registry" ... which could even
tell us if the auth code is wrong... all this happening before we bill the
registrant's credit card .... simple, effective, doable? already exists? Or did I miss roadblock?
(** unfortunately this isn't the first time that a great technical
solution has been distorted almost beyond recognition, e.g. sign over your
first born child and all your right sige organs and we'll send you the
auth code for your domain.)
-Tom, president, http://baremetal.com/
On Mon, 8 Dec 2003, Tim Woodcock wrote:
Hello.
We are having a lot of problems getting people to complete transfers in the epp realm. We are putting through transfer requests from foreign registrars, but the users are having trouble finishing the operation.
The simplest solution for us would be to require that the user specify the authorization when they request the transfer. Is there a mechanism that allows us to do this?
---------------------------------------------------------------------
Tim Woodcock [EMAIL PROTECTED]
BareMetal.com Inc. http://baremetal.com/
Software Development Team ---------------------------------------------------------------------
----------------------------------------------------------------------
[EMAIL PROTECTED] | Courage is doing what you're afraid to do.
http://BareMetal.com/ | There can be no courage unless you're scared.
| - Eddie Rickenbacker
